
ISG Session timers

S. Akshaya Kumar (sakskuma@cisco.com), Network Consulting Engineer, WWSP WiFi


Presentation Transcript


  1. ISG Session timers. S. Akshaya Kumar (sakskuma@cisco.com), Network Consulting Engineer, WWSP WiFi

  2. Diagram participants: ISG, DHCP, Portal, AAA.

     Interface configuration:

         interface GigabitEthernet 0/0.1
          encapsulation dot1Q 10
          ip address ...
          service-policy type control IP_SESSION_RULE1
          ip subscriber l2-connected
           initiator unclassified-mac

     Control policy:

         policy-map type control IP_SESSION_RULE1
          class type control always event session-start
           10 service-policy type service name PBHK_SRV
           20 authorize aaa list IP_AUTHOR_LIST password cisco123 identifier mac-addr
           30 service-policy type service name OG_SRV
           40 service-policy type service name L4R_SRV
           50 set-timer AUTHEN_TMR 10

     Call flow:

     (1) Client obtains IP address independent of the ISG
     (2) IP Packet
     (2) ISG session creation
     (2) Session-start event posted
     (3) PBHK service applied (*)
     (4a) Access-Request, username = mac
     (4b) Access-Reject
     (5) OpenGarden and L4R services applied (*)
     (6) Authentication Timer started

     (*) assumes that the definitions of PBHK, L4R and OpenGarden are already available on the ISG

  3. Simplified call flow. Diagram participants: ISG, DHCP, Portal, AAA.

     ISG configuration:

         aaa author subscriber-service default SERVER_GRP1
         subscriber service password servicecisco

     Control policy:

         class type control always event account-logon
          10 authenticate aaa list IP_AUTHEN_LIST
          20 service-policy type service unapply name L4R_SRV
          30 service-policy type service unapply name OG_SRV
         !
         class type control BASIC_HSI_SRV_CM event service-start
          10 service-policy type service identifier service-name

     Service profile returned by AAA:

         Service-Name: "BASIC_HSI_SRV"
         Service-Password: "servicecisco"
         Attr 28: idle-timeout = 600
         AVPair: "subscriber:accounting-list=IP_ACCNT_LIST"
         ServiceInfo: QU;256000;D;768000;

     Call flow:

     (7) http://www.cisco.com
     (8) L4Redirect to Portal
     (9) HTTP Redirect. User self-registers
     (10a) CoA Req. Account Logon, username, password
     (10b) Account-Logon event posted
     (10c) CoA Ack. Account Logon
     (11a) Access-Request, username, password
     (11b) Access-Accept, service: BASIC_HSI_SRV
     (11c) Service-start event posted
     (12a) Access-Request, BASIC_HSI_SRV, srvpwd
     (12b) Access-Accept, BASIC_HSI_SRV definition
     (13) BASIC_HSI_SRV is applied
     (14) Accounting-Request (Start) and Response
     (15) L4R and OpenGarden services are unapplied
     (16) http://www.cisco.com

  4. 1) Manage Walk-by users - Unauth-timer

     Syntax: set-timer name-of-timer minutes

         !
         class-map type control match-all UNAUTH_TIMER_CM
          match timer UNAUTH_TIMER
          match authen-status unauthenticated
         !
         policy-map type control RULE
          class type control UNAUTH_TIMER_CM event timed-policy-expiry
           10 service disconnect
          class type control always event session-start
           70 set-timer UNAUTH_TIMER 10
         !

  5. Session Termination: IP Sessions
     • Web Logoff: Web Portal, Web Logoff, RADIUS CoA Account-Logoff, ISG
     • Keepalive failure: ISG, ICMP/ARP keepalive failure
     • ICMP keepalives are used for routed sessions
     • ARP keepalives are used for l2-connected sessions

  6. 2) Idle timer

     Sets the maximum number of consecutive seconds of idle connection allowed to the user before the session terminates. This attribute value becomes the per-user "session-timeout."

     The configuration can be implemented either at Broadhop or locally on the ISG through the CLI.

  7. 3) Web Logoff timer

     Upon an account-logoff event, disconnect after a 10 second delay. This should ensure that the client TCP sessions close before disconnection.

         policy-map type control RULE
          class type control always event account-logoff
           10 service disconnect delay 10
         !

  8. 4) KeepAlive with idle timer

     Configures the allowable idle period, maximum number of attempts to connect, the interval between attempts, and the communication protocol to be used. The ranges and defaults are as follows:
     • Idle period: range is 5 to 10 seconds; default is 10 seconds.
     • Attempts: range is 3 to 10; default is 5.
     • Interval: default is 1 to 10 seconds.
     • Protocol: for Layer 2 connections, the default is ARP; for routed connections, the default is ICMP.
     • Broadcast option: by default this option is disabled.

     The configuration can be implemented either at Broadhop or locally on the ISG through the CLI.
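
Added example (not part of the original slides): a Python check that reads an ISG control policy such as the one on slide 4 and reports every `set-timer` that has no `timed-policy-expiry` class disconnecting unauthenticated sessions, which is the condition that leaves walk-by sessions open. The sample configuration is constructed from the slide 2 and slide 4 excerpts, the function name `audit_timers` is hypothetical, and `match-all` class-maps are assumed.

```python
import re

# Constructed sample: slide 4's rule, plus AUTHEN_TMR set with no expiry rule.
SAMPLE = """\
class-map type control match-all UNAUTH_TIMER_CM
 match timer UNAUTH_TIMER
 match authen-status unauthenticated
!
policy-map type control RULE
 class type control UNAUTH_TIMER_CM event timed-policy-expiry
  10 service disconnect
 class type control always event session-start
  50 set-timer AUTHEN_TMR 10
  70 set-timer UNAUTH_TIMER 10
!
"""

def audit_timers(config):
    """Map each set-timer name to a problem string; empty dict means no findings."""
    matches, actions, timers = {}, {}, set()
    cmap = handler = None          # class-map / expiry class currently being read
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"class-map type control (?:match-\w+ )?(\S+)$", line):
            cmap, handler = m.group(1), None
            matches[cmap] = set()
        elif m := re.match(r"class type control (\S+) event (\S+)$", line):
            cmap = None
            handler = m.group(1) if m.group(2) == "timed-policy-expiry" else None
            if handler:
                actions.setdefault(handler, [])
        elif m := re.match(r"\d+ set-timer (\S+) \d+$", line):
            timers.add(m.group(1))
        elif cmap and line.startswith("match "):
            matches[cmap].add(line)
        elif handler and (m := re.match(r"\d+ (.+)$", line)):
            actions[handler].append(m.group(1))
        elif line == "!" or line.startswith("policy-map "):
            cmap = handler = None
    findings = {}
    for timer in sorted(timers):
        # Class-maps that test this timer and are bound to the expiry event
        bound = [c for c in matches
                 if f"match timer {timer}" in matches[c] and c in actions]
        if not bound:
            findings[timer] = "no timed-policy-expiry rule"
        elif not any(a.startswith("service disconnect")
                     for c in bound for a in actions[c]):
            findings[timer] = "expiry rule never disconnects"
        elif not all("match authen-status unauthenticated" in matches[c] for c in bound):
            findings[timer] = "expiry rule also hits authenticated sessions"
    return findings

if __name__ == "__main__":
    print(audit_timers(SAMPLE))
```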
