Manuals / Cisco Systems / Computer Equipment / Network Router

Cisco Systems OL-4387-02 manual SSG Session and Idle Timeout

Models: OL-4387-02

1 110

Download 110 pages 54.42 Kb

Page 30

SSG Session and Idle Timeout

Chapter 3 SSG Logon and Logoff

SSG Session and Idle Timeout

Example 3-5shows how to configure the SSG TCP Redirect feature for a specific service. The commands redirect all prepaid service traffic to the captive portal group called "InternetRedirectGroup" and configure the captive portal group as the server group used for redirecting prepaid traffic.

Example 3-5 SSG Service-Specific TCP Redirect

ssg enable

ssg tcp-redirect

server-group InternetRedirectGroup server 10.0.0.1 8080

server 10.0.0.20 80 end

The service profile for InternetRedirectGroup is shown here:

ServiceInfo="Z"

(Optional) You can configure SSG to reauthorize a prepaid user's connection before the user has completely consumed the allotted quota for a service. To do this, enter the global-configuration commands shown below to configure a time-based or a volume-based threshold value. Example 3-6shows how to configure a threshold time value of 10 seconds. Example 3-7shows how to configure threshold volume value of 2000 bytes.

Example 3-6 SSG Threshold Time

ssg prepaid threshold time 10

Example 3-7 SSG Threshold Volume

ssg prepaid threshold volume 2000

SSG Session and Idle Timeout

In a dial-up networking or bridged (non-PPP) network environment, a user can disconnect from the network access server (NAS) and release the IP address without logging out from the SSG. When this happens, the SSG continues to allow traffic to pass from that IP address, which can create a problem if the another user obtains the same IP address. SSG provides two mechanisms to prevent this problem from occurring:

•Session-Timeout RADIUS attribute—Specifies the maximum length of time for which a host or connection object can remain continuously active.

•Idle-Timeout RADIUS attribute—Specifies the maximum length of time for which a session or connection can remain idle before it is disconnected.

The Session-Timeout and Idle-Timeout attributes are used in either a user or service profile. In a user profile, the attribute applies to the user session. In a service profile, the attribute applies individually to each service connection.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

3-6	OL-4387-02

Image 30

Cisco Systems OL-4387-02 manual SSG Session and Idle Timeout

Contents

Cisco Systems, Inc 170 West Tasman Drive San Jose, CA JanuaryCorporate Headquarters 800 553-NETS Fax 408Copyright 2004, Cisco Systems, Inc All rights reserved C O N T E N T S Service Selection Gateway OverviewDefault Network AudienceConfiguration Examples for Account Login and Logout Configuration Example for SSG AutoDomainConfiguration Example for SSG Prepaid Configuration of SSG AutologoffService Profiles Configuration Example for SSG Open GardenConfiguration of Mutually Exclusive Service Selection Service-Defined CookieConfiguring Port-Based Redirection for Unauthenticated Users Configuration of VPI/VCI Static Binding to a Service ProfileInterface Configuration Limiting Redirection for Unauthenticated UsersRestrictions for SSG Unconfig SSG UnconfigPer-Service Statistics Service Translationviii ContentsOL-4387-02 Document Organization About This GuideAudience ChapterTitle Document ConventionsChapter DescriptionRelated Documentation Cisco 10000 Series Router Feature MapCisco 10000 Series Router Software Configuration Guides Obtaining DocumentationDocumentation CD-ROM Documentation FeedbackObtaining Technical Assistance Ordering DocumentationTAC Case Priority Definitions Cisco TAC WebsiteOpening a TAC Case http//tools.cisco.com/RPF/register/register.doObtaining Additional Publications and Information Service Selection Gateway Overview Service Selection GatewayC H A P T E R Figure 1-1 SSG Topology Example Packets from a User and Destined for the Default Network Default NetworkAccess Protocols Packets from the Default Network and Destined for an SSG UserService Selection Methods, page Service Connection, page Supported SSG FeaturesSSG Logon and Logoff, page Authentication and Accounting, page Service Profiles and Cached Service Profiles, pageAny interface requiring tunneling for example, L2TP or GRE tunneling Internet SSG PrerequisitesSSG Architecture Model GamingIn Figure 1-2, subscribers access the SESM web portal application using any web browser on a variety of devices such as a desktop computer over DSL. The Cisco 10000 series router the SSG node forwards unauthenticated SSG traffic from the subscriber to SESM, configured as the captive portal and default network. The SSG feature set of the router allows the service provider to design a service selection access network Chapter 1 Service Selection Gateway Overview SSG Architecture Model OL-4387-02Scalability and Performance Limitations and RestrictionsC H A P T E R Best-Access to network B at rate Good-Access to network B at rate Single Host Logon SSG Prepaid Idle Timeout, page SSG Session and Idle Timeout, pageSSG Logon and Logoff Prerequisites for Single Host LogonRestrictions for SSG Autologoff Configuration of SSG AutologoffSSG Autologoff ARP pingSSG Prepaid Idle Timeout Configuration Example for SSG AutologoffService Authorization Service ReauthorizationConfiguration of SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutPrerequisites for SSG Prepaid Idle Timeout Configuration Example for SSG Prepaid Idle TimeoutSSG Session and Idle Timeout SSG Full Username RADIUS Attribute Authentication and AccountingConfiguration Examples for SSG Full Username RADIUS Attribute Restrictions for SSG Full Username RADIUS AttributeAccount Login and Logout, page Account Login and LogoutConfiguration Examples for Account Login and Logout Service Connection and Termination, pageService Connection and Termination Configuration Examples for Service Connection and TerminationService-Type-Indicates the type of service PPP Terminated Aggregation Service Selection MethodsWeb Service Selection, page PTA-MultidomainWeb Service Selection Restrictions for PTA-MDSESM and SSG Performance Chapter 5 Service Selection Methods Web Service Selection OL-4387-02SSG AutoDomain Service ConnectionMutually Exclusive Service Selection, page SSG AutoDomain, page SSG Prepaid, page SSG Open Garden, pageConfiguration of SSG AutoDomain Configuration Example for SSG AutoDomainRestrictions for SSG AutoDomain Example 6-1 SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA FormatExample 6-3 AutoDomain Exclude File Format Configuration of SSG Prepaid SSG PrepaidRestrictions for SSG Prepaid Configuration Example for SSG Prepaid SSG Open GardenSSG Open Garden, Release 12.24B feature module Configuration of SSG Open GardenConfiguration Example for SSG Open Garden SSG Port-Bundle Host KeyRestrictions for SSG Port-Bundle Host Key SSG Port-Bundle Host Key, Release 12.24B feature module Mutually Exclusive Service SelectionConfiguration of SSG Port-Bundle Host Key Exclude NetworksConfiguration of Mutually Exclusive Service Selection Configuration Example for Mutually Exclusive Service SelectionExample 6-5 Configuring a Mutually Exclusive Service Selection Group 6-10 Chapter 6 Service Connection Mutually Exclusive Service SelectionOL-4387-02 Service Profiles, page Cached Service Profiles, page Service ProfilesDownstream Access Control List Service Profiles and Cached Service ProfilesDomain Name Upstream Access Control ListService Authentication Type Full UsernameService Mode Service-Defined CookieService Description Service Next-Hop GatewayCached Service Profiles Type of ServiceService Profile Example Configuration of Cached Service Profiles Chapter 7 Service Profiles and Cached Service Profiles Cached Service ProfilesOL-4387-02 SSG Hierarchical Policing Token Bucket Scheme SSG Hierarchical PolicingSSG Hierarchical Policing Overview C H A P T E RSSG Hierarchical Policing Configuration Restrictions for SSG Hierarchical PolicingRouterconfig# local-profile cisco.com Configuration Examples for SSG Hierarchical PolicingConfiguration Examples for SSG Hierarchical Policing Routerconfig-prof# attribute 26 9 1 “QU1600030004000D2400040008000”Configuration Examples for SSG Hierarchical Policing Chapter 8 SSG Hierarchical PolicingOL-4387-02 Transparent Passthrough, page Interface ConfigurationTransparent Passthrough C H A P T E RAccess Side Interfaces Network Side Interfaces Configuration of Transparent PassthroughMulticast Protocols on SSG Interfaces Restrictions of Transparent PassthroughConfiguration of Multicast Protocols on SSG Interfaces Redirection for Unauthorized Services, page Initial Captivation, page Redirection for Unauthenticated UsersRedirection for Unauthenticated Users, page SSG TCP RedirectRedirection for Unauthorized Services 10-2group-name Initial Captivation 10-3Prerequisites for SSG TCP Redirect Configuration of SSG TCP RedirectRestrictions for SSG TCP Redirect 10-4Limiting Redirection for Unauthenticated Users Configuration Considerations for SSG TCP RedirectConfiguring Port-Based Redirection for Unauthenticated Users Configuration Considerations for SSG TCP Redirect, pagePurpose Configuring SSG TCP RedirectCommand 10-6Configuration Example for Network Lists Configuration Examples for SSG TCP RedirectConfiguration Example for Server Groups Configuration Example for Server Groups, pageExample 10-5 Defining Port Lists Configuration Example for Port Lists10-8 Chapter 10 SSG TCP RedirectRestrictions for VPI/VCI Static Binding to a Service Profile Miscellaneous SSG FeaturesVPI/VCI Static Binding to a Service Profile Configuration of VPI/VCI Static Binding to a Service ProfileRestrictions for AAA Server Group Support for Proxy Services AAA Server Group Support for Proxy ServicesConfiguration of RADIUS Virtual Circuit Logging RADIUS Virtual Circuit LoggingDownstream Access Control List-outacl, page Configuration of AAA Server Group Support for Proxy ServicesConfiguration Example for AAA Server Group Support for Proxy Services Upstream Access Control List-inacl, pageRestrictions for Packet Filtering Downstream Access Control List-outaclUpstream Access Control List-inacl 11-4Configuration Example for Packet Filtering SSG UnconfigConfiguration of Packet Filtering Restrictions for SSG UnconfigConfiguration Examples for SSG Unconfig Prerequisites for SSG UnconfigConfiguration of SSG Unconfig 11-6Service Translation, page Expansion of Service IDs, page SSG Enhancements for Overlapping ServicesService Translation 11-711-8 Set1 0.0.0.0/0.0.0.0 Set2 10.58.253.0/255.255.255.0 Set3Restrictions for Service Translation Prerequisites for Service Translation11-9 Enables service translation and indicates to the router to use the Configuration of Service TranslationConfiguration Example for Service Translation Service DefinitionsConfiguration Example for Expansion of Service IDs Expansion of Service IDsRestrictions for Expansion of Service IDs 11-11Network Sets 11-12Command Monitoring and Maintaining SSG12-1 C H A P T E RRestrictions for Per-Service Statistics Troubleshooting RADIUSPer-Service Statistics Removes the specified service12-3 Monitoring the Parallel Express Forwarding EngineReference Guide CommandMonitoring the Parallel Express Forwarding Engine 12-4Chapter 12 Monitoring and Maintaining SSG OL-4387-02SSG Configuration Example A P P E N D I X AExample A-1 Cisco 10000 Router SSG Configuration Appendix A SSG Configuration ExampleAppendix A SSG Configuration Example OL-4387-02Appendix A SSG Configuration Example OL-4387-02Appendix A SSG Configuration Example OL-4387-02ntp clock-period 17181406 ntp update-calendar Appendix A SSG Configuration Exampleexec-timeout 0 0 password lab OL-4387-02A P P E N D I X B SSG FeatureSSG Implementation Notes Implementation NotesSSG Feature Implementation NotesAlso see the “Restrictions for SSG TCP Redirect” section on page SSG FeatureImplementation Notes Appendix B SSG Implementation Notes OL-4387-02G L O S S A R Y Digital Subscriber LineGL-1 GL-2 GL-3 GL-4 GL-5 Glossary GL-6xDSL OL-4387-02I N D E See CEFIN-1 Idle Timeout Attribute 28 3-4 IN-2idle timeout inacl attributeSee PXF See PPPIN-3 AutoDomain See RBEIN-4 Exclude Networks 6-8IN-5 VC G-5 VCI G-5 vendor-specific attributes definition G-5 See VPIIN-6 virtual channel identifier See VCI virtual circuit See VCweb service selection 5-2 web sites accessing through Open Garden 6-5 IN-7VPI G-5 VPI/VCI implementation notes B-3 service profiles subscriber VRF G-5 VSA definition G-5IN-8 IndexOL-4387-02