Cisco IOS Software Releases 12.2 Special and Early Deployments

SSG Autologoff Enhancement


The SSG Autologoff Enhancement feature configures Service Selection Gateway (SSG) to check the MAC address of a host each time that SSG performs an Address Resolution Protocol (ARP) ping. If SSG finds that the MAC address of the host has changed, SSG automatically initiates the logoff of that host.

Feature History for the SSG Autologoff Enhancement

Release      Modification
12.2(15)B    This feature was introduced.
12.3(4)T     This feature was implemented in Cisco IOS Release 12.3(4)T.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for the SSG Autologoff Enhancement

Restrictions for the SSG Autologoff Enhancement

Information About SSG MAC Address Checking for Autologoff

How to Configure SSG MAC Address Checking for Autologoff

Configuration Examples for SSG Autologoff Enhancement

Additional References

Command Reference

Prerequisites for the SSG Autologoff Enhancement

Before SSG MAC address checking for autologoff can be configured, SSG must be enabled by using the ssg enable command.

Restrictions for the SSG Autologoff Enhancement

The following restrictions apply to the SSG Autologoff Enhancement feature:

  • ARP ping should be used only in deployments in which all hosts are directly connected to SSG through a broadcast interface (such as an Ethernet interface) or a bridged interface (such as a routed bridge encapsulation (RBE) or integrated routing and bridging (IRB) interface). Internet Control Message Protocol (ICMP) ping can be used in all types of deployment scenarios.

  • ARP ping works only for hosts that have a MAC address. It does not work for PPP users because they do not have a MAC table entry.

  • ARP ping does not support overlapping IP addresses.

  • SSG autologoff that uses the ARP ping mechanism does not work for hosts that have static ARP entries.

  • Session reuse is not prevented if a malicious host spoofs the MAC address of the logged-on host as well as its IP address: the check only detects a MAC address that differs from the one recorded at logon.

Information About SSG MAC Address Checking for Autologoff

To configure SSG MAC address checking for autologoff, you should understand the following concepts:

Overview of SSG

ARP Ping

Benefits of the SSG Autologoff Enhancement

Overview of SSG

SSG is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers using broadband access technology such as digital subscriber lines (DSL), cable modems, or wireless to allow simultaneous access to network services.

The SSG works in conjunction with the Cisco Subscriber Edge Services Manager (SESM). Together with the SESM, SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with the SESM web application using a standard Internet browser.

For more information about SSG, see the "Additional References" section.

ARP Ping

ARP is an Internet protocol that is used to map IP addresses to MAC addresses of directly connected devices. A router that uses ARP broadcasts an ARP request for the IP address it needs to resolve. When an IP address is successfully associated with a MAC address, the router stores the mapping in its ARP cache.

When SSG autologoff is configured to use ARP ping, SSG periodically checks the ARP cache tables. If a table entry for a host is found, SSG forces ARP to refresh the entry and checks the entry again after a configured interval. If a table entry is not found, SSG initiates autologoff for the host. However, if any data traffic to or from the host occurred during the interval, SSG does not ping the host because the reachability of the host during that interval was established by the data traffic.

When SSG MAC address checking is configured, SSG checks the MAC address of a host when an ARP ping is performed. If SSG detects a host MAC address that is different from the address at logon, it initiates an automatic logoff of that host.


Note ARP ping should be used only in deployments in which all hosts are directly connected to SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as a routed bridge encapsulation (RBE) or integrated routing and bridging (IRB) interface.


ARP request packets are smaller than ICMP ping packets, so it is recommended that you configure SSG autologoff to use ARP ping in cases where hosts are directly connected.

Benefits of the SSG Autologoff Enhancement

The SSG Autologoff Enhancement feature enables service providers that use SSG to prevent a malicious host from spoofing the IP address of a logged-on host and accessing the logged-on host's services: the spoofing host answers the ARP ping with a MAC address that differs from the one recorded at logon, so SSG logs the session off. Using SSG MAC address checking, service providers can also prevent SSG host session reuse when a DHCP server assigns the same IP address to a second host because the first host released its IP address (through either a lease time expiration or an explicit DHCP release) but did not log off from SSG. The check compares MAC addresses only; a host that spoofs both the IP address and the MAC address of the logged-on host is not detected (see the "Restrictions for the SSG Autologoff Enhancement" section).
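The ARP ping decision rules above, the DHCP address-reuse case, and the MAC-spoofing restriction, worked through in an added Python model. This is example code written for this page, not Cisco IOS code and not part of SSG or SESM; the host IP addresses, MAC addresses and ARP cache snapshots are constructed sample data, and the interval rounding follows the rule stated in the ssg auto-logoff arp command reference (how exact midpoints such as 45 round is an assumption, since the page does not say).

```python
"""SSG ARP-ping autologoff with MAC checking, modelled for this page.
Not Cisco IOS code: it applies the rules the page states (periodic ARP
cache check, ping skipped when data traffic was seen in the interval,
logoff on a missing ARP entry, and with match-mac-address logoff when the
MAC differs from the one recorded at logon) to constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def round_arp_interval(seconds: int) -> int:
    """Interval rule from the command reference: nearest multiple of 30,
    anything below 30 becomes 30. Midpoints (45, 75, ...) round up here;
    the page does not say which way they go (assumption)."""
    if seconds < 30:
        return 30
    return (seconds + 15) // 30 * 30


@dataclass
class Host:
    ip: str
    logon_mac: str        # MAC recorded when the host logged on
    logged_on: bool = True


class SsgAutologoff:
    def __init__(self, match_mac_address: bool, interval: int = 30) -> None:
        self.match_mac_address = match_mac_address
        self.interval = round_arp_interval(interval)
        self.hosts: Dict[str, Host] = {}
        self.log: List[str] = []

    def logon(self, ip: str, mac: str) -> None:
        self.hosts[ip] = Host(ip=ip, logon_mac=mac.lower())

    def arp_ping_cycle(self, arp_cache: Dict[str, str],
                       traffic_seen: Set[str]) -> List[str]:
        """One periodic check. arp_cache is IP -> MAC as the router's ARP
        cache looks after SSG forced a refresh and waited the interval (a
        missing key means the host did not answer ARP). traffic_seen holds
        IPs with data traffic in the interval: SSG does not ping those, so
        this model also skips the MAC check for them, because the page ties
        the check to the ARP ping. Returns the IPs logged off this cycle."""
        logged_off: List[str] = []
        for ip, host in self.hosts.items():
            if not host.logged_on:
                continue
            if ip in traffic_seen:
                self.log.append(f"{ip}: data traffic seen, ARP ping skipped")
                continue
            mac = arp_cache.get(ip)
            if mac is None:
                reason = "no ARP entry after refresh"
            elif self.match_mac_address and mac.lower() != host.logon_mac:
                reason = f"MAC changed {host.logon_mac} -> {mac.lower()}"
            else:
                self.log.append(f"{ip}: reachable, MAC {mac.lower()}")
                continue
            host.logged_on = False
            logged_off.append(ip)
            self.log.append(f"{ip}: autologoff ({reason})")
        return logged_off


def demo_dhcp_reuse() -> Tuple[List[str], List[str]]:
    """Benefit from the page: host A logs on at 10.0.0.5 and releases its
    DHCP lease without logging off; DHCP hands 10.0.0.5 to host B. Without
    match-mac-address B inherits A's session; with it, SSG logs it off."""
    plain = SsgAutologoff(match_mac_address=False)
    checked = SsgAutologoff(match_mac_address=True)
    for ssg in (plain, checked):
        ssg.logon("10.0.0.5", "00:11:22:33:44:55")    # host A at logon
    cache = {"10.0.0.5": "66:77:88:99:AA:BB"}          # host B answers now
    return plain.arp_ping_cycle(cache, set()), checked.arp_ping_cycle(cache, set())


def demo_mac_spoof() -> List[str]:
    """Restriction from the page: an attacker that takes over the IP and
    also clones the original MAC is not detected; the ARP entry matches."""
    ssg = SsgAutologoff(match_mac_address=True)
    ssg.logon("10.0.0.7", "00:11:22:33:44:55")
    return ssg.arp_ping_cycle({"10.0.0.7": "00:11:22:33:44:55"}, set())


def demo_lost_and_busy() -> List[str]:
    """A host that stopped answering ARP is logged off; a host with data
    traffic in the interval is left alone even though it is not cached."""
    ssg = SsgAutologoff(match_mac_address=True)
    ssg.logon("10.0.0.8", "aa:aa:aa:aa:aa:08")         # unplugged
    ssg.logon("10.0.0.9", "aa:aa:aa:aa:aa:09")         # busy, ping skipped
    return ssg.arp_ping_cycle({}, traffic_seen={"10.0.0.9"})


if __name__ == "__main__":
    print("DHCP reuse (plain, checked):", demo_dhcp_reuse())
    print("MAC spoof:", demo_mac_spoof(), "lost/busy:", demo_lost_and_busy())
```

Running the script shows the three outcomes side by side: the reassigned address is logged off only when match-mac-address is on, the cloned-MAC attacker survives the check, and a busy host is never pinged in that interval. The model makes one choice the page leaves implicit: because the MAC comparison happens "when an ARP ping is performed", a host whose ping is skipped for data traffic is not MAC-checked in that cycle either.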

How to Configure SSG MAC Address Checking for Autologoff

This section contains the following procedures:

Configuring SSG MAC Address Checking for Autologoff

Monitoring and Maintaining SSG MAC Address Checking for Autologoff

Configuring SSG MAC Address Checking for Autologoff

Perform this task to configure SSG to use the ARP ping mechanism to detect connectivity and to automatically log off hosts that changed their MAC address after logon.

SUMMARY STEPS

1. enable

2. configure terminal

3. ssg auto-logoff arp match-mac-address [interval seconds]

DETAILED STEPS

Step 1  enable

        Example:
        Router> enable

        Enables privileged EXEC mode. Enter your password if prompted.

Step 2  configure terminal

        Example:
        Router# configure terminal

        Enters global configuration mode.

Step 3  ssg auto-logoff arp match-mac-address [interval seconds]

        Example:
        Router(config)# ssg auto-logoff arp match-mac-address

        Configures SSG to automatically log off hosts that have a changed MAC address and to use the ARP ping mechanism to detect connectivity.

Troubleshooting Tips

Use the show running-config command to verify the configuration of SSG MAC address checking for autologoff.

Monitoring and Maintaining SSG MAC Address Checking for Autologoff

Perform this task to monitor SSG MAC address checking for autologoff.

SUMMARY STEPS

1. enable

2. debug ssg ctrl-errors

3. debug ssg ctrl-events

4. debug ssg ctrl-packets

5. debug ssg data

DETAILED STEPS

Step 1  enable

        Example:
        Router> enable

        Enables privileged EXEC mode. Enter your password if prompted.

Step 2  debug ssg ctrl-errors

        Example:
        Router# debug ssg ctrl-errors

        Displays all error messages for control modules.

Step 3  debug ssg ctrl-events

        Example:
        Router# debug ssg ctrl-events

        Displays all event messages for control modules, including autologoff events.

Step 4  debug ssg ctrl-packets

        Example:
        Router# debug ssg ctrl-packets

        Displays packet contents handled by control modules.

Step 5  debug ssg data

        Example:
        Router# debug ssg data

        Displays all data-path packets.

Configuration Examples for SSG Autologoff Enhancement

SSG MAC Address Checking for Autologoff: Example

SSG MAC Address Checking for Autologoff: Example

The following example shows how to enable SSG MAC address checking for autologoff:

ssg auto-logoff arp match-mac-address 

The following example shows how to enable SSG MAC address checking for autologoff and to specify an ARP ping interval of 60 seconds:

ssg auto-logoff arp match-mac-address interval 60

Additional References

The following sections provide references related to the SSG Autologoff Enhancement feature.

Related Documents

Related Topic                           Document Title
Cisco IOS commands                      Cisco IOS Master Commands List, Release 12.3(4)T
SSG configuration tasks and commands    Service Selection Gateway, 12.2(8)T new-feature document
                                        Service Selection Gateway Accounting Update Interval per Service, 12.2(13)T new-feature document
                                        SSG AutoDomain, 12.2(13)T new-feature document
                                        Service Selection Gateway Hierarchical Policing, 12.2(13)T new-feature document
                                        SSG TCP Redirect for Services, 12.2(13)T new-feature document
                                        SSG Autologon Using Proxy Radius, 12.2(13)T new-feature document
                                        SSG Autologoff, 12.2(13)T new-feature document
                                        SSG Port-Bundle Host Key, 12.2(13)T new-feature document
                                        SSG Open Garden, 12.2(13)T new-feature document
                                        SSG Prepaid, 12.2(13)T new-feature document


Standards

No new or modified standards are supported by this feature. Support for existing standards has not been modified by this feature.

MIBs

No new or modified MIBs are supported by this feature. Support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator, found at http://www.cisco.com/go/mibs

RFCs

No new or modified RFCs are supported by this feature. Support for existing RFCs has not been modified by this feature.

Technical Assistance

Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

Link: http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents the ssg auto-logoff arp command. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.

ssg auto-logoff arp

To configure Service Selection Gateway (SSG) to automatically log off hosts that have lost connectivity with SSG and to use the Address Resolution Protocol (ARP) ping mechanism to detect connectivity, use the ssg auto-logoff arp command in global configuration mode. To disable SSG Autologoff, use the no form of this command.

ssg auto-logoff arp [match-mac-address] [interval seconds]

no ssg auto-logoff arp

Syntax Description

match-mac-address    (Optional) Configures SSG to check the MAC address of a host each time that SSG performs an ARP ping to that host, and to log the host off if the address differs from the one recorded at logon.

interval seconds     (Optional) ARP ping interval, in seconds. The value is rounded to the nearest multiple of 30; a value of less than 30 is rounded up to 30 seconds. The default interval is 30 seconds.


Defaults

SSG autologoff is not enabled by default.
The default ARP ping interval is 30 seconds.

Command Modes

Global configuration

Command History

Release      Modification
12.2(4)B     This command was introduced.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(15)B    The match-mac-address keyword was added.
12.3(4)T     The match-mac-address keyword was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

Use the ssg auto-logoff arp command to configure SSG to use the ARP ping mechanism to detect connectivity to hosts. Use the optional match-mac-address keyword to configure SSG to check the MAC address of a host each time that SSG performs an ARP ping to that host. If SSG finds that the MAC address of the host has changed since logon, SSG automatically initiates the logoff of that host.


Note ARP ping should be used only in deployments in which all hosts are directly connected to SSG through a broadcast interface (such as an Ethernet interface) or a bridged interface (such as a routed bridge encapsulation (RBE) or an integrated routing and bridging (IRB) interface).


ARP request packets are smaller than Internet Control Message Protocol (ICMP) ping packets, so it is recommended that you configure SSG autologoff to use ARP ping in cases in which hosts are directly connected.

ICMP ping can be used in all types of deployments. Refer to the ssg auto-logoff icmp command reference page for more information about SSG autologoff using ICMP ping.

ARP ping will work only on hosts that have a MAC address. ARP ping will not work for PPP users because they do not have a MAC table entry.

ARP ping does not support overlapping IP addresses.

SSG autologoff that uses the ARP ping mechanism will not work for hosts with static ARP entries.

You can use only one method of SSG autologoff at a time: ARP ping or ICMP ping. If you configure SSG to use ARP ping after ICMP ping has been configured, the ICMP ping function will become disabled.

Examples

The following example shows how to enable SSG autologoff and to configure SSG to use ARP ping to detect connectivity to hosts:

ssg auto-logoff arp interval 60

The following example shows how to enable SSG MAC address checking for autologoff:

ssg auto-logoff arp match-mac-address

The following example shows how to enable SSG MAC address checking for autologoff and to specify an ARP ping interval of 60 seconds:

ssg auto-logoff arp match-mac-address interval 60

Related Commands

Command                 Description
ssg auto-logoff icmp    Configures SSG to automatically log off hosts that have lost connectivity with SSG and to use the ICMP ping mechanism to detect connectivity.