SSG Autologoff Enhancement
The SSG Autologoff Enhancement feature configures Service Selection Gateway (SSG) to check the MAC address of a host each time that SSG performs an Address Resolution Protocol (ARP) ping. If SSG finds that the MAC address of the host has changed, SSG automatically initiates the logoff of that host.
Feature History for the SSG Autologoff Enhancement
Release      Modification
12.2(15)B    This feature was introduced.
12.3(4)T     This feature was implemented in Cisco IOS Release 12.3(4)T.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•Prerequisites for the SSG Autologoff Enhancement
•Restrictions for the SSG Autologoff Enhancement
•Information About SSG MAC Address Checking for Autologoff
•How to Configure SSG MAC Address Checking for Autologoff
•Configuration Examples for SSG Autologoff Enhancement
Prerequisites for the SSG Autologoff Enhancement
Before SSG MAC address checking for autologoff can be configured, SSG must be enabled by using the ssg enable command.
Restrictions for the SSG Autologoff Enhancement
The following restrictions apply to the SSG Autologoff Enhancement feature:
•ARP ping should be used only in deployments in which all hosts are directly connected to SSG through a broadcast interface (such as an Ethernet interface) or a bridged interface (such as a routed bridge encapsulation (RBE) or integrated routing and bridging (IRB) interface). Internet Control Message Protocol (ICMP) ping can be used in all types of deployment scenarios.
•ARP ping will work only on hosts that have a MAC address. ARP ping will not work for PPP users because they do not have a MAC table entry.
•ARP ping does not support overlapping IP addresses.
•SSG autologoff that uses the ARP ping mechanism will not work for hosts that have static ARP entries.
•Session reuse is not prevented if a malicious host performs a MAC address spoof.
Information About SSG MAC Address Checking for Autologoff
To configure SSG MAC address checking for autologoff, you should understand the following concepts:
•Overview of SSG
•ARP Ping
•Benefits of the SSG Autologoff Enhancement
Overview of SSG
SSG is a switching solution for service providers who offer intranet, extranet, and Internet connections to subscribers over broadband access technologies such as digital subscriber line (DSL), cable modem, or wireless, allowing simultaneous access to network services.
The SSG works in conjunction with the Cisco Subscriber Edge Services Manager (SESM). Together with the SESM, SSG provides subscriber authentication, service selection, and service connection capabilities to subscribers of Internet services. Subscribers interact with the SESM web application using a standard Internet browser.
For more information about SSG, see the "Additional References" section.
ARP Ping
ARP is an Internet protocol that maps IP addresses to MAC addresses on directly connected devices. A router that uses ARP broadcasts ARP requests for IP address information. When an IP address is successfully associated with a MAC address, the router stores the mapping in the ARP cache.
When SSG autologoff is configured to use ARP ping, SSG periodically checks the ARP cache tables. If a table entry for a host is found, SSG forces ARP to refresh the entry and checks the entry again after a configured interval. If a table entry is not found, SSG initiates autologoff for the host. However, if any data traffic to or from the host occurred during the interval, SSG does not ping the host because the reachability of the host during that interval was established by the data traffic.
When SSG MAC address checking is configured, SSG checks the MAC address of a host when an ARP ping is performed. If SSG detects a host MAC address that is different from the address at logon, it initiates an automatic logoff of that host.
Note ARP ping should be used only in deployments in which all hosts are directly connected to SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as a routed bridge encapsulation (RBE) or integrated routing and bridging (IRB) interface.
ARP request packets are smaller than ICMP ping packets, so it is recommended that you configure SSG autologoff to use ARP ping in cases where hosts are directly connected.
Benefits of the SSG Autologoff Enhancement
The SSG Autologoff Enhancement feature enables service providers that use SSG to prevent a malicious host from spoofing the IP address of a logged-on host and accessing the logged-on host's services. Using SSG MAC address checking, service providers can prevent SSG host session reuse when a DHCP server assigns the same IP address to a second host because the first host released its IP address (through either a lease time expiration or an explicit DHCP release), but did not log off from SSG.
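The autologoff decision described in the "ARP Ping" section and the DHCP address-reuse case described above, modelled in Python as an added illustration; this is not Cisco code and not part of this document, and the host addresses and MAC addresses are constructed:

```python
from dataclasses import dataclass, field

# Constructed model of the SSG ARP-ping autologoff decision as this document
# describes it; an added example, not Cisco code. Names and addresses are invented.

@dataclass
class Session:
    ip: str
    logon_mac: str                 # MAC address recorded when the host logged on
    traffic_seen: bool = False     # data traffic to/from the host in this interval

@dataclass
class Ssg:
    match_mac_address: bool        # True when match-mac-address is configured
    arp_cache: dict = field(default_factory=dict)   # ip -> MAC as ARP sees it
    sessions: dict = field(default_factory=dict)    # ip -> Session

    def logon(self, ip: str, mac: str) -> None:
        self.sessions[ip] = Session(ip, mac)
        self.arp_cache[ip] = mac

    def arp_ping_cycle(self) -> list:
        """One autologoff interval; returns [(ip, reason)] for each host logged off."""
        logged_off = []
        for ip, sess in list(self.sessions.items()):
            if sess.traffic_seen:          # reachability shown by data traffic: no ping
                sess.traffic_seen = False
                continue
            mac = self.arp_cache.get(ip)   # ARP cache entry after the forced refresh
            if mac is None:
                reason = "no ARP entry"
            elif self.match_mac_address and mac != sess.logon_mac:
                reason = f"MAC changed {sess.logon_mac} -> {mac}"
            else:
                continue                   # host reachable, session kept
            del self.sessions[ip]
            logged_off.append((ip, reason))
        return logged_off

def dhcp_reuse_scenario(match_mac_address: bool, second_mac: str) -> bool:
    """Host A logs on, releases its DHCP lease without logging off, and a second
    host with second_mac receives the same IP. Returns True if host A's session
    is still open after one ARP ping cycle (session reuse)."""
    ssg = Ssg(match_mac_address)
    ssg.logon("10.0.0.5", "00:11:22:aa:aa:aa")   # host A (constructed values)
    ssg.arp_cache["10.0.0.5"] = second_mac       # host B now answers ARP for the IP
    ssg.arp_ping_cycle()
    return "10.0.0.5" in ssg.sessions
```

Without match-mac-address the scenario returns True (the second host inherits the session); with it, a different MAC returns False, while a second host presenting the logon MAC still returns True, which is the MAC-spoofing restriction listed earlier.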
How to Configure SSG MAC Address Checking for Autologoff
This section contains the following procedures:
•Configuring SSG MAC Address Checking for Autologoff
•Monitoring and Maintaining SSG MAC Address Checking for Autologoff
Configuring SSG MAC Address Checking for Autologoff
Perform this task to configure SSG to use the ARP ping mechanism to detect connectivity and to automatically log off hosts that changed their MAC address after logon.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg auto-logoff arp match-mac-address [interval seconds]
DETAILED STEPS
Troubleshooting Tips
Use the show running-config command to verify the configuration of SSG MAC address checking for autologoff.
Monitoring and Maintaining SSG MAC Address Checking for Autologoff
Perform this task to monitor SSG MAC address checking for autologoff.
SUMMARY STEPS
1. enable
2. debug ssg ctrl-errors
3. debug ssg ctrl-events
4. debug ssg ctrl-packets
5. debug ssg data
DETAILED STEPS
Configuration Examples for SSG Autologoff Enhancement
•SSG MAC Address Checking for Autologoff: Example
SSG MAC Address Checking for Autologoff: Example
The following example shows how to enable SSG MAC address checking for autologoff:
ssg auto-logoff arp match-mac-address
The following example shows how to enable SSG MAC address checking for autologoff and to specify an ARP ping interval of 60 seconds:
ssg auto-logoff arp match-mac-address interval 60
Additional References
The following sections provide references related to the SSG Autologoff Enhancement feature.
Related Documents
Standards
Standard                                                                                                                             Title
No new or modified standards are supported by this feature. Support for existing standards has not been modified by this feature.    —
MIBs
RFCs
RFC                                                                                                                        Title
No new or modified RFCs are supported by this feature. Support for existing RFCs has not been modified by this feature.    —
Technical Assistance
Command Reference
This section documents the ssg auto-logoff arp command. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.
ssg auto-logoff arp
To configure Service Selection Gateway (SSG) to automatically log off hosts that have lost connectivity with SSG and to use the Address Resolution Protocol (ARP) ping mechanism to detect connectivity, use the ssg auto-logoff arp command in global configuration mode. To disable SSG Autologoff, use the no form of this command.
ssg auto-logoff arp [match-mac-address] [interval seconds]
no ssg auto-logoff arp
Syntax Description
match-mac-address    (Optional) Configures SSG to check the MAC address of a host each time that SSG performs an ARP ping and to log off the host if the MAC address has changed since logon.
interval seconds     (Optional) Interval, in seconds, between ARP pings. The default is 30 seconds.
Defaults
SSG autologoff is not enabled by default.
The default ARP ping interval is 30 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ssg auto-logoff arp command to configure SSG to use the ARP ping mechanism to detect connectivity to hosts. Use the optional match-mac-address keyword to configure SSG to check the MAC address of a host each time that SSG performs an ARP ping. If SSG finds that the MAC address of the host has changed, SSG automatically initiates the logoff of that host.
Note ARP ping should be used only in deployments in which all hosts are directly connected to SSG through a broadcast interface (such as an Ethernet interface) or a bridged interface (such as a routed bridge encapsulation (RBE) or an integrated routing and bridging (IRB) interface).
ARP request packets are smaller than Internet Control Message Protocol (ICMP) ping packets, so it is recommended that you configure SSG autologoff to use ARP ping in cases in which hosts are directly connected.
ICMP ping can be used in all types of deployments. Refer to the ssg auto-logoff icmp command reference page for more information about SSG autologoff using ICMP ping.
ARP ping will work only on hosts that have a MAC address. ARP ping will not work for PPP users because they do not have a MAC table entry.
ARP ping does not support overlapping IP addresses.
SSG autologoff that uses the ARP ping mechanism will not work for hosts with static ARP entries.
You can use only one method of SSG autologoff at a time: ARP ping or ICMP ping. If you configure SSG to use ARP ping after ICMP ping has been configured, the ICMP ping function will become disabled.
Examples
The following example shows how to enable SSG autologoff and to configure SSG to use ARP ping to detect connectivity to hosts:
ssg auto-logoff arp interval 60
The following example shows how to enable SSG MAC address checking for autologoff:
ssg auto-logoff arp match-mac-address
The following example shows how to enable SSG MAC address checking for autologoff and to specify an ARP ping interval of 60 seconds:
ssg auto-logoff arp match-mac-address interval 60
Related Commands
Command                 Description
ssg auto-logoff icmp    Configures SSG to automatically log off hosts that have lost connectivity with SSG and to use the ICMP ping mechanism to detect connectivity.
Copyright © 2003 Cisco Systems, Inc. All rights reserved.