Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4
Configuring SSG to Log Off Subscribers


First Published: May 2, 2005
Last Updated: October 2, 2009

Note: Effective with Cisco IOS Release 15.0(1)M, this feature is not available in Cisco IOS software.


Service Selection Gateway (SSG) supports the following methods of subscriber logoff:

Graceful logoff, in which the subscriber initiates the logoff procedure at the end of a session

Disconnection through the Web Services Gateway (WSG)

The SSG Autologoff feature, which automatically logs off SSG subscribers

Session timeouts and idle timeouts

This document describes these logoff methods and explains how to configure SSG to implement them.

Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring SSG to Log Off Subscribers" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Configuring SSG to Log Off Subscribers

Information About Configuring SSG to Log Off Subscribers

How to Configure SSG to Log Off Subscribers

Configuration Examples for Configuring SSG to Log Off Subscribers

Additional References

Feature Information for Configuring SSG to Log Off Subscribers

Prerequisites for Configuring SSG to Log Off Subscribers

Before you can perform the tasks in this module, SSG must be enabled.

The tasks in this document assume that you know how to configure Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP).

Information About Configuring SSG to Log Off Subscribers

To configure SSG to log off subscribers, you should understand the following concepts:

Graceful Logoff

Disconnection Through the Web Services Gateways

SSG Autologoff

SSG Session Timeout and Idle Timeout

Graceful Logoff

Graceful logoff occurs when the subscriber decides to end a session and clicks the Log Off button. This is the typical method of ending a session, and SSG supports it by default; you do not have to configure SSG to support graceful logoff.

Disconnection Through the Web Services Gateways

A third-party management tool can use a Web Services Gateway (WSG), which is part of Cisco's Subscriber Edge Services Manager (SESM) system, to send logoff messages to SSG. For information about configuring SESM to support disconnection through WSGs, refer to the Cisco Subscriber Edge Services Manager documentation. You do not have to configure SSG to support disconnection through WSGs.

SSG Autologoff

When SSG automatic logoff (autologoff) is configured, SSG checks the status of the connection with each host at configured intervals. If SSG finds that a host is not reachable, SSG automatically initiates the logoff of that host. SSG has two methods of checking the connectivity of hosts: ARP ping and ICMP ping. The following sections provide more information about SSG Autologoff:

SSG Autologoff Using ARP Ping

SSG Autologoff Using ICMP Ping

SSG Autologoff Using SSG/DHCP Awareness

MAC Address Checking for Autologoff

Benefits of SSG Autologoff

SSG Autologoff Using ARP Ping

ARP is an Internet protocol used to map IP addresses to MAC addresses. For directly connected devices, the router broadcasts ARP requests that contain IP address information. When an IP address is successfully associated with a MAC address, the router stores the information in the ARP cache.

When SSG autologoff is configured to use ARP ping, SSG periodically refreshes the ARP entry. If the ARP entry is not found, SSG initiates autologoff for the host.

If any data traffic is flowing to or from the host during the interval, SSG does not ping the host.


Note: ARP ping should be used only in deployments where all hosts are directly connected to SSG through a broadcast interface, such as an Ethernet interface, or a bridged interface, such as a routed bridge encapsulation (RBE) or an integrated routing and bridging (IRB) interface.


ARP request packets are smaller than ICMP ping packets, so Cisco recommends that you configure SSG autologoff to use ARP ping in deployments where hosts are directly connected.

MAC Address Checking for Autologoff

You can configure SSG to check the MAC address of a host each time that SSG performs an ARP ping. If SSG finds that the MAC address of the host has changed, SSG automatically initiates the logoff of that host.

SSG Autologoff Using ICMP Ping

ICMP is a network-layer Internet protocol that reports errors and provides other information relevant to IP packet processing. An ICMP ping consists of the echo message and echo-reply message used to check for connectivity between devices.

When SSG autologoff is configured to use the ICMP ping mechanism, SSG pings the host to check connectivity until an ICMP response (successful ping) is obtained or the allowable number of tries is used up. If all the tries are used up and the ping was unsuccessful, SSG initiates logoff for that host. Pinging occurs once every configured interval.

As with ARP ping, if any data traffic to or from the host is found during the interval, SSG will not ping the host because reachability was established by the data traffic.

ICMP ping works in all types of deployments and supports overlapping IP users.

SSG Autologoff Using SSG/DHCP Awareness

When a subscriber's router acts as either an IOS DHCP server or an IOS DHCP relay agent and the subscriber is a DHCP client, configuring SSG/DHCP Awareness causes the SSG host object to be removed when a DHCPRELEASE is received for an active host object or when the DHCP lease for an active host object expires.

For more information on SSG Autologoff Using SSG/DHCP Awareness, see the Configuring SSG On-Demand IP Address Renewal and SSG/DHCP Awareness module.

Benefits of SSG Autologoff

The SSG Autologoff feature enables service providers that use SSG to offer subscribers per-minute billing plans for services. SSG autologoff also prevents subscribers from being charged for periods of time in which they were not active.

SSG MAC address checking enables service providers that use SSG to prevent a malicious host from spoofing the IP address of a logged-on host and accessing the logged-on host's services. The MAC address-checking functionality allows service providers to prevent SSG host session reuse when a Dynamic Host Configuration Protocol (DHCP) server assigns the same IP address to a second host because the first host released its IP address (through either a lease-time expiration or an explicit DHCP release), but did not log off from SSG.

SSG Session Timeout and Idle Timeout

In a dialup networking or bridged (non-PPP) network environment, a user can disconnect from the network access server (NAS) and release the IP address without logging out from SSG. Potentially, the NAS could assign the same IP address to another user. In this kind of instance, SSG continues to allow traffic to pass from that IP address. SSG provides two mechanisms to prevent this problem from occurring:

Session-Timeout—An attribute that specifies the maximum length of time for which a host or connection can remain continuously active.

Idle-Timeout—An attribute that specifies the maximum length of time for which a session or connection can remain idle before it is disconnected.

User Session-Timeout and Idle-Timeout can be present in the user-profile RADIUS attributes and can be configured globally. When present, these attributes are applied to each user session and supersede the global configuration.

Service Session-Timeout and Idle-Timeout are configured in the service profile and apply individually to each service connection.

The Idle-Timeout and Session-Timeout attributes in the profile are standard RADIUS attributes as described in RFC 2865.

How to Configure SSG to Log Off Subscribers

This section contains the following tasks:

Configuring SSG Autologoff

Configuring Global SSG Session Timeouts and Idle Timeouts

Troubleshooting SSG Subscriber Logoff

Configuring SSG Autologoff

Perform this task to configure SSG to automatically log off hosts that have lost connectivity with SSG.

Restrictions

The following restrictions apply to the SSG Autologoff feature:

You should use ARP ping only in deployments in which all hosts are directly connected (on Layer 2) to SSG through a broadcast interface, such as an Ethernet interface, or a bridged interface, such as a routed bridge encapsulation (RBE) or integrated routing and bridging (IRB) interface. You can use Internet Control Message Protocol (ICMP) ping in all types of deployment.

ARP ping works only on hosts that have a MAC address. So, for example, ARP ping does not work for PPP users because they do not have a MAC table entry.

ARP ping does not support users with overlapping IP addresses.

SSG autologoff that uses the ARP ping mechanism does not work for hosts that have static ARP entries.

You can use only one method of SSG autologoff at a time: ARP ping or ICMP ping.

Session reuse is not prevented if a malicious host performs a MAC address spoof.

SUMMARY STEPS

1. enable

2. configure terminal

3. ssg auto-logoff arp [match-mac-address] [interval seconds]

4. ssg auto-logoff icmp [timeout milliseconds] [packets number] [interval seconds]

5. ssg intercept dhcp

DETAILED STEPS

 
Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ssg auto-logoff arp [match-mac-address] [interval seconds]
Example: Router(config)# ssg auto-logoff arp match-mac-address interval 60
Purpose: Configures SSG to automatically log off hosts and to use the ARP ping mechanism to detect connectivity.

Step 4
Command or Action: ssg auto-logoff icmp [timeout milliseconds] [packets number] [interval seconds]
Example: Router(config)# ssg auto-logoff icmp timeout 300 packets 3 interval 60
Purpose: Configures SSG to automatically log off hosts that have lost connectivity with SSG and to use the ICMP ping mechanism to detect connectivity.

Step 5
Command or Action: ssg intercept dhcp
Example: Router(config)# ssg intercept dhcp
Purpose: Configures SSG to automatically log off hosts when a DHCPRELEASE is received for an active host object or when the DHCP lease for an active host object expires.

Configuring Global SSG Session Timeouts and Idle Timeouts

To configure global user session timeouts and idle timeouts, perform the following steps.


Note: To configure timeouts specific to RADIUS proxy subscribers, see the "RADIUS Proxy Timers" and "Configuring Timers for RADIUS Proxy" sections in the "Configuring SSG to Serve as a RADIUS Proxy" module.


SUMMARY STEPS

1. enable

2. configure terminal

3. ssg timeouts

4. idle seconds

5. session seconds

DETAILED STEPS

 
Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ssg timeouts
Example: Router(config)# ssg timeouts
Purpose: Enters SSG timeouts configuration mode.

Step 4
Command or Action: idle seconds
Example: Router(ssg-timeouts)# idle 60
Purpose: Sets the global idle timeout.

Step 5
Command or Action: session seconds
Example: Router(ssg-timeouts)# session 60
Purpose: Sets the global session timeout.

Troubleshooting SSG Subscriber Logoff

To troubleshoot SSG subscriber logoff, perform the following steps in any order.

SUMMARY STEPS

1. debug ssg ctrl-errors

2. debug ssg ctrl-events

3. debug ssg ctrl-packets

4. debug ssg data

5. debug ssg dhcp {error | event} [ip-address]

DETAILED STEPS

 
Step 1
Command or Action: debug ssg ctrl-errors
Example: Router# debug ssg ctrl-errors
Purpose: Displays all error messages for control modules.

Step 2
Command or Action: debug ssg ctrl-events
Example: Router# debug ssg ctrl-events
Purpose: Displays all event messages for control modules, including autologoff events.

Step 3
Command or Action: debug ssg ctrl-packets
Example: Router# debug ssg ctrl-packets
Purpose: Displays packet contents handled by control modules.

Step 4
Command or Action: debug ssg data
Example: Router# debug ssg data
Purpose: Displays all data-path packets.

Step 5
Command or Action: debug ssg dhcp {error | event} [ip-address]
Example: Router# debug ssg dhcp error
Purpose: Displays control errors and events related to Service Selection Gateway (SSG) Dynamic Host Configuration Protocol (DHCP) awareness.

Configuration Examples for Configuring SSG to Log Off Subscribers

This section provides the following configuration examples:

SSG Autologoff Using ARP Ping: Example

SSG Autologoff Using ICMP Ping: Example

SSG MAC Address Checking for Autologoff: Example

SSG Autologoff Using SSG/DHCP Awareness: Example

SSG Autologoff Using ARP Ping: Example

The following example shows how to enable SSG autologoff. SSG will use ARP ping to detect connectivity to hosts.

ssg auto-logoff arp interval 60

SSG Autologoff Using ICMP Ping: Example

The following example shows how to enable SSG autologoff. SSG will use ICMP ping to detect connectivity to hosts.

ssg auto-logoff icmp interval 60 timeout 300 packets 3

SSG MAC Address Checking for Autologoff: Example

The following example shows how to enable SSG MAC address checking for autologoff:

ssg auto-logoff arp match-mac-address 

The following example shows how to enable SSG MAC address checking for autologoff and to specify an ARP ping interval of 60 seconds:

ssg auto-logoff arp match-mac-address interval 60

SSG Autologoff Using SSG/DHCP Awareness: Example

The following example shows how to enable SSG autologoff using SSG/DHCP awareness:

ssg intercept dhcp
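
The following is an added example, not part of the Cisco guide: a Python audit that checks a configuration for the logoff settings described in this module and flags the cases that the Restrictions and MAC address checking sections call out. The sample configurations are constructed, the check names are hypothetical, and the script assumes that idle and session appear indented under ssg timeouts, as IOS renders sub-mode commands.

```python
import re

# Constructed sample configurations (not taken from a real device).
WEAK = """\
ssg auto-logoff arp interval 60
ssg auto-logoff icmp timeout 300 packets 3 interval 60
ssg timeouts
 idle 600
"""
HARDENED = """\
ssg auto-logoff arp match-mac-address interval 60
ssg intercept dhcp
ssg timeouts
 idle 600
 session 86400
"""

def ssg_timeouts(lines):
    """Collect idle/session values from the indented 'ssg timeouts' block."""
    found, inside = {}, False
    for line in lines:
        if line.strip() == "ssg timeouts":
            inside = True
        elif inside and line.startswith(" "):
            m = re.fullmatch(r"(idle|session)\s+(\d+)", line.strip())
            if m:
                found[m.group(1)] = int(m.group(2))
        else:
            inside = False  # first non-indented line ends the sub-mode block
    return found

def audit_ssg_logoff(config):
    """Return (check_id, message) findings for SSG subscriber-logoff settings."""
    lines = [l.rstrip() for l in config.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    cmds = [" ".join(l.split()) for l in lines]
    arp = [c for c in cmds if c.startswith("ssg auto-logoff arp")]
    icmp = [c for c in cmds if c.startswith("ssg auto-logoff icmp")]
    findings = []
    if arp and icmp:
        findings.append(("BOTH_METHODS", "ARP and ICMP ping both configured; only one method can be used at a time"))
    if not (arp or icmp or "ssg intercept dhcp" in cmds):
        findings.append(("NO_AUTOLOGOFF", "no autologoff method; unreachable hosts stay logged on until a timeout"))
    if arp and not any("match-mac-address" in c.split() for c in arp):
        findings.append(("NO_MAC_CHECK", "ARP ping without match-mac-address; a host given a reused IP keeps the old session"))
    if icmp and not arp:
        findings.append(("ICMP_NO_MAC_CHECK", "MAC checking runs only with ARP ping; IP reuse is bounded by timeouts only"))
    timeouts = ssg_timeouts(lines)
    for name in ("idle", "session"):
        if name not in timeouts:
            findings.append((f"NO_{name.upper()}_TIMEOUT", f"no global {name} timeout under 'ssg timeouts'"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_ssg_logoff(cfg) or "no findings")
```

A missing global timeout is reported even though per-user RADIUS attributes may still apply, because the global value is what covers sessions whose profile carries none.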

Additional References

The following sections provide references related to disconnecting SSG subscribers and services.

Related Documents

Related Topic: Configuring SESM
Document Title: Cisco Subscriber Edge Services Manager documentation

Related Topic: RADIUS commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS Security Command Reference

Related Topic: RADIUS configuration tasks
Document Title: "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide

Related Topic: SSG commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS Service Selection Gateway Command Reference


RFCs

RFC: RFC 2865
Title: Remote Authentication Dial In User Service (RADIUS)


Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/techsupport


Feature Information for Configuring SSG to Log Off Subscribers

Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(15)B or a later release appear in the table.

For information on a feature in this technology that is not documented here, see the Service Selection Gateway Features Roadmap.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 1 Feature Information for Configuring SSG to Log Off Subscribers 

Feature Name: Configuring SSG to Log Off Subscribers

Releases: 12.2(15)B, 12.3(4)T, 12.4, 15.0(1)M

Feature Configuration Information:

The SSG Autologoff feature supports methods to log subscribers out of SSG.

The following sections provide information about this feature:

Graceful Logoff

Disconnection Through the Web Services Gateways

SSG Autologoff

SSG Session Timeout and Idle Timeout

Configuring SSG Autologoff

Configuring Global SSG Session Timeouts and Idle Timeouts

Troubleshooting SSG Subscriber Logoff

SSG Autologoff Using ARP Ping: Example

SSG Autologoff Using ICMP Ping: Example

SSG MAC Address Checking for Autologoff: Example

SSG Autologoff Using SSG/DHCP Awareness: Example

The following command was introduced by this feature: ssg auto-logoff arp.

This feature was removed in Cisco IOS Release 15.0(1)M.