Downloads |
Table Of Contents
Prerequisites for SSG Transparent Autologon
Restrictions for SSG Transparent Autologon
Information About SSG Transparent Autologon
SSG Transparent Autologon User-to-Service Packet Flow
States of SSG Transparent Autologon Users
Transparent Pass-Through User (TP)
User Waiting for Authorization (WA)
Switching Between Pay-per-Use and Flat-Rate Use
Benefits of SSG Transparent Autologon
How to Configure SSG Transparent Autologon
Configuring SSG Transparent Autologon
Monitoring and Maintaining SSG Transparent Autologon
Configuration Examples for SSG Transparent Autologon
SSG Transparent Autologon Configuration with AAA and RADIUS: Example
AAA User Profile Configuration for Transparent Pass-Through (Flat-Rate) Users: Example
AAA User Profile Configuration for Users with Host Objects (Pay-per-Use): Example
clear ssg user transparent all
clear ssg user transparent passthrough
clear ssg user transparent suspect
packet drop during-authorization
show ssg user transparent authorizing
show ssg user transparent passthrough
show ssg user transparent suspect
show ssg user transparent unidentified
user unidentified traffic permit
SSG Transparent Autologon
The SSG Transparent Autologon feature enables Service Selection Gateway (SSG) to authenticate and authorize a user on the basis of the source IP address of packets received from the user. Depending on how the feature is deployed, SSG will allow the coexistence of the SSG Transparent Autologon feature with other login methods such as Subscriber Edge Services Manager (SESM), RADIUS proxy, and PPP session termination.
Feature History for the SSG Transparent Autologon Feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for SSG Transparent Autologon
•
•
•
•
Prerequisites for SSG Transparent Autologon
SSG authorizes an SSG transparent autologon user by using the IP address of the user in dotted notation as a string. The authentication, authorization, and accounting (AAA) user profile must be configured with the IP addresses in dotted decimal notation as the username. Additionally, the user profiles must all be configured with the same password.
Restrictions for SSG Transparent Autologon
Hosts with overlapping IP addresses are not supported.
Idle timeouts and session timeouts are the only features that can be applied to transparent pass-through users. Other features, such as quality of service and accounting, can be applied to users that have host objects only.
Information About SSG Transparent Autologon
Before you configure this feature, you should understand the following concepts:
•
•
•
•
SSG Transparent Autologon User-to-Service Packet Flow
The SSG Transparent Autologon feature enables SSG to authenticate and authorize users on the basis of the source IP address of packets received on an SSG downlink interface, without any previous authentication phase. SSG authorizes users by using information from the AAA server when the first IP packet is received from the user.
An SSG transparent autologon user will be in one of the following states.
•
•
•
•
•
Information about these states is provided in the user-to-service packet flow description that follows and in the "States of SSG Transparent Autologon Users" section.
Figure 1 is a diagram of the user-to-service packet flow when SSG transparent autologon is enabled. The process is illustrated in the following steps:
1.
2.
3.
Access Accept—If the user profile received as part of the Access Accept has a Transparent User (TP) attribute, the user is added to the list of valid users as a transparent pass-through user (TP), and the user state is changed from WA to TP. If there is no TP attribute in the user profile, a full host object is created.
Access Reject—The user is marked as a suspect user (SP), and the user state is changed from WA to SP.
Unidentified User—If there is no response (NR) to the access request from the AAA server, the user is marked as unidentified (NR).
4.
If the AAA server responds with an Access Accept, traffic will be handled as follows:
–
–
If the AAA server responds with an Access Reject, traffic will be handled as follows:
–
If there is no response from the AAA server, traffic will be handled as follows:
–
5.
Waiting for authorization (WA) user—User traffic will be allowed on the basis of the CLI configuration. The user will be in the WA state until SSG receives a response from the AAA server or the AAA request times out.
Figure 1 User-to-Service Packet Flow
States of SSG Transparent Autologon Users
The following sections describe the SSG transparent autologon user states:
•
•
User with Host Object
Using SSG transparent autologon, the host object user can be logged on in one of three ways:
1.
2.
3.
Note
Transparent Pass-Through User (TP)
If the response to the AAA authorization results in an Access Accept, the user is treated as either a host object or a transparent pass-through user. A transparent pass-through user (TP) is a user who has the TP attribute configured in his user profile. SSG does not create host objects for TP users; instead the user is added to the TP user cache.
For TP users, SSG honors only idle timeout and session timeout attributes. If other attributes are present, they are ignored.
The TP user model is useful for flat-rate users, where no accounting or differentiated services are required. Accounting records are not sent for the transparent pass-through users, even if accounting is enabled on the device.
For flat-rate users, data is forwarded to the service network on the basis of global Cisco IOS routing.
Note
Idle timeouts and session timeouts can be configured in the user profiles for transparent pass-through users or globally though the CLI. The idle timeout and session timeout values configured in the user profile take precedence over the values configured globally.
User Waiting for Authorization (WA)
While SSG is waiting for the AAA server's response to the request for authorization, the user is treated as waiting for authorization (WA). If a user is marked as WA, packets received from the user are dropped or forwarded, depending on the CLI configuration. By default, packets are forwarded.
The number of WA users increases if the AAA server response is very slow or the rate of authorization is high.
If the number of access requests waiting for authorization exceeds a configured value, any packet that causes SSG to send an authorization request is dropped in the CEF path. This packet drop reduces the number of packets in the process path that will trigger user authorization.
To protect the AAA server from processing too many requests per second, SSG can be configured to throttle the number of access requests per second. If the maximum is reached, a syslog message is generated.
Suspect User (SP)
If the response to the AAA server authorization request causes an Access Reject, the user is marked as a suspect user (SP). Packets received from an SP user are dropped or TCP-redirected. The user remains marked as SP for one hour (by default) or for a length of time configured in the CLI.
Too many SP users can cause SSG to consume all its memory maintaining the SP cache. To counter this, SSG provides a CLI command to configure the maximum number of SP users maintained by SSG. If the SP user count exceeds this maximum value, a syslog message is generated, and SSG does not add new SP users to the SP user cache.
Unidentified User (NR)
If there is no response from the AAA server for an authorization request and the authorization request times out, the user is changed from WA to no response (NR). SSG logs a syslog message when there is no response from the AAA server.
Packets received from NR users are dropped, TCP-redirected, or forwarded using Cisco IOS routing, depending on the CLI configuration. By default, packets received from NR users are dropped or TCP-redirected.
Switching Between Pay-per-Use and Flat-Rate Use
Transition from Flat-Rate User to Pay-per-Use User
A flat-rate/TP user can log on through SESM or some external device. SSG creates the host object for this user and removes the entry from the TP user list.
Transition from Pay-per-Use User to Flat-Rate User
An external device sends an account logoff request to SSG. After account logoff, SSG will log the user as a transparent pass-through user when SSG receives the next IP packet from this user.
Benefits of SSG Transparent Autologon
With the SSG Transparent Autologon feature, SSG provides the following functionality:
•
•
How to Configure SSG Transparent Autologon
This section contains the following procedures:
•
•
Configuring SSG Transparent Autologon
Perform this task to configure SSG transparent autologon.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Monitoring and Maintaining SSG Transparent Autologon
Perform this task to monitor and maintain SSG transparent autologon. Step 1 is required. Steps 2 through 11 are optional and need not be performed in any particular order.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Configuration Examples for SSG Transparent Autologon
This section provides the following configuration examples:
•
•
•
SSG Transparent Autologon Configuration with AAA and RADIUS: Example
The following example shows the configuration of SSG transparent autologon.
!aaa new-model!!aaa group server radius TEST1server 23.0.0.100 auth-port 1646 acct-port 1646!aaa authentication ppp default group TEST1aaa authorization network default group radius!ip cef!ssg enablessg accounting interval 1800ssg accounting stop rate-limit 100ssg default-network 23.0.0.0 255.0.0.0ssg service-password ciscossg radius-helper auth-port 1812 acct-port 1813ssg radius-helper key ciscossg maxservice 20ssg service-cache refresh-interval 10ssg bind service SURF 22.0.0.1ssg bind service CORP 22.0.0.1ssg bind service pass-through 24.0.0.1ssg bind service pass-through1 22.0.0.1ssg bind service SURF101 22.0.0.1!ssg radius-proxyserver-port auth 1812 acct 1813client-address 21.0.0.1key cisco!forward accounting-start-stop!ssg tcp-redirectserver-group group-nameserver 1.1.1.1 100!redirect access-list 101 to group-name!! The following commands configure SSG transparent autologon.ssg login transparentauthorization list TEST1authorization pending maximum 1200authorization rate-limit 100user suspect timeout 600user suspect maximum 1000user unidentified timeout 600user unidentified traffic permitpacket drop during-authorization!!ssg service-search-order remote local!!interface FastEthernet2/0ip address 21.0.0.2 255.0.0.0duplex fullssg direction downlink!interface FastEthernet3/0ip address 24.0.0.2 255.0.0.0duplex autospeed autossg direction uplink!interface FastEthernet4/0ip address 22.0.0.2 255.0.0.0duplex fullssg direction uplink!!radius-server host 23.0.0.1 auth-port 1812 acct-port 1813 key cisco!AAA User Profile Configuration for Transparent Pass-Through (Flat-Rate) Users: Example
The following example shows the configuration of the AAA user profile for a transparent pass-through user. Note that the username is the user's IP address.
10.0.0.1 Password = "servicecisco"Cisco-SSG-Account-Info = "TP",Idle-Timeout = 600Session-Timeout = 3600AAA User Profile Configuration for Users with Host Objects (Pay-per-Use): Example
The following example shows the configuration of the AAA user profile for a user with a host object (pay-per-use user). Note that the username is the user's IP address.
10.0.0.1 Password = "servicecisco"Cisco-SSG-Account-Info = "Ainternet-Service",Idle-Timeout = 600Session-Timeout = 3600Additional References
The following sections provide references related to the SSG Transparent Autologon feature.
Related Documents
SSG commands
Cisco IOS Wide-Area Networking Command Reference, Release 12.3 T
SSG configuration tasks
Service Selection Gateway, Release 12.3(4)T new-feature document
SSG TCP Redirect for Services, Release 12.2(13)T new-feature document
SESM
Cisco Subscriber Edge Services Manager
RADIUS commands
Cisco IOS Security Command Reference, Release 12.3 T
RADIUS configuration tasks
Standards
MIBs
RFCs
Technical Assistance
Command Reference
This section documents the following new commands:
•
•
•
•
•
•
•
•
•
•
•
authorization list
To specify the server group that Service Selection Gateway (SSG) uses for authorization of transparent autologon users, use the authorization list command in transparent auto-logon configuration mode. To remove the server group specification, use the no form of this command.
authorization list list-name
no authorization list list-name
Syntax Description
list-name
Name of the server group that will be used for authorization of transparent autologon users.
Defaults
If no server group is specified, or if the server group configuration is removed with the no form of the command, SSG uses the default server group for user authorization.
Command Modes
Transparent auto-logon configuration
Command History
Usage Guidelines
The server group must be configured using authentication, authorization, and accounting (AAA) commands.
Examples
The following example configures SSG to use the server group named "alpha" for authorization of transparent autologon users:
Router(config-login-transparent)# authorization list alphaRelated Commands
authorization pending maximum
To specify the maximum number of Service Selection Gateway (SSG) transparent autologon access requests that can be pending at a given time, use the authorization pending maximum command in transparent auto-logon configuration mode. To remove the specification, use the no form of this command.
authorization pending maximum number
no authorization pending maximum number
Syntax Description
Defaults
No maximum limit
Command Modes
Transparent auto-logon configuration
Command History
Usage Guidelines
When the number of SSG transparent autologon access requests reaches the configured maximum, SSG issues a syslog message. Any received packets that cause SSG to send a new RADIUS request are dropped at the Cisco Express Forwarding (CEF) path.
Examples
The following example specifies that the maximum number of access requests that can be pending is 10:
Router(config-login-transparent)# authorization pending maximum 10Related Commands
authorization rate-limit
To specify the maximum number of Service Selection Gateway (SSG) transparent autologon authorization requests sent per second to the authentication, authorization, and accounting (AAA) server, use the authorization rate-limit command in transparent auto-logon configuration mode. To remove the specification, use the no form of this command.
authorization rate-limit number
no authorization rate-limit number
Syntax Description
Defaults
No rate limit
Command Modes
Transparent auto-logon configuration
Command History
Usage Guidelines
This command must be configured on the basis of the number of requests that the AAA server can handle per second. When the number of authorization requests per second reaches the configured rate limit, SSG issues a syslog message. A syslog message is generated only once for each time the rate-limit value is reached.
Examples
The following example specifies that the maximum number of authorization requests is 10:
Router(config-login-transparent)# authorization rate-limit 10Related Commands
clear ssg user transparent all
To delete all Service Selection Gateway (SSG) transparent autologon transparent pass-through (TP), suspect (SP), unidentified (NR), and authorizing (WA) users, use the clear ssg user transparent all command in privileged EXEC mode.
clear ssg user transparent all
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to clear all SSG transparent autologon users, including pass-through (TP), suspect (SP), unidentified (NR), and authorizing (WA) users.
Examples
The following example deletes all TP, SP, NR, and WA users:
Router# clear ssg user transparent allRelated Commands
clear ssg user transparent passthrough
To delete Service Selection Gateway (SSG) transparent autologon transparent pass-through (TP) users, use the clear ssg user transparent passthrough command in privileged EXEC mode.
clear ssg user transparent passthrough {all | ip-address}
Syntax Description
all
Deletes all pass-through user entries.
ip-address
Deletes the entry for the specified IP address.
Command Modes
Privileged EXEC
Command History
Examples
The following example deletes all pass-through user entries:
Router# clear ssg user transparent passthrough allRelated Commands
clear ssg user transparent suspect
To delete Service Selection Gateway (SSG) transparent autologon suspect (SP) user entries, use the clear ssg user transparent suspect command in privileged EXEC mode.
clear ssg user transparent suspect {all | ip-address}
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
An SSG transparent autologon suspect (SP) user is a user whose authentication, authorization, and accounting (AAA) authorization resulted in an Access Reject.
Examples
The following example deletes all suspect user entries:
Router# clear ssg user transparent suspectRelated Commands
debug ssg transparent login
To display all the Service Selection Gateway (SSG) transparent login control events or errors, use the debug ssg transparent login command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug ssg transparent login {errors | events} [ip-address]
no debug ssg transparent login {errors | events} [ip-address]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command when troubleshooting SSG for problems related to transparent autologon users.
Examples
The examples in this section show sample output for the debug ssg transparent login command. The output is self-explanatory.
Unidentified (NR) User Example
*Jan 15 12:34:47.847:SSG-TAL-EVN:100.0.0.2 :Added entry successfully*Jan 15 12:34:47.847:SSG-TAL-EVN:100.0.0.2 :Attempting authorization*Jan 15 12:34:47.847:SSG-TAL-EVN:100.0.0.2 :Attempting to send authorization request*Jan 15 12:35:09.711:SSG-TAL-EVN:100.0.0.2 :Authorization response received*Jan 15 12:35:09.711:SSG-TAL-EVN:100.0.0.2 :Authorization timedout. User statechanged to unidentified*Jan 15 12:35:09.711:%SSG-5-SSG_TAL_NR:SSG TAL :No response from AAA server. AAA server might be down or overloaded.*Jan 15 12:35:09.711:SSG-TAL-EVN:100.0.0.2 :Start SP/NR entry timeout timer for 10 minsTransparent Pass-Through (TP) User Example
*Jan 15 12:40:39.875:SSG-TAL-EVN:100.0.0.2 :Added entry successfully*Jan 15 12:40:39.875:SSG-TAL-EVN:100.0.0.2 :Attempting authorization*Jan 15 12:40:39.875:SSG-TAL-EVN:100.0.0.2 :Attempting to send authorization request*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :Authorization response received*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :Parsing profile for TP attribute*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :TP attribute found - Transparent user*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :Stop SP/NR timer*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :Idle timer started for 0 secs*Jan 15 12:40:39.879:SSG-TAL-EVN:100.0.0.2 :Session timer started for 0 secsSuspect User (SP) Example
*Jan 15 12:43:25.363:SSG-TAL-EVN:10.10.10.10 :Added entry successfully*Jan 15 12:43:25.363:SSG-TAL-EVN:10.10.10.10 :Attempting authorization*Jan 15 12:43:25.363:SSG-TAL-EVN:10.10.10.10 :Attempting to send authorization request*Jan 15 12:43:25.939:SSG-TAL-EVN:10.10.10.10 :Authorization response received*Jan 15 12:43:25.939:SSG-TAL-EVN:10.10.10.10 :Access reject from AAA server. Userstate changed to suspect*Jan 15 12:43:25.939:SSG-TAL-EVN:10.10.10.10 :Start SP/NR entry timeout timer for 60 minsClear All Users Example
The following is sample output for the debug ssg transparent login command when used after all transparent autologon users have been cleared by using the clear ssg user transparent all command.
*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10 :Entry removed*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10 :Stop SP/NR timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10 :Stop Idle timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.10.10.10 :Stop session timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11 :Entry removed*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11 :Stop SP/NR timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11 :Stop Idle timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.11.11.11 :Stop session timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2 :Entry removed*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2 :Stop SP/NR timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2 :Stop Idle timer*Jan 15 12:47:08.943:SSG-TAL-EVN:10.0.0.2 :Stop session timerRelated Commands
packet drop during-authorization
To specify that packets received from the user during authorization will be dropped, use the packet drop during-authorization command in transparent auto-logon configuration mode. To remove the configuration, use the no form of this command.
packet drop during-authorization
no packet drop during-authorization
Syntax Description
This command has no arguments or keywords.
Defaults
Packet drop during authorization is disabled, and packets from the authorizing user are forwarded.
Command Modes
Transparent auto-logon configuration
Command History
Usage Guidelines
Use this command for configuring data traffic packet drop for users that are waiting for authorization (WA).
Examples
The following example specifies that packets received from the user during authorization will be dropped:
Router(config-login-transparent)# packet drop during-authorizationRelated Commands
show ssg user transparent
To display a list of all the Service Selection Gateway (SSG) transparent autologon users, use the show ssg user transparent command in privileged EXEC mode.
show ssg user transparent
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display the IP addresses and the states of all transparent autologon users that are active on SSG. The transparent autologon user states are passthrough (TP), suspect (SP), unidentified (NR), and waiting for authorization (WA).
Examples
The following is sample output from the show ssg user transparent command:
Router# show ssg user transparent10.10.10.10 Passthrough11.11.11.11 Suspect120.120.120.120 Authorizing### Total number of transparent users: 3Related Commands
show ssg user transparent authorizing
To display a list of all Service Selection Gateway (SSG) transparent autologon users for whom authorization is in progress and who are waiting for authentication, authorization, and accounting (AAA) server response, use the show ssg user transparent authorizing command in privileged EXEC mode.
show ssg user transparent authorizing [count]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display all Service Selection Gateway (SSG) transparent autologon users that are waiting for authorization (WA).
Examples
The following is sample output from the show ssg user transparent authorizing command with the count keyword:
Router# show ssg user transparent authorizing count### Total number of WA users : 1Related Commands
show ssg user transparent passthrough
To display information about Service Selection Gateway (SSG) transparent autologon pass-through users, use the show ssg user transparent passthrough command in privileged EXEC mode.
show ssg user transparent passthrough [ip-address | count]
Syntax Description
ip-address
(Optional) Display details for specified user IP address.
count
(Optional) Displays the number of pass-through users.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display all SSG transparent autologon pass-through (TP) users that are active on SSG.
Examples
The following is sample output from the show ssg user transparent passthrough command for the user having IP address 10.10.10.10:
Router# show ssg user transparent passthrough 10.10.10.10User IP Address : 10.10.10.10Session Timeout : 200 (seconds)Idle Timeout : 100 (seconds)User logged on since : *16:33:57.000 GMT Mon May 19 2003User last activity at : *16:33:57.000 GMT Mon May 19 2003Current Time : *16:35:17.000 GMT Mon May 19 2003Related Commands
show ssg user transparent suspect
To display a list of all Service Selection Gateway (SSG) transparent autologon suspect (SP) user IP addresses, use the show ssg user transparent suspect command in privileged EXEC mode.
show ssg user transparent suspect [count]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
An SSG transparent autologon suspect user is a user whose authentication, authorization, and accounting (AAA) authorization resulted in an Access Reject.
Examples
The following is sample output from the show ssg user transparent suspect command with and without the count keyword:
Router# show ssg user transparent suspect count### Total number of SP users : 1Router# show ssg user transparent suspect94.0.0.1### Total number of SP users : 1Router#Related Commands
show ssg user transparent unidentified
To display a list of Service Selection Gateway (SSG) transparent autologon users for whom there is no response from the authentication, authorization, and accounting (AAA) server to an authorization request (unidentified users), use the show ssg user transparent unidentified command in privileged EXEC mode.
show ssg user transparent unidentified [count]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display all SSG transparent autologon unidentified (NR) users that are active on the SSG.
Examples
The following is sample output from the show ssg user transparent unidentified command with and without the count keyword:
Router# show ssg user transparent unidentified count### Total number of NR (Unidentified) users : 1Router# show ssg user transparent unidentified93.0.0.1### Total number of NR (Unidentified) users : 1Router#Related Commands
ssg login transparent
To enable the SSG Transparent Autologon feature and enable transparent auto-logon configuration mode, use the ssg login transparent command in global configuration mode. To disable the Transparent Autologon feature, remove all the commands that were configured under transparent auto-logon mode, log off all the transparent autologon users, and refuse new logons, use the no form of this command.
ssg login transparent
no ssg login transparent
Syntax Description
This command has no arguments or keywords.
Defaults
The SSG Transparent Autologon feature is disabled by default.
Command Modes
Global configuration
Command History
Examples
The following example enables the SSG Transparent Autologon feature:
Router(config)# ssg login transparentRelated Commands
show ssg user transparent
Displays a list of all the SSG transparent autologon users.
user suspect maximum
To specify the maximum number of Service Selection Gateway (SSG) transparent autologon suspect (SP) users that can be added to the suspect user list, use the user suspect maximum command in transparent auto-logon configuration mode. To remove the specification, use the no form of this command.
user suspect maximum value
no user suspect maximum value
Syntax Description
value
Maximum number of suspect users that can be added to the SP list. Valid range is from 10 to 5000. The default is 5000.
Defaults
The default maximum number of suspect users that can be added to the suspect user list is 5000.
Command Modes
Transparent auto-logon configuration
Command History
Usage Guidelines
An SSG transparent autologon suspect user is a user whose authentication, authorization, and accounting (AAA) authorization resulted in an access reject.
If the number of suspect users exceeds the maximum value configured, SSG sends a syslog message and does not add any further users to the SP list.
Examples
The following example specifies that the maximum number of suspect users that can be added to the SP list is 200:
Router(config-login-transparent)# user suspect maximum 200Related Commands
user suspect timeout
To specify the maximum length of time for which a Service Selection Gateway (SSG) transparent autologon suspect (SP) user remains in the suspect user list, use the user suspect timeout command in transparent auto-logon configuration mode. To return to the default length of time, use the no form of this command.
user suspect timeout timeout
no user suspect timeout timeout
Syntax Description
timeout
Maximum length of time (in minutes) that a suspect user remains in the suspect user list. Range is from 1 to 34560. Default is 60 minutes.
Defaults
60 minutes
Command Modes
Transparent auto-logon configuration
Command History
Usage Guidelines
If a packet is received for a user who is marked as an SP user, packets to or from this user are dropped or TCP-redirected until the timeout value is reached. When the timeout value is reached, any new traffic received by SSG from the user triggers the transparent logon procedure.
Examples
The following example specifies that a suspect user will remain in the suspect user list for 30 minutes:
Router(config-login-transparent)# user suspect timeout 30Related Commands
user unidentified timeout
To specify the maximum length of time for which a Service Selection Gateway (SSG) transparent autologon unidentified user remains marked as no response (NR), use the user unidentified timeout command in transparent auto-logon configuration mode. To return to the default timeout value (10 minutes), use the no form of this command.
user unidentified timeout timeout
no user unidentified timeout timeout
Syntax Description
Defaults
10 minutes
Command Modes
Transparent auto-logon
Command History
Usage Guidelines
An unidentified user is marked NR if there is no response from the authentication, authorization, and accounting (AAA) server to an authorization request and the authorization request times out.
If a packet is received for a user who is marked as an NR user, packets to or from this user are dropped or TCP-redirected until the timeout value is reached. When the timeout value is reached, any new traffic received by SSG from the user triggers the transparent logon procedure.
Examples
The following example sets the user unidentified timeout to 5 minutes:
Router(config-login-transparent)# user unidentified timeout 5Related Commands
user unidentified traffic permit
To specify that packets received from a Service Selection Gateway (SSG) transparent autologon user whose authorization request has timed out will be forwarded or received, use the user unidentified traffic permit command in transparent auto-logon configuration mode. To return to the default (packets dropped if user authorization has timed out), use the no form of this command.
user unidentified traffic permit
no user unidentified traffic permit
Syntax Description
This command has no arguments or keywords.
Defaults
Packets received from a user whose authorization request has timed out are dropped.
Command Modes
Transparent auto-logon configuration
Command History
Usage Guidelines
Configuring this command allows traffic flow for NR users toward the service network.
Examples
The following example specifies that packets received from a user whose authorization request has timed out will be forwarded or received:
Router(config-login-transparent)# user unidentified traffic permitRelated Commands
Copyright © 2003-2004 Cisco Systems, Inc. All rights reserved.
