Configuring SSG to Log Off Subscribers
First Published: May 2, 2005
Last Updated: October 2, 2009
Note: Effective with Cisco IOS Release 15.0(1)M, this feature is not available in Cisco IOS software.
Service Selection Gateway (SSG) supports the following methods of subscriber logoff:
• Graceful logoff, in which the subscriber initiates the logoff procedure at the end of a session
• Disconnection through the Web Services Gateway (WSG)
• The SSG Autologoff feature, which automatically logs off SSG subscribers
• Session timeouts and idle timeouts
This document describes these logoff methods and explains how to configure SSG to implement them.
Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring SSG to Log Off Subscribers" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Configuring SSG to Log Off Subscribers
• Information About Configuring SSG to Log Off Subscribers
• How to Configure SSG to Log Off Subscribers
• Configuration Examples for Configuring SSG to Log Off Subscribers
• Additional References
• Feature Information for Configuring SSG to Log Off Subscribers
Prerequisites for Configuring SSG to Log Off Subscribers
Before you can perform the tasks in this module, SSG must be enabled.
The tasks in this document assume that you know how to configure Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP).
Information About Configuring SSG to Log Off Subscribers
To configure SSG to log off subscribers, you should understand the following concepts:
• Graceful Logoff
• Disconnection Through the Web Services Gateways
• SSG Autologoff
• SSG Session Timeout and Idle Timeout
Graceful Logoff
Graceful logoff occurs when the subscriber decides to end a session and clicks the Log Off button. This is the typical method of ending a session, and SSG supports it by default; you do not have to configure SSG to support graceful logoff.
Disconnection Through the Web Services Gateways
A third-party management tool can use a Web Services Gateway (WSG), which is part of Cisco's Subscriber Edge Services Manager (SESM) system, to send logoff messages to SSG. For information about configuring SESM to support disconnection through WSGs, refer to the Cisco Subscriber Edge Services Manager documentation. You do not have to configure SSG to support disconnection through WSGs.
SSG Autologoff
When SSG automatic logoff (autologoff) is configured, SSG checks the status of the connection with each host at configured intervals. If SSG finds that a host is not reachable, SSG automatically initiates the logoff of that host. SSG has two methods of checking the connectivity of hosts: ARP ping and ICMP ping. The following sections provide more information about SSG Autologoff:
• SSG Autologoff Using ARP Ping
• SSG Autologoff Using ICMP Ping
• SSG Autologoff Using SSG/DHCP Awareness
• MAC Address Checking for Autologoff
• Benefits of SSG Autologoff
SSG Autologoff Using ARP Ping
ARP is an Internet protocol used to map IP addresses to MAC addresses. For directly connected devices, the router broadcasts ARP requests that contain IP address information. When an IP address is successfully associated with a MAC address, the router stores the information in the ARP cache.
When SSG autologoff is configured to use ARP ping, SSG periodically refreshes the ARP entry. If the ARP entry is not found, SSG initiates autologoff for the host.
If any data traffic is flowing to or from the host during the interval, SSG does not ping the host.
Note: ARP ping should be used only in deployments where all hosts are directly connected to SSG through a broadcast interface, such as an Ethernet interface, or a bridged interface, such as a routed bridge encapsulation (RBE) or an integrated routing and bridging (IRB) interface.
ARP request packets are smaller than ICMP ping packets, so Cisco recommends that you configure SSG autologoff to use ARP ping in deployments where hosts are directly connected.
MAC Address Checking for Autologoff
You can configure SSG to check the MAC address of a host each time that SSG performs an ARP ping. If SSG finds that the MAC address of the host has changed, SSG automatically initiates the logoff of that host.
SSG Autologoff Using ICMP Ping
ICMP is a network-layer Internet protocol that reports errors and provides other information relevant to IP packet processing. An ICMP ping is the echo message and echo-reply message used to check for connectivity between devices.
When SSG autologoff is configured to use the ICMP ping mechanism, SSG pings the host to check connectivity until an ICMP response (successful ping) is obtained or the allowable number of tries is used up. If all the tries are used up and the ping was unsuccessful, SSG initiates logoff for that host. Pinging occurs once every configured interval.
As with ARP ping, if any data traffic to or from the host is found during the interval, SSG will not ping the host because reachability was established by the data traffic.
ICMP ping works in all types of deployments and supports overlapping IP users.
SSG Autologoff Using SSG/DHCP Awareness
When a subscriber's router acts as either an IOS DHCP server or an IOS DHCP relay agent and the subscriber is a DHCP client, configuring SSG/DHCP Awareness causes SSG to remove the SSG host object in either of two cases: when a DHCPRELEASE is received for an active host object, or when the DHCP lease for an active host object expires.
For more information on SSG Autologoff Using SSG/DHCP Awareness, see the Configuring SSG On-Demand IP Address Renewal and SSG/DHCP Awareness module.
Benefits of SSG Autologoff
The SSG Autologoff feature enables service providers that use SSG to offer subscribers per-minute billing plans for services. SSG autologoff also prevents subscribers from being charged for periods of time in which they were not active.
SSG MAC address checking enables service providers that use SSG to prevent a malicious host from spoofing the IP address of a logged-on host and accessing the logged-on host's services. The MAC address-checking functionality allows service providers to prevent SSG host session reuse when a Dynamic Host Configuration Protocol (DHCP) server assigns the same IP address to a second host because the first host released its IP address (through either a lease-time expiration or an explicit DHCP release), but did not log off from SSG.
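The ARP ping decision and the MAC address check described above can be modelled in a few lines. This is an added illustration, not Cisco code: the class and function names are hypothetical, the addresses are constructed from documentation ranges, and the model follows only the behaviour stated in this module.

```python
from dataclasses import dataclass


@dataclass
class HostSession:
    ip: str
    login_mac: str  # MAC address seen when the subscriber logged on


def arp_autologoff_check(session, arp_cache, traffic_seen, match_mac_address):
    """Model one autologoff interval; return the action taken for the host."""
    if traffic_seen:
        # Data traffic in the interval already shows reachability: no ARP ping.
        return "skip-ping"
    current_mac = arp_cache.get(session.ip)  # outcome of refreshing the ARP entry
    if current_mac is None:
        return "logoff:unreachable"
    if match_mac_address and current_mac.lower() != session.login_mac.lower():
        return "logoff:mac-changed"
    return "keep-session"


def run_scenarios():
    """Constructed cases; addresses come from documentation ranges."""
    first = HostSession(ip="192.0.2.10", login_mac="0000.5e00.5301")
    same_host = {"192.0.2.10": "0000.5e00.5301"}
    second_host = {"192.0.2.10": "0000.5e00.5302"}  # DHCP reassigned the address
    return {
        "host still connected": arp_autologoff_check(first, same_host, False, True),
        "host active, traffic seen": arp_autologoff_check(first, same_host, True, True),
        "host gone, no ARP entry": arp_autologoff_check(first, {}, False, True),
        "IP reassigned, MAC check off": arp_autologoff_check(first, second_host, False, False),
        "IP reassigned, MAC check on": arp_autologoff_check(first, second_host, False, True),
        # Documented restriction: a host presenting the original MAC is not caught.
        "IP reused with same MAC": arp_autologoff_check(first, same_host, False, True),
    }


if __name__ == "__main__":
    for case, action in run_scenarios().items():
        print(f"{case:32} -> {action}")
```

Only the case with the MAC check enabled ends the stale session after the address is reassigned; the last case returns the same result as a host that never left, which is the restriction on MAC address spoofing listed for this feature.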
SSG Session Timeout and Idle Timeout
In a dialup networking or bridged (non-PPP) network environment, a user can disconnect from the network access server (NAS) and release the IP address without logging out from SSG. Potentially, the NAS could assign the same IP address to another user. In this kind of instance, SSG continues to allow traffic to pass from that IP address. SSG provides two mechanisms to prevent this problem from occurring:
Session-Timeout—An attribute that specifies the maximum length of time for which a host or connection can remain continuously active.
Idle-Timeout—An attribute that specifies the maximum length of time for which a session or connection can remain idle before it is disconnected.
User Session-Timeout and Idle-Timeout can be present in the user-profile RADIUS attributes and can be configured globally. When present, these attributes are applied to each user session and supersede the global configuration.
Service Session-Timeout and Idle-Timeout are configured in the service profile and apply individually to each service connection.
The Idle-Timeout and Session-Timeout attributes in the profile are standard RADIUS attributes as described in RFC 2865.
How to Configure SSG to Log Off Subscribers
This section contains the following tasks:
• Configuring SSG Autologoff
• Configuring Global SSG Session Timeouts and Idle Timeouts
• Troubleshooting SSG Subscriber Logoff
Configuring SSG Autologoff
Perform this task to configure SSG to automatically log off hosts that have lost connectivity with SSG.
Restrictions
The following restrictions apply to the SSG Autologoff feature:
• You should use only ARP ping in deployments in which all hosts are directly connected (on Layer 2) to SSG through a broadcast interface such as an Ethernet interface or a bridged interface such as a routed bridge encapsulation or integrated routing and bridging (IRB) interface. You can use Internet Control Message Protocol (ICMP) ping in all types of deployment.
• ARP ping works only on hosts that have a MAC address. So, for example, ARP ping does not work for PPP users because they do not have a MAC table entry.
• ARP ping does not support overlapping users' IP addresses.
• SSG autologoff that uses the ARP ping mechanism does not work for hosts that have static ARP entries.
• You can use only one method of SSG autologoff at a time: ARP ping or ICMP ping.
• Session reuse is not prevented if a malicious host performs a MAC address spoof.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg auto-logoff arp [match-mac-address] [interval seconds]
4. ssg auto-logoff icmp [timeout milliseconds] [packets number] [interval seconds]
5. ssg intercept dhcp
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Router> enable | Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 | configure terminal | Router# configure terminal | Enters global configuration mode. |
| Step 3 | ssg auto-logoff arp [match-mac-address] [interval seconds] | Router(config)# ssg auto-logoff arp match-mac-address interval 60 | Configures SSG to automatically log off hosts and to use the ARP ping mechanism to detect connectivity. |
| Step 4 | ssg auto-logoff icmp [timeout milliseconds] [packets number] [interval seconds] | Router(config)# ssg auto-logoff icmp timeout 300 packets 3 interval 60 | Configures SSG to automatically log off hosts that have lost connectivity with SSG and to use the ICMP ping mechanism to detect connectivity. |
| Step 5 | ssg intercept dhcp | Router(config)# ssg intercept dhcp | Configures SSG to automatically log off hosts when a DHCPRELEASE is received for an active host object or when the DHCP lease for an active host object expires. |
Configuring Global SSG Session Timeouts and Idle Timeouts
To configure user global session timeouts and idle timeouts, perform the following steps.
Note: To configure timeouts specific to RADIUS proxy subscribers, see the "RADIUS Proxy Timers" and "Configuring Timers for RADIUS Proxy" sections in the "Configuring SSG to Serve as a RADIUS Proxy" module.
SUMMARY STEPS
1. enable
2. configure terminal
3. ssg timeouts
4. idle seconds
5. session seconds
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | enable | Router> enable | Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 | configure terminal | Router# configure terminal | Enters global configuration mode. |
| Step 3 | ssg timeouts | Router(config)# ssg timeouts | Enters SSG timeouts configuration mode. |
| Step 4 | idle seconds | Router(ssg-timeouts)# idle 60 | Sets the global idle timeout. |
| Step 5 | session seconds | Router(ssg-timeouts)# session 60 | Sets the global session timeout. |
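One way to check a configuration fragment against the autologoff restrictions and the global timeout settings described in this section before it is applied. This is an added example, not part of the Cisco documentation: the function name, finding codes and sample fragments are hypothetical, and the indented layout of the sub-commands under ssg timeouts is an assumption.

```python
import re

# Constructed sample fragments (not taken from a real device); they use only
# commands documented in this module. Timeout values are illustrative.
WEAK_CONFIG = """\
ssg auto-logoff arp interval 60
ssg auto-logoff icmp timeout 300 packets 3 interval 60
"""

HARDENED_CONFIG = """\
ssg auto-logoff arp match-mac-address interval 60
ssg intercept dhcp
ssg timeouts
 idle 300
 session 3600
"""


def audit_ssg_logoff(config: str) -> list:
    """Return finding codes for an SSG logoff configuration fragment."""
    methods, arp_line, dhcp_aware = set(), "", False
    timeouts, in_timeouts = {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if in_timeouts and raw[0].isspace():
            # Assumed layout: sub-commands are indented under "ssg timeouts".
            m = re.fullmatch(r"(idle|session)\s+(\d+)", line)
            if m:
                timeouts[m.group(1)] = int(m.group(2))
            continue
        in_timeouts = line == "ssg timeouts"
        m = re.match(r"ssg auto-logoff (arp|icmp)\b", line)
        if m:
            methods.add(m.group(1))
            if m.group(1) == "arp":
                arp_line = line
        elif line == "ssg intercept dhcp":
            dhcp_aware = True

    findings = []
    if methods == {"arp", "icmp"}:
        # Restriction: only one autologoff method can be used at a time.
        findings.append("both-methods")
    if not methods and not dhcp_aware:
        # Nothing logs off a host that silently leaves the network.
        findings.append("no-autologoff")
    if "arp" in methods and "match-mac-address" not in arp_line.split():
        # Without the MAC check, a second host given the same IP keeps the session.
        findings.append("arp-without-mac-check")
    for key in ("idle", "session"):
        if key not in timeouts:
            # Global fallback missing; only RADIUS profile timeouts would apply.
            findings.append(f"no-global-{key}-timeout")
    return findings
```

Calling audit_ssg_logoff(WEAK_CONFIG) reports the conflicting methods, the missing MAC check and both missing global timeouts, while HARDENED_CONFIG returns an empty list.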
Troubleshooting SSG Subscriber Logoff
To troubleshoot SSG subscriber logoff, perform the following steps in any order.
SUMMARY STEPS
1. debug ssg ctrl-errors
2. debug ssg ctrl-events
3. debug ssg ctrl-packets
4. debug ssg data
5. debug ssg dhcp {error | event} [ip-address]
DETAILED STEPS
| Step | Command or Action | Example | Purpose |
|---|---|---|---|
| Step 1 | debug ssg ctrl-errors | Router# debug ssg ctrl-errors | Displays all error messages for control modules. |
| Step 2 | debug ssg ctrl-events | Router# debug ssg ctrl-events | Displays all event messages for control modules, including autologoff events. |
| Step 3 | debug ssg ctrl-packets | Router# debug ssg ctrl-packets | Displays packet contents handled by control modules. |
| Step 4 | debug ssg data | Router# debug ssg data | Displays all data-path packets. |
| Step 5 | debug ssg dhcp {error \| event} [ip-address] | Router# debug ssg dhcp error | Displays control errors and events related to Service Selection Gateway (SSG) Dynamic Host Configuration Protocol (DHCP) awareness. |
Configuration Examples for Configuring SSG to Log Off Subscribers
This section provides the following configuration examples:
• SSG Autologoff Using ARP Ping: Example
• SSG Autologoff Using ICMP Ping: Example
• SSG MAC Address Checking for Autologoff: Example
• SSG Autologoff Using SSG/DHCP Awareness: Example
SSG Autologoff Using ARP Ping: Example
The following example shows how to enable SSG autologoff. SSG will use ARP ping to detect connectivity to hosts.
ssg auto-logoff arp interval 60
SSG Autologoff Using ICMP Ping: Example
The following example shows how to enable SSG autologoff. SSG will use ICMP ping to detect connectivity to hosts.
ssg auto-logoff icmp interval 60 timeout 300 packets 3
SSG MAC Address Checking for Autologoff: Example
The following example shows how to enable SSG MAC address checking for autologoff:
ssg auto-logoff arp match-mac-address
The following example shows how to enable SSG MAC address checking for autologoff and to specify an ARP ping interval of 60 seconds:
ssg auto-logoff arp match-mac-address interval 60
SSG Autologoff Using SSG/DHCP Awareness: Example
The following example shows how to enable SSG autologoff using SSG/DHCP awareness:
Additional References
The following sections provide references related to disconnecting SSG subscribers and services.
Related Documents
| Related Topic | Document Title |
|---|---|
| Configuring SESM | Cisco Subscriber Edge Services Manager documentation |
| RADIUS commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS Security Command Reference |
| RADIUS configuration tasks | "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide |
| SSG commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS Service Selection Gateway Command Reference |
RFCs
| RFCs | Title |
|---|---|
| RFC 2865 | Remote Authentication Dial In User Service (RADIUS) |
Technical Assistance
| Description | Link |
|---|---|
| The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. | http://www.cisco.com/techsupport |
Feature Information for Configuring SSG to Log Off Subscribers
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(15)B or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the Service Selection Gateway Features Roadmap.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
© 2005-2009 Cisco Systems, Inc. All rights reserved.