Does the new VSA Radius Attribute for Aironet Session Timeout replace the standard IETF Radius Attribute 27 (Session Timeout) that is still mentioned in all the White Paper / Application Notes for Configuring Wireless Security?
I have found a reference in the Vn3.1 User Guide, section 6-39 (page 199) that states that this VSA does replace the IETF Att 27 (for Cisco Aironet devices only of course). It actually says "The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a specialised implementation of the IETF RADIUS Session-Timeout attribute (27)."
Can you confirm that the re-issuing of Session Keys controlled by this timeout will still work if the client device has "roamed" and is now associated with a different AP? We are using LEAP with a 10-minute timeout, using Aironet 350 devices talking to ACS 3.1 for Windows.
I would be interested in the answer to the above. I am using PEAP on ACS 3.1. The RADIUS session timeout is set to 9 minutes. PEAP is authenticating to an external RADIUS server. Every 9 minutes, the user is requested to re-enter their authentication credentials. I thought PEAP supported session resume?
We are using PEAP on ACS 3.1 too. I also have found the same results. We set the Cisco-Aironet-Session-Timeout to a value of around 10 minutes or so, and set the PEAP Global Authentication timer to 2 hours. Irrespective of user activity the user is prompted to re-authenticate after two hours. If the user ignores the prompt, they can continue to access the network for a further 2 hours, before being dropped.
I have also found no way of resuming the session without re-authenticating.
Q. How does silent session resume work during a PEAP session?
A. PEAP supports silent session resume (upon RADIUS session timeout) when only the first phase of PEAP is executed. In the second phase, the previous authentication state is reused. Hence, users will not be required to re-authenticate until the PEAP session timeout expires. The duration time of the PEAP session timeout is configurable from Cisco Secure ACS graphical user interface (GUI).
It appears that the PEAP timeout under Global Authentication is an absolute timeout and not part of the session resume feature within PEAP. From this I deduce that the RADIUS session-timeout is used to cause EAP phase 1 renegotiation.
It sounds like the Global PEAP timeout needs to be set to a maximum value that the client will be connected and the session-timeout is for phase 1, renegotiation (and new wep keys).
1) Is this assumption correct?
2) Does the global PEAP timeout support a session timeout of 0?
3) Why doesn't it work with the standard RADIUS session-timeout (27)?
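As an added illustration of the distinction this thread keeps coming back to (this is example code, not from the thread or from Cisco), the block below encodes a session timeout both as the standard IETF attribute 27 and as a Cisco Vendor-Specific attribute (attribute 26 carrying IANA enterprise number 9) in the RFC 2865 wire format, then parses the result back out. The thread does not give the vendor-type number of Cisco-Aironet-Session-Timeout, so the value 1 used here is a placeholder assumption.

```python
import struct

IETF_SESSION_TIMEOUT = 27   # RFC 2865 attribute 27, value is a 4-byte big-endian integer (seconds)
VENDOR_SPECIFIC = 26        # RFC 2865 attribute 26, carries a vendor's own attributes
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
# Placeholder assumption: the real vendor-type of Cisco-Aironet-Session-Timeout is not
# given in the thread, so 1 is used purely for illustration.
AIRONET_SESSION_TIMEOUT_TYPE = 1


def ietf_attr(attr_type, value):
    """Encode one RFC 2865 attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_vsa(vendor_type, value):
    """Wrap a vendor attribute in attribute 26: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return ietf_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def session_timeout_attr(seconds, use_aironet_vsa):
    """Return the attribute bytes for a timeout, either as IETF 27 or as the Cisco VSA."""
    value = struct.pack("!I", seconds)
    if use_aironet_vsa:
        return cisco_vsa(AIRONET_SESSION_TIMEOUT_TYPE, value)
    return ietf_attr(IETF_SESSION_TIMEOUT, value)


def parse_attrs(data):
    """Walk an attribute list, descending into Cisco VSAs; returns [(label, value_bytes), ...]."""
    out = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")  # reject truncated or oversized TLVs
        v, data = data[2:length], data[length:]
        if t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor = struct.unpack("!I", v[:4])[0]
            vt, vl = struct.unpack("!BB", v[4:6])
            if vendor == CISCO_VENDOR_ID and vl == len(v) - 4:
                out.append(("Cisco-VSA-%d" % vt, v[6:]))
                continue
        out.append(("attr-%d" % t, v))
    return out


def session_timeouts(data):
    """Report which timeout attributes are present: {'ietf': secs, 'aironet_vsa': secs} (missing keys omitted)."""
    found = dict(parse_attrs(data))
    result = {}
    if "attr-%d" % IETF_SESSION_TIMEOUT in found:
        result["ietf"] = struct.unpack("!I", found["attr-%d" % IETF_SESSION_TIMEOUT])[0]
    if "Cisco-VSA-%d" % AIRONET_SESSION_TIMEOUT_TYPE in found:
        result["aironet_vsa"] = struct.unpack("!I", found["Cisco-VSA-%d" % AIRONET_SESSION_TIMEOUT_TYPE])[0]
    return result
```

Feeding an Access-Accept's attribute section to `session_timeouts` shows whether the server sent the IETF attribute, the VSA, or both, which is the first thing to check when a client's key rekey interval does not match what was configured.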
The user authenticates and has a max. of 300 mins access to the network. During this time, the WEP keys will be re-negotiated every 10 minutes.
If during the 300 minutes the user either roams to another AP or roams out of WLAN coverage for less than 120 minutes (non-configurable), the user can get back onto the network without full one time password (OTP) re-authentication as long as the off-line period does not exceed the 300 mins. global time.
This is definitely the case. It appears to work as the above.
However, I have the following issues when authenticating to the RSA RADIUS server though.
1) When the token is in New PIN or Next Token mode, the dialogue to change the PIN or Token is only available for 30 seconds. If the new credentials are not provided within 30 seconds the user must re-authenticate.
This looks like a major timeout issue between the ACE server and EAP-PEAP.
Has anyone had success in using New PIN and Next Token with 60 second tokens?
If so, where do you specify the timeout for New PIN and Next Token support (there doesn't appear to be a configurable option...)