Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS V3.1 Aironet Session Timeout

Does the new VSA Radius Attribute for Aironet Session Timeout replace the standard IETF Radius Attribute 27 (Session Timeout) that is still mentioned in all the White Paper / Application Notes for Configuring Wireless Security ??

8 REPLIES
Cisco Employee

Re: ACS V3.1 Aironet Session Timeout

No..it will not replace..Let me know the syntex of VSA you are using.

New Member

Re: ACS V3.1 Aironet Session Timeout

I have found a reference in the Vn3.1 User Guide, section 6-39 (page 199) that states that this VSA does replace the IETF Att 27 (for Cisco Aironet devices only of course). It actually says "The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a specialised implementation of the IETF RADIUS Session-Timeout attribute (27)."

Regards.

Can you confirm that the re-issuing of Session Keys controlled by this timeout will still work if the client device has "roamed" and is now associated with a different AP ?? We are using LEAP with a 10-minute timeout, using Aironet 350 devices talking to ACS 3.1 for WIndows.

New Member

Re: ACS V3.1 Aironet Session Timeout

I would be interested in the answer to the above. I am using PEAP on ACS 3.1. The RADIUS session timeout is set to 9 minutes. PEAP is authenticating to an external radius server. Every 9 minutes, the user is requested to re-enter there authentication credentials. I thought PEAP supported session resume?

New Member

Re: ACS V3.1 Aironet Session Timeout

We are using PEAP on ACS 3.1 too. I also have found the same results. We set the Cisco-Aironet-Session timeout to avalue of around 10 minutes or so, and set the PEAP Global Authentication timer to 2 hours. Irrespective of user activity the user is promted to re-authenticate afer two hours. If the user ignores the prompt, they can continue to access the network for a further 2 hours, before being dropped.

I have also found no way of resuming the session without re-authenticating.

New Member

Re: ACS V3.1 Aironet Session Timeout

ABDUL, do you see the session resume every 10 minutes using the Aironet VSA?

I just checked a document from RSA when they tested PEAP and they have the Global PEAP session timeout set to 120 minutes.

Thanks

Graham

New Member

Re: ACS V3.1 Aironet Session Timeout

I have found the following information is a Cisco FAQ.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_qanda_item09186a008010018c.shtml

Q. How does silent session resume work during a PEAP session?

A. PEAP supports silent session resume (upon RADIUS session timeout) when only the first phase of PEAP is executed. In the second phase, the previous authentication state is reused. Hence, users will not be required to re-authenticate until the PEAP session timeout expires. The duration time of the PEAP session timeout is configurable from Cisco Secure ACS graphical user interface (GUI).

--

It appears that the PEAP timeout under Global Authentication is an absolute timeout and not part of the session resume feature within PEAP. From this I deduce that the RADIUS session-timeout is used to cause EAP phase 1 renegotiation.

It sounds like the Global PEAP timeout needs to be set to a maximum value that the client will be connected and the session-timeout is for phase 1, renegotiation (and new wep keys).

1) Is this assumption correct ?

2) Does the global PEAP support a session timeout of 0

3) Why doesn't it work with the standard RADIUS session-timeout (27)

New Member

Re: ACS V3.1 Aironet Session Timeout

I think you are right in your assumptions...

Given the following scenario....

1/ Global Authentication Timer = 300 minutes

2/ Cisco-Aironet-Session-Timeout = 10 minutes.

The user authenticates and has a max. of 300 mins access to the network. During this time, the WEP keys will be re-negotiated every 10 minutes.

If during the 300 minutes the user either roams to another AP or roams out of WLAN coverage for less than 120 minutes (non-configurable), the user can get back onto the network without full one time password (OTP) re-authentication as long as the off-line period does not exceed the 300 mins. global time.

Hope this helps...

New Member

Re: ACS V3.1 Aironet Session Timeout

This is definately the case. It appears to work as the above.

However,I have the following issues when authenticating to the RSA RADIUS server though.

1) When the token is in New Pin or Next token mode. The dialogue to change the PIN or Token is only available for 30 seconds. If the new credentials are not provided within 30 seconds the user must re-authenticate..

This looks like a major timeout issue between the ACE server and EAP-PEAP.

Has anyone had success in using New PIn and NExt Token with 60 second tokens?

If so where do you specify the timeout for New PIN and Next Token support (there doesn't appear to be a configurable option.......)

Thanks

303
Views
0
Helpful
8
Replies
CreatePlease to create content