ACS V3.1 Aironet Session Timeout

rapepe
Level 1

Does the new VSA RADIUS attribute for Aironet Session Timeout replace the standard IETF RADIUS Attribute 27 (Session-Timeout) that is still mentioned in all the White Papers / Application Notes for Configuring Wireless Security?

8 Replies

tepatel
Cisco Employee

No, it will not replace it. Let me know the syntax of the VSA you are using.

I have found a reference in the Vn3.1 User Guide, section 6-39 (page 199) that states that this VSA does replace the IETF Att 27 (for Cisco Aironet devices only of course). It actually says "The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a specialised implementation of the IETF RADIUS Session-Timeout attribute (27)."

Regards.
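To make the wire-level difference between the two attributes concrete, here is an added example (not code from the thread, from Cisco, or from ACS) that builds a RADIUS Access-Accept carrying a 10-minute (600-second) timeout once as IETF Session-Timeout (27) and once as a Vendor-Specific (26) attribute, then parses both and checks the Response Authenticator the way the AP would. The Cisco-Aironet vendor ID (5263) and the sub-attribute number (1) are assumptions from memory of the ACS dictionary; confirm them against your own RADIUS dictionary. The shared secret and request authenticator are constructed values, not a capture.

```python
"""RADIUS Access-Accept with IETF Session-Timeout (27) versus a vendor VSA (26).

Added illustration, not ACS or Aironet code. Vendor ID 5263 and sub-attribute 1
are assumptions for Cisco-Aironet-Session-Timeout: verify in your dictionary.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_SESSION_TIMEOUT = 27
CISCO_AIRONET_VENDOR_ID = 5263      # assumption: check your RADIUS dictionary
CISCO_AIRONET_SESSION_TIMEOUT = 1   # assumption: vendor sub-attribute number


def ietf_attr(attr_type, value):
    """Encode one IETF attribute as Type(1) Length(1) Value(Length-2)."""
    if len(value) > 253:
        raise ValueError("attribute value must fit in 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa_attr(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute (RFC 2865 5.26): Type=26, Length,
    Vendor-Id(4), then a Vendor-Type / Vendor-Length / value sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return ietf_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def integer(value):
    """RADIUS 'integer' values are 32-bit big-endian."""
    return struct.pack("!I", value)


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_authenticator, secret):
    """What the NAS (the AP) must do before acting on any attribute."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(payload):
    """Walk the attribute list; return (type, vendor_id, vendor_type, value) tuples.
    vendor_id and vendor_type are None for plain IETF attributes."""
    out, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        value = payload[pos + 2:pos + length]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short for Vendor-Id and sub-attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub, spos = value[4:], 0
            while spos < len(sub):            # a VSA may carry several sub-attributes
                if spos + 2 > len(sub):
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("bad VSA sub-attribute length")
                out.append((attr_type, vendor_id, vtype, sub[spos + 2:spos + vlen]))
                spos += vlen
        else:
            out.append((attr_type, None, None, value))
        pos += length
    return out


def session_timeouts(packet):
    """Return (ietf_27_seconds, aironet_vsa_seconds); None where absent."""
    ietf = aironet = None
    for attr_type, vendor_id, vtype, value in parse_attributes(packet[20:]):
        if attr_type == ATTR_SESSION_TIMEOUT:
            ietf = struct.unpack("!I", value)[0]
        elif vendor_id == CISCO_AIRONET_VENDOR_ID and vtype == CISCO_AIRONET_SESSION_TIMEOUT:
            aironet = struct.unpack("!I", value)[0]
    return ietf, aironet


# Constructed sample values, not a capture: the same 10-minute timeout either way.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"
ACCEPT_IETF = build_access_accept(7, REQUEST_AUTH, SECRET,
                                  ietf_attr(ATTR_SESSION_TIMEOUT, integer(600)))
ACCEPT_VSA = build_access_accept(8, REQUEST_AUTH, SECRET,
                                 vsa_attr(CISCO_AIRONET_VENDOR_ID,
                                          CISCO_AIRONET_SESSION_TIMEOUT, integer(600)))

if __name__ == "__main__":
    for name, pkt in (("IETF 27", ACCEPT_IETF), ("Aironet VSA", ACCEPT_VSA)):
        print(name, pkt.hex(), verify_response(pkt, REQUEST_AUTH, SECRET), session_timeouts(pkt))
```

The point the hex dumps make is that attribute 27 costs six bytes while the VSA costs twelve, and that an AP which only knows one of the two will silently ignore the other: a parser that does not recognise the vendor ID falls through and the timeout never takes effect. The Response Authenticator check is the only thing standing between the AP and an injected timeout value, and it rests entirely on the shared secret, so that secret deserves the same care as any other credential.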

Can you confirm that the re-issuing of session keys controlled by this timeout will still work if the client device has "roamed" and is now associated with a different AP? We are using LEAP with a 10-minute timeout, using Aironet 350 devices talking to ACS 3.1 for Windows.

I would be interested in the answer to the above. I am using PEAP on ACS 3.1. The RADIUS session timeout is set to 9 minutes. PEAP is authenticating to an external RADIUS server. Every 9 minutes, the user is requested to re-enter their authentication credentials. I thought PEAP supported session resume?

We are using PEAP on ACS 3.1 too. I also have found the same results. We set the Cisco-Aironet-Session-Timeout to a value of around 10 minutes or so, and set the PEAP Global Authentication timer to 2 hours. Irrespective of user activity the user is prompted to re-authenticate after two hours. If the user ignores the prompt, they can continue to access the network for a further 2 hours before being dropped.

I have also found no way of resuming the session without re-authenticating.

ABDUL, do you see the session resume every 10 minutes using the Aironet VSA?

I just checked a document from RSA when they tested PEAP and they have the Global PEAP session timeout set to 120 minutes.

Thanks

Graham

I have found the following information in a Cisco FAQ.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_qanda_item09186a008010018c.shtml

Q. How does silent session resume work during a PEAP session?

A. PEAP supports silent session resume (upon RADIUS session timeout) when only the first phase of PEAP is executed. In the second phase, the previous authentication state is reused. Hence, users will not be required to re-authenticate until the PEAP session timeout expires. The duration time of the PEAP session timeout is configurable from Cisco Secure ACS graphical user interface (GUI).

--

It appears that the PEAP timeout under Global Authentication is an absolute timeout and not part of the session resume feature within PEAP. From this I deduce that the RADIUS session-timeout is used to cause EAP phase 1 renegotiation.

It sounds like the Global PEAP timeout needs to be set to a maximum value that the client will be connected and the session-timeout is for phase 1, renegotiation (and new wep keys).

1) Is this assumption correct?

2) Does the global PEAP timeout support a session timeout of 0?

3) Why doesn't it work with the standard RADIUS Session-Timeout (27)?

I think you are right in your assumptions...

Given the following scenario....

1/ Global Authentication Timer = 300 minutes

2/ Cisco-Aironet-Session-Timeout = 10 minutes.

The user authenticates and has a max. of 300 mins access to the network. During this time, the WEP keys will be re-negotiated every 10 minutes.

If during the 300 minutes the user either roams to another AP or roams out of WLAN coverage for less than 120 minutes (non-configurable), the user can get back onto the network without full one time password (OTP) re-authentication as long as the off-line period does not exceed the 300 mins. global time.

Hope this helps...

This is definitely the case. It appears to work as described above.

However, I have the following issues when authenticating to the RSA RADIUS server.

1) When the token is in New PIN or Next Token mode, the dialogue to change the PIN or token is only available for 30 seconds. If the new credentials are not provided within 30 seconds, the user must re-authenticate.

This looks like a major timeout issue between the ACE server and EAP-PEAP.

Has anyone had success in using New PIN and Next Token with 60-second tokens?

If so, where do you specify the timeout for New PIN and Next Token support (there doesn't appear to be a configurable option...)?

Thanks
