Cisco Systems 3.3 Manual De Usuario
6-41
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 6 User Group Management
Configuration-specific User Group Settings
Step 3
If you want to use other Cisco IOS/PIX RADIUS attributes, select the
corresponding check box and specify the required values in the adjacent text box.
corresponding check box and specify the required values in the adjacent text box.
Step 4
To save the group settings you have just made, click Submit.
For more information, see
Step 5
To continue specifying other group settings, perform other procedures in this
chapter, as applicable.
chapter, as applicable.
Configuring Cisco Aironet RADIUS Settings for a User Group
The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a
virtual VSA. It is a specialized implementation of the IETF RADIUS
Session-Timeout attribute (27) that Cisco Secure ACS uses only when it responds
to a RADIUS request from a AAA client using RADIUS (Cisco Aironet). This
enables you to provide different timeout values for users accessing your network
through wireless and wired access devices. By specifying a timeout value
specifically for WLAN connections, you avoid the difficulties that would arise if
you had to use a standard timeout value (typically measured in hours) for a WLAN
connection (that is typically measured in minutes).
virtual VSA. It is a specialized implementation of the IETF RADIUS
Session-Timeout attribute (27) that Cisco Secure ACS uses only when it responds
to a RADIUS request from a AAA client using RADIUS (Cisco Aironet). This
enables you to provide different timeout values for users accessing your network
through wireless and wired access devices. By specifying a timeout value
specifically for WLAN connections, you avoid the difficulties that would arise if
you had to use a standard timeout value (typically measured in hours) for a WLAN
connection (that is typically measured in minutes).
Tip
Only enable and configure the Cisco-Aironet-Session-Timeout when some or all
members of a group may connect through wired or wireless access devices. If
members of a group always connect with a Cisco Aironet Access Point (AP) or
always connect only with a wired access device, you do not need to use
Cisco-Aironet-Session-Timeout but should instead configure RADIUS (IETF)
attribute 27, Session-Timeout.
members of a group may connect through wired or wireless access devices. If
members of a group always connect with a Cisco Aironet Access Point (AP) or
always connect only with a wired access device, you do not need to use
Cisco-Aironet-Session-Timeout but should instead configure RADIUS (IETF)
attribute 27, Session-Timeout.
Imagine a user group Cisco-Aironet-Session-Timeout set to 600 seconds (10
minutes) and that same user group IETF RADIUS Session-Timeout set to 3 hours.
When a member of this group connects through a VPN concentrator, Cisco Secure
ACS uses 3 hours as the timeout value. However, if that same user connects via a
Cisco Aironet AP, Cisco Secure ACS responds to an authentication request from
the Aironet AP by sending 600 seconds in the IETF RADIUS Session-Timeout
attribute. Thus, with the Cisco-Aironet-Session-Timeout attribute configured,
different session timeout values can be sent depending on whether the end-user
client is a wired access device or a Cisco Aironet AP.
minutes) and that same user group IETF RADIUS Session-Timeout set to 3 hours.
When a member of this group connects through a VPN concentrator, Cisco Secure
ACS uses 3 hours as the timeout value. However, if that same user connects via a
Cisco Aironet AP, Cisco Secure ACS responds to an authentication request from
the Aironet AP by sending 600 seconds in the IETF RADIUS Session-Timeout
attribute. Thus, with the Cisco-Aironet-Session-Timeout attribute configured,
different session timeout values can be sent depending on whether the end-user
client is a wired access device or a Cisco Aironet AP.