Cisco Systems 3.3 Manual De Usuario
7-41
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 7 User Management
Advanced User Authentication Settings
Setting Cisco Aironet RADIUS Parameters for a User
The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a
virtual VSA. It acts as a specialized implementation (that is, a remapping) of the
IETF RADIUS Session-Timeout attribute (27) to respond to a request from a
Cisco Aironet Access Point. You use it to provide a different timeout values when
a user must be able to connect via both wireless and wired devices. This capability
to provide a second timeout value specifically for WLAN connections avoids the
difficulties that would arise if you had to use a standard timeout value (typically
measured in hours) for a WLAN connection (that is typically measured in
minutes). You do not need to use Cisco-Aironet-Session-Timeout if the particular
user will always connect only with a Cisco Aironet Access Point. Rather, use this
setting when a user may connect via wired or wireless clients.
virtual VSA. It acts as a specialized implementation (that is, a remapping) of the
IETF RADIUS Session-Timeout attribute (27) to respond to a request from a
Cisco Aironet Access Point. You use it to provide a different timeout values when
a user must be able to connect via both wireless and wired devices. This capability
to provide a second timeout value specifically for WLAN connections avoids the
difficulties that would arise if you had to use a standard timeout value (typically
measured in hours) for a WLAN connection (that is typically measured in
minutes). You do not need to use Cisco-Aironet-Session-Timeout if the particular
user will always connect only with a Cisco Aironet Access Point. Rather, use this
setting when a user may connect via wired or wireless clients.
For example, imagine a user’s Cisco-Aironet-Session-Timeout set to 600 seconds
(10 minutes) and that same user’s IETF RADIUS Session-Timeout set to 3 hours.
When the user connects via a VPN, Cisco Secure ACS uses 3 hours as the timeout
value. However, if that same user connects via a Cisco Aironet Access Point,
Cisco Secure ACS responds to an authentication request from the Aironet AP by
sending 600 seconds in the IETF RADIUS Session-Timeout attribute. Thus, with
the Cisco-Aironet-Session-Timeout attribute configured, different session
timeout values can be sent depending on whether the end-user client is a wired
device or a Cisco Aironet Access Point.
(10 minutes) and that same user’s IETF RADIUS Session-Timeout set to 3 hours.
When the user connects via a VPN, Cisco Secure ACS uses 3 hours as the timeout
value. However, if that same user connects via a Cisco Aironet Access Point,
Cisco Secure ACS responds to an authentication request from the Aironet AP by
sending 600 seconds in the IETF RADIUS Session-Timeout attribute. Thus, with
the Cisco-Aironet-Session-Timeout attribute configured, different session
timeout values can be sent depending on whether the end-user client is a wired
device or a Cisco Aironet Access Point.
The Cisco Aironet RADIUS parameters appear on the User Setup page only if all
the following are true:
the following are true:
•
A AAA client is configured to use RADIUS (Cisco Aironet) in Network
Configuration.
Configuration.
•
The Per-user TACACS+/RADIUS Attributes check box is selected under
Advanced Options in the Interface Configuration section.
Advanced Options in the Interface Configuration section.
•
User-level RADIUS (Cisco Aironet) attribute is enabled under RADIUS
(Cisco Aironet) in the Interface Configuration section.
(Cisco Aironet) in the Interface Configuration section.
Note
To hide or display the Cisco Aironet RADIUS VSA, see
. A VSA
applied as an authorization to a particular user persists, even when you remove or
replace the associated AAA client; however, if you have no AAA clients of this
(vendor) type configured, the VSA settings do not appear in the user configuration
interface.
replace the associated AAA client; however, if you have no AAA clients of this
(vendor) type configured, the VSA settings do not appear in the user configuration
interface.