Cisco Transport Manager Release 9.2 Basic External Authentication
OL-21046-01
A session is created after a successful user login. Once created, a user session persists until it is terminated.
User-side session persistence is accomplished by saving the session specification that the policy server issues at the time of authentication. The session specification represents a user session and is the key to SiteMinder session management. The CTM server environment in which the user session was created is responsible for persistent storage of the session specification.
SiteMinder’s universal ID integrates seamlessly with the sessioning mechanism. A universal ID identifies the user to an application in a SiteMinder environment using a unique identifier, such as a Social Security number or customer account number. The universal ID facilitates identification of users between old and new applications by delivering the user’s identification automatically, regardless of the application. Once configured on the policy server, a user’s universal ID is part of the session specification and is made available to agents for the duration of the entire session.
The CTM agent uses the Login() API to create sessions. This API authenticates the CTM user credentials and returns the session specification and unique session ID. Once created, the session specification is updated on subsequent agent API calls.
CTM agents use the API information to manage custom sessions and track timeouts. By default, this timeout is 15 seconds: if the policy server does not trust the user within 15 seconds, the login process fails.
When the CTM server receives an authentication message from the client, it processes the message and invokes the Login() API, passing the global connection reference and the username and password that the user provided.
At the end of this process, SiteMinder returns a response for the user session that either trusts or denies the user. The server must store this response so that all subsequent requests are made for the correct user instance. The CTM agent calls the Login() API to validate the session specification and verify that the session has not been terminated or revoked; this validation can occur at any time during the session lifecycle. The CTM agent does not check for session expiration, because CTM implements an authentication-only feature and provides its own expiration mechanism.
CTM User Logout
A CTM user session is terminated:
• After a user logs out and the agent discards the session specification
• When the session expires
• When the session is revoked
After a session is terminated, the user must log in again to establish a new session. CTM terminates a session if a user is disabled after the session begins. CTM calls the SiteMinder Login() API to validate the session and determine whether the user is enabled. To terminate a session, the agent must discard the session specification.
When the CTM server shuts down, the connection to the SiteMinder policy server is closed, and the policy server is notified through an API method.
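The session lifecycle described in the two sections above, modelled as an added example (not Cisco or SiteMinder code): a mock policy server issues a session specification from Login(), the agent stores it server-side, re-validates it through the same call, discards it on logout, revocation, or a user disabled mid-session, and fails a login that the policy server does not answer within the 15-second default. The policy-server class, the list-based fake clock, the `SessionSpec` record and the sample accounts are all constructed for the example; the real SiteMinder agent API is not reproduced here.

```python
# Added example modelling the CTM/SiteMinder session lifecycle described above. Not Cisco
# or CA code: the policy server, the clock and the sample accounts are constructed stand-ins.
import secrets
from dataclasses import dataclass

LOGIN_TIMEOUT_SECONDS = 15  # document default: login fails if the user is not trusted in time


@dataclass
class SessionSpec:
    session_id: str
    username: str
    universal_id: str  # e.g. a customer account number, carried for the whole session
    revoked: bool = False


class MockPolicyServer:
    """Stand-in for the SiteMinder policy server (constructed for this example)."""
    def __init__(self, users, clock):
        # users: username -> {"password", "universal_id", "enabled"}; clock: one-element
        # list holding fake seconds, advanced by `latency` on every Login() round trip
        self._users, self._clock, self._issued, self.latency = users, clock, {}, 0.0

    def login(self, username=None, password=None, session_spec=None):
        """Login(): authenticate credentials or re-validate a spec; None means denied."""
        self._clock[0] += self.latency
        if session_spec is not None:
            known = self._issued.get(session_spec.session_id)
            if known is None or known.revoked or not self._users[known.username]["enabled"]:
                return None
            return known
        user = self._users.get(username)
        if user is None or not user["enabled"] or not secrets.compare_digest(user["password"], password):
            return None
        spec = SessionSpec(secrets.token_hex(16), username, user["universal_id"])
        self._issued[spec.session_id] = spec
        return spec

    def revoke(self, session_id):
        self._issued[session_id].revoked = True

    def disable_user(self, username):
        self._users[username]["enabled"] = False


class CtmAgent:
    """Server-side session handling as the document describes it."""
    def __init__(self, policy_server, clock, timeout=LOGIN_TIMEOUT_SECONDS):
        self._ps, self._clock, self._timeout = policy_server, clock, timeout
        self.sessions = {}  # persistent store of session specs, keyed by session ID

    def login(self, username, password):
        """Create a session; returns the session ID, or None when login fails."""
        started = self._clock()
        spec = self._ps.login(username=username, password=password)
        if spec is None or self._clock() - started > self._timeout:
            return None  # denied, or the policy server did not trust the user in time
        self.sessions[spec.session_id] = spec
        return spec.session_id

    def validate(self, session_id):
        """Re-validate through Login(); a denied session is terminated by discarding its spec."""
        spec = self.sessions.get(session_id)
        refreshed = self._ps.login(session_spec=spec) if spec else None
        if refreshed is None:
            self.logout(session_id)
            return False
        self.sessions[session_id] = refreshed  # the spec is updated on each agent API call
        return True

    def logout(self, session_id):
        self.sessions.pop(session_id, None)  # discarding the spec terminates the session


def run_scenarios():
    """Exercise each termination cause named in the document; returns named outcomes."""
    clock = [0.0]
    users = {  # constructed sample accounts
        "alice": {"password": "alice-pw", "universal_id": "ACCT-0001", "enabled": True},
        "bob": {"password": "bob-pw", "universal_id": "ACCT-0002", "enabled": True},
    }
    server = MockPolicyServer(users, clock)
    agent = CtmAgent(server, clock=lambda: clock[0])
    out = {}
    sid = agent.login("alice", "alice-pw")
    out["login_ok"] = sid is not None and agent.validate(sid)
    out["bad_password_denied"] = agent.login("alice", "wrong") is None
    server.disable_user("alice")  # user disabled after the session began
    out["disabled_user_terminated"] = not agent.validate(sid) and sid not in agent.sessions
    sid = agent.login("bob", "bob-pw")
    server.revoke(sid)
    out["revoked_terminated"] = not agent.validate(sid)
    sid = agent.login("bob", "bob-pw")
    agent.logout(sid)
    out["logout_terminated"] = not agent.validate(sid)
    server.latency = LOGIN_TIMEOUT_SECONDS + 1  # policy server too slow to trust the user
    out["slow_server_login_fails"] = agent.login("bob", "bob-pw") is None
    return out
```

Calling `run_scenarios()` returns one boolean per termination cause. Every cause ends the same way, with the agent dropping the stored specification, which is the single mechanism the document gives for ending a session; the agent never inspects a lifetime itself, matching the statement that CTM does not check for session expiration.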
Understanding the RADIUS Implementation
The CTM server operates as a RADIUS client that is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned.