Cisco Cisco NAC Appliance 4.1.0
9-15
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 9 User Management: Traffic Control, Bandwidth, Schedule
Configure User Session and Heartbeat Timeouts
Configure User Session and Heartbeat Timeouts
Timeout properties enhance the security of your network by ensuring that user sessions are terminated
after a configurable period of time. The are three main mechanisms for automated user timeout:
after a configurable period of time. The are three main mechanisms for automated user timeout:
•
•
•
Certified Device Timer (see
This section describes the Session and Heartbeat Timers.
Session Timer
The Session Timer is an absolute timer that is specific to the user role. If a Session Timer is set for a role,
a session for a user belonging to that role can only last as long as the Session Timer setting. For example,
if user A logs in at 1:00pm and user B logs in at 1:30pm, and if both belong to role Test with Session
Timer set for 2 hours, user A will be logged out at 3:00pm and user B will be logged out at 3:30pm. With
session timeouts, the user is dropped regardless of connection status or activity.
a session for a user belonging to that role can only last as long as the Session Timer setting. For example,
if user A logs in at 1:00pm and user B logs in at 1:30pm, and if both belong to role Test with Session
Timer set for 2 hours, user A will be logged out at 3:00pm and user B will be logged out at 3:30pm. With
session timeouts, the user is dropped regardless of connection status or activity.
Heartbeat Timer
The Heartbeat Timer sets the number of minutes after which a user is logged off the network if
unresponsive to ARP queries from the Clean Access Server. This feature enables the CAS to detect and
disconnect users who have left the network (e.g. by shutting down or suspending the machine) without
actually logging off the network. Note that the Heartbeat Timer applies to all users, whether locally or
externally authenticated.
unresponsive to ARP queries from the Clean Access Server. This feature enables the CAS to detect and
disconnect users who have left the network (e.g. by shutting down or suspending the machine) without
actually logging off the network. Note that the Heartbeat Timer applies to all users, whether locally or
externally authenticated.
The connection check is performed via ARP query rather than by pinging. This allows the heartbeat
check to function even if ICMP traffic is blocked. The CAS maintains an ARP table for its untrusted side
which houses all the machines it has seen or queried for on the untrusted side. ARP entries for machines
are timed out through normal ARP cache timeout if no packets are seen from the particular machine. If
packets are seen, their entry is marked as fresh. When a machine no longer has a fully resolved entry in
the CAS’s ARP cache and when it does not respond to ARPing for the length of the Heartbeat Timer
setting, the machine is deemed not to be on the network and its session is terminated.
check to function even if ICMP traffic is blocked. The CAS maintains an ARP table for its untrusted side
which houses all the machines it has seen or queried for on the untrusted side. ARP entries for machines
are timed out through normal ARP cache timeout if no packets are seen from the particular machine. If
packets are seen, their entry is marked as fresh. When a machine no longer has a fully resolved entry in
the CAS’s ARP cache and when it does not respond to ARPing for the length of the Heartbeat Timer
setting, the machine is deemed not to be on the network and its session is terminated.
In-Band (L2) Sessions
For in-band configurations, a user session is based on the client MAC and IP address and persists until
one of the following occurs:
one of the following occurs:
•
The user logs out of the network through either the web user logout page or the Clean Access Agent
logout option.
logout option.
•
An administrator manually removes the user from the network.
•
The session times out, as configured in the Session Timer for the user role.
•
The CAS determines that the user is no longer connected using the Heartbeat Timer and the CAM
terminates the session.
terminates the session.
•
The Certified Device list is cleared (automatically or manually) and the user is removed from the
network.
network.