Cisco IOS Software Release 12.3(4)T
SSG EAP Transparency
Information About SSG EAP Transparency
Cisco IOS Releases 12.2(16)B and 12.3(4)T
EAP Transparency
The SSG EAP Transparency feature allows SSG on a Cisco router to act as a RADIUS proxy during EAP
authentication. SSG creates the host after successful EAP authentication, so the user does not have to
log in through the web portal. Instead, the user is automatically logged in.
The AP does the authentication for the client. SSG looks like an AAA server, which proxies relevant
packets to the real AAA server. To create a host automatically, SSG has to know that the authentication
was successful. By proxying messages, it obtains this information. The IP address is not assigned until
authentication is complete, so SSG creates an inactive host and uses the MAC address as an identifier.
To get the IP address, it waits for a DHCP Accounting Start from the AZR, so the AZR must be
configured as an SSG RADIUS proxy client.
Prevention of IP Address Reuse
When the AZR reboots, it sends Accounting On/Off packets. SSG receives these packets and, even
though EAP users may be connected, it moves hosts to the inactive state and starts an inactive-period
timer. During the DHCP renewal, the AZR performs an ARP lock and sends an Accounting Start packet
to SSG. After receiving an Accounting Start packet, SSG activates the corresponding hosts using the
MAC address as the identity. If the inactive-period timer expires, SSG removes all of the inactive hosts.
This functionality prevents the use of previously valid IP addresses after an AZR reboot. It closes a
security hole that could allow an illegal user to hijack the session of a valid user through the IP address,
and at the same time it removes the inconvenience of reauthentication for the user. In order to prevent
the reuse of IP addresses, clients must be configured with a short DHCP lease interval. If users are not
configured with a short lease interval, they will have to reauthenticate whenever the AZR reboots.
User Reconnect
The SSG EAP transparency implementation allows EAP users to access the SESM, perform an account
logoff, and access the SESM again later without having to log on. Without the user reconnect
functionality, EAP users that attempt to reconnect to SESM after having logged off are presented with
the SESM logon page. Because the initial authentication is performed by the EAP mechanism, EAP users
do not know their credentials (username and password information) for SESM login, so they are unable
to access SESM services again.
The following steps describe the SSG EAP transparency user reconnect process:
1. The user connects to SSG via an EAP mechanism, and SSG creates the host (as explained in the
section).
2. The user accesses the SESM. The SESM queries SSG about the user, and SSG provides the SESM
with the user profile information. The SESM displays the service logon page for the user to select
services.
3. When the EAP user logs off the SESM, SSG does not remove the host (as it does for other types of
users), but rather inactivates the host.
4. The user attempts to access the SESM again to use a service. The SESM queries SSG. SSG activates
the host and enables autologon services.
SSG deletes an active or inactive host when it receives an Accounting Stop packet from the AZR.
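The host lifecycle described in the EAP Transparency, Prevention of IP Address Reuse and User Reconnect sections above (EAP success, DHCP Accounting Start, Accounting On/Off with the inactive-period timer, SESM logoff and reconnect, Accounting Stop), modelled as an added Python example. This is not Cisco's code or an IOS configuration; the inactive_period value, MAC addresses and IP addresses are constructed for illustration.

```python
INACTIVE, ACTIVE = "inactive", "active"

class SSGHostTable:
    """Model of the SSG host table: hosts are keyed by client MAC, the IP is learned later."""

    def __init__(self, inactive_period=60):
        self.hosts = {}                 # mac -> {"state": ..., "ip": ...}
        self.inactive_period = inactive_period   # assumed timer length, seconds
        self.timer_deadline = None      # armed by Accounting On/Off from the AZR
    def eap_success(self, mac):
        # Proxied EAP authentication succeeded; no IP yet, so the host starts inactive.
        self.hosts[mac] = {"state": INACTIVE, "ip": None}
    def accounting_start(self, mac, ip):
        # DHCP Accounting Start from the AZR supplies the IP and activates the host.
        host = self.hosts.get(mac)
        if host is None:
            return False                # this MAC never passed EAP: nothing to activate
        host.update(state=ACTIVE, ip=ip)
        return True
    def accounting_on_off(self, now):
        # AZR reboot: every host becomes inactive and the inactive-period timer starts.
        for host in self.hosts.values():
            host["state"] = INACTIVE
        self.timer_deadline = now + self.inactive_period
    def tick(self, now):
        # Timer expiry removes every host that no Accounting Start reactivated.
        if self.timer_deadline is not None and now >= self.timer_deadline:
            self.hosts = {m: h for m, h in self.hosts.items() if h["state"] == ACTIVE}
            self.timer_deadline = None
    def sesm_logoff(self, mac):
        # EAP users are inactivated on SESM logoff, not removed (user reconnect).
        self.hosts[mac]["state"] = INACTIVE
    def sesm_access(self, mac):
        # Returning EAP user: reactivate the host instead of showing the logon page.
        if mac in self.hosts:
            self.hosts[mac]["state"] = ACTIVE
        return mac in self.hosts
    def accounting_stop(self, mac):
        # Accounting Stop from the AZR deletes the host, active or inactive.
        self.hosts.pop(mac, None)
    def session_owner(self, ip):
        # Only an active host owns an IP; a stale or unknown IP maps to no session.
        return next((m for m, h in self.hosts.items()
                     if h["ip"] == ip and h["state"] == ACTIVE), None)
```

session_owner is the check a forwarding decision would consult: after an AZR reboot it answers None for an old IP until the original MAC has renewed through an Accounting Start, and a different MAC presenting that IP is never activated because it has no EAP-created host.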
The SSG EAP transparency user reconnect functionality can be enabled or disabled using the
command-line interface, as described in the