Cisco 3.3 User Manual

Page 231

Advertising
background image

6-41

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 6 User Group Management

Configuration-specific User Group Settings

Step 3

If you want to use other Cisco IOS/PIX RADIUS attributes, select the
corresponding check box and specify the required values in the adjacent text box.

Step 4

To save the group settings you have just made, click Submit.

For more information, see

Saving Changes to User Group Settings, page 6-56

.

Step 5

To continue specifying other group settings, perform other procedures in this
chapter, as applicable.

Configuring Cisco Aironet RADIUS Settings for a User Group

The single Cisco Aironet RADIUS VSA, Cisco-Aironet-Session-Timeout, is a
virtual VSA. It is a specialized implementation of the IETF RADIUS
Session-Timeout attribute (27) that Cisco Secure ACS uses only when it responds
to a RADIUS request from a AAA client using RADIUS (Cisco Aironet). This
enables you to provide different timeout values for users accessing your network
through wireless and wired access devices. By specifying a timeout value
specifically for WLAN connections, you avoid the difficulties that would arise if
you had to use a standard timeout value (typically measured in hours) for a WLAN
connection (that is typically measured in minutes).

Tip

Only enable and configure the Cisco-Aironet-Session-Timeout when some or all
members of a group may connect through wired or wireless access devices. If
members of a group always connect with a Cisco Aironet Access Point (AP) or
always connect only with a wired access device, you do not need to use
Cisco-Aironet-Session-Timeout but should instead configure RADIUS (IETF)
attribute 27, Session-Timeout.

Imagine a user group Cisco-Aironet-Session-Timeout set to 600 seconds (10
minutes) and that same user group IETF RADIUS Session-Timeout set to 3 hours.
When a member of this group connects through a VPN concentrator, Cisco Secure
ACS uses 3 hours as the timeout value. However, if that same user connects via a
Cisco Aironet AP, Cisco Secure ACS responds to an authentication request from
the Aironet AP by sending 600 seconds in the IETF RADIUS Session-Timeout
attribute. Thus, with the Cisco-Aironet-Session-Timeout attribute configured,
different session timeout values can be sent depending on whether the end-user
client is a wired access device or a Cisco Aironet AP.

Advertising