Specifications

8-15
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule
Note If bandwidth management is enabled, devices allowed via device filter without specifying a role will use
the bandwidth of the Unauthenticated Role. See Global Device and Subnet Filtering, page 2-10 for
details.
Configure User Session and Heartbeat Timeouts
Timeout properties enhance the security of your network by ensuring that user sessions are terminated
after a configurable period of time. There are three main mechanisms for automated user timeout:
Session Timer
Heartbeat Timer
Certified Device Timer (see Configure Certified Device Timer, page 11-14)
This section describes the Session and Heartbeat Timers.
Session Timer
The Session Timer is an absolute timer that is specific to the user role. If a Session Timer is set for a role,
a session for a user belonging to that role lasts no longer than the Session Timer setting plus a built-in
5-minute value that the system adds to the configured timeout for that role. In other words, a user session
is cleared at the end of (configured session timeout + 5 minutes), measured from login. For example, if user A
logs in at 1:00pm and user B logs in at 1:30pm, and both belong to role Test with the Session Timer set to
115 minutes, each session lasts 115 + 5 = 120 minutes: user A is logged out at 3:00pm and user B at 3:30pm.
When the session times out, the user is dropped regardless of connection status or activity.
Note If you have configured a RADIUS server, the RADIUS Session Timeout for user login is automatically
enabled. The Timeout duration therefore occurs on a per user basis, depending on the user profile
configured on the RADIUS server. Refer to RADIUS, page 7-6 for information on enabling RADIUS
server authentication in Cisco NAC Appliance.
Heartbeat Timer
The Heartbeat Timer sets the number of minutes after which a user is logged off the network if
unresponsive to ARP queries from the Clean Access Server. This feature enables the CAS to detect and
disconnect users who have left the network (e.g. by shutting down or suspending the machine) without
actually logging off the network. Note that the Heartbeat Timer applies to all users, whether locally or
externally authenticated.
The connection check is performed via ARP query rather than by pinging. This allows the heartbeat
check to function even if ICMP traffic is blocked. The CAS maintains an ARP table for its untrusted side
which houses all the machines it has seen or queried for on the untrusted side. ARP entries for machines
are timed out through normal ARP cache timeout if no packets are seen from the particular machine. If
packets are seen, their entry is marked as fresh. When a machine no longer has a fully resolved entry in
the CAS’s ARP cache and when it does not respond to ARPing for the length of the Heartbeat Timer
setting, the machine is deemed not to be on the network and its session is terminated.
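The following simulation is an added illustration of the two timers described in this section; it is not Cisco code and does not model the actual CAS implementation. It reproduces the Session Timer example above (115-minute timer plus the built-in 5 minutes for users A and B) and adds a third, constructed user C who suspends the machine and is dropped by the Heartbeat Timer. The ARP cache lifetime (ARP_CACHE_TIMEOUT), the one-minute check interval, the IP addresses and the traffic pattern are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

# Built-in value the CAM adds to every configured Session Timer (stated in the guide).
BUILT_IN_GRACE = timedelta(minutes=5)
# Assumed ARP cache lifetime on the CAS untrusted side; a constructed value for this example.
ARP_CACHE_TIMEOUT = timedelta(minutes=2)


@dataclass
class Role:
    name: str
    session_timer_min: Optional[int]  # None: no Session Timer configured for the role


@dataclass
class Session:
    user: str
    ip: str
    role: Role
    login: datetime
    last_seen: datetime                           # last packet (or ARP reply) seen from the host
    unanswered_since: Optional[datetime] = None   # first unanswered ARP probe; None while resolved
    ended: Optional[Tuple[datetime, str]] = None  # (time, reason) once the session is dropped

    def session_deadline(self) -> Optional[datetime]:
        """Absolute logout time: configured Session Timer plus the built-in 5 minutes."""
        if self.role.session_timer_min is None:
            return None
        return self.login + timedelta(minutes=self.role.session_timer_min) + BUILT_IN_GRACE


class CleanAccessServer:
    """Toy model of the CAS timeout checks. The Heartbeat Timer is global, not per role."""

    def __init__(self, heartbeat_min: int):
        self.heartbeat = timedelta(minutes=heartbeat_min)
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, ip: str, role: Role, at: datetime) -> None:
        self.sessions[ip] = Session(user, ip, role, at, at)

    def packet_seen(self, ip: str, at: datetime) -> None:
        """Any frame from the host marks its ARP entry fresh and clears a pending heartbeat."""
        s = self.sessions.get(ip)
        if s is not None and s.ended is None:
            s.last_seen = at
            s.unanswered_since = None

    def tick(self, now: datetime, arp_responders: Set[str]) -> None:
        """Run both timeout checks at `now`; arp_responders are hosts answering an ARP probe."""
        for s in self.sessions.values():
            if s.ended is not None:
                continue
            # 1. Session Timer: absolute, the user is dropped regardless of activity.
            deadline = s.session_deadline()
            if deadline is not None and now >= deadline:
                s.ended = (now, "session timer")
                continue
            # 2. Heartbeat Timer: only consulted once the ARP cache entry has aged out.
            if now - s.last_seen < ARP_CACHE_TIMEOUT:
                continue                      # entry still resolved, no probe needed
            if s.ip in arp_responders:
                s.last_seen = now             # an ARP reply refreshes the entry
                s.unanswered_since = None
                continue
            if s.unanswered_since is None:
                s.unanswered_since = now      # start counting the silent period
            elif now - s.unanswered_since >= self.heartbeat:
                s.ended = (now, "heartbeat timer")


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Constructed scenario: A and B from the guide's example, C suspends at 1:20pm."""
    t0 = datetime(2024, 1, 1, 13, 0)            # 1:00pm
    test_role = Role("Test", session_timer_min=115)
    cas = CleanAccessServer(heartbeat_min=10)   # assumed global Heartbeat Timer of 10 minutes
    cas.login("A", "10.0.1.10", test_role, t0)
    cas.login("C", "10.0.1.12", Role("NoLimit", None), t0)
    for minute in range(0, 181):                # one check per minute until 4:00pm
        now = t0 + timedelta(minutes=minute)
        if minute == 30:
            cas.login("B", "10.0.1.11", test_role, now)   # user B logs in at 1:30pm
        cas.packet_seen("10.0.1.10", now)       # A keeps sending traffic
        if minute >= 30:
            cas.packet_seen("10.0.1.11", now)   # B keeps sending traffic
        if minute <= 20:
            cas.packet_seen("10.0.1.12", now)   # C goes silent after 1:20pm (suspended)
        cas.tick(now, arp_responders={"10.0.1.10", "10.0.1.11"})  # C never answers ARP
    return {s.user: (s.ended[0].strftime("%H:%M"), s.ended[1]) for s in cas.sessions.values()}


if __name__ == "__main__":
    for user, (when, why) in run_scenario().items():
        print(f"user {user}: logged off at {when} ({why})")
```

In the run, A and B are dropped at 15:00 and 15:30 by the Session Timer even though they were still sending traffic, while C is dropped at 13:32: its ARP entry aged out two minutes after the last packet, and the ten-minute Heartbeat Timer then ran from the first unanswered probe. Tuning ARP_CACHE_TIMEOUT or the heartbeat value changes only C's logout time, which is the point of keeping the two mechanisms independent.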