Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule
Configure User Session and Heartbeat Timeouts
In-Band (L2) Sessions
For In-Band configurations, a user session is based on the client MAC and IP address and persists until
one of the following occurs:
• The user logs out of the network through either the web user logout page or the Agent logout option.
• An administrator manually removes the user from the network.
• The session times out, as configured in the Session Timer for the user role.
• The CAS determines that the user is no longer connected using the Heartbeat Timer and the CAM
terminates the session.
• The Certified Device list is cleared (automatically or manually) and the user is removed from the
network.
OOB (L2) and Multihop (L3) Sessions
The Session Timer works the same way for multi-hop L3 In-Band deployments as for L2 (In-Band or
Out-of-Band) deployments.
For L3 deployments, user sessions are based on a unique IP address rather than a MAC address.
The Heartbeat Timer does not function in L3 deployments, and does not apply to OOB users. However,
note that the Heartbeat Timer will work if the CAS is the first hop behind the VPN concentrator. This is
because the VPN concentrator responds to the ARP queries for the IP addresses of its current tunnel
clients.
Note: When the Single Sign-On (SSO) feature is configured for multi-hop L3 VPN concentrator integration,
if the user’s session on the CAS times out but the user is still logged in on the VPN concentrator, the user
will be able to log back into the CAS without providing a username/password, due to SSO.
Session Timer / Heartbeat Timer Interaction
• If the Session Timer is zero and the Heartbeat Timer is not set—the user is not dropped from the
Online Users list and will not be required to re-logon.
• If the Session Timer is zero and the Heartbeat Timer is set—the Heartbeat Timer takes effect.
• If the Session Timer is non-zero and the Heartbeat Timer is not set—the Session Timer takes effect.
• If both timers are set, whichever timer is reached first takes effect.
• If the user logs out and shuts down the machine, the user will be dropped from the Online Users list
and will be required to re-logon.
• If the DHCP lease is much longer than the session timeout, DHCP leases will not be reused
efficiently.
For additional details, see Interpreting Active Users, page 11-29.
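The timer interaction rules above, combined with the deployment limits on the Heartbeat Timer, as an added example (not from the Cisco guide and not a Cisco API): a Python audit over constructed role settings that flags roles whose sessions no timer will end. The RoleTimers fields, the deployment labels, the use of 0 for "not set" and minutes as the unit are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical deployment labels for this example.
L2_INBAND, L2_OOB, L3_MULTIHOP = "l2-inband", "l2-oob", "l3-multihop"

@dataclass
class RoleTimers:
    role: str
    deployment: str
    session_timer: int      # 0 = zero / not set (assumed unit: minutes)
    heartbeat_timer: int    # 0 = not set (assumed unit: minutes)
    cas_first_hop_behind_vpn: bool = False

def heartbeat_effective(r: RoleTimers) -> bool:
    """Heartbeat works in L2 In-Band; in L3 only when the CAS is the
    first hop behind the VPN concentrator; never for OOB users."""
    if r.heartbeat_timer == 0:
        return False
    if r.deployment == L2_INBAND:
        return True
    if r.deployment == L3_MULTIHOP:
        return r.cas_first_hop_behind_vpn
    return False

def governing_timers(r: RoleTimers) -> list:
    """Timers that can actually end a session for this role."""
    timers = ["session"] if r.session_timer > 0 else []
    if heartbeat_effective(r):
        timers.append("heartbeat")
    return timers

def audit(roles) -> list:
    findings = []
    for r in roles:
        if not governing_timers(r):
            findings.append((r.role, "no timer ends the session"))
        elif r.heartbeat_timer and not heartbeat_effective(r):
            findings.append((r.role, "heartbeat set but inactive here"))
    return findings

# Constructed sample roles, not taken from any real configuration.
SAMPLE_ROLES = [
    RoleTimers("employee", L2_INBAND, 0, 5),
    RoleTimers("guest", L2_INBAND, 60, 5),
    RoleTimers("vpn-remote", L3_MULTIHOP, 0, 5),
    RoleTimers("vpn-first-hop", L3_MULTIHOP, 0, 5, True),
    RoleTimers("oob-staff", L2_OOB, 120, 5),
    RoleTimers("kiosk", L2_INBAND, 0, 0),
]

if __name__ == "__main__":
    for role, issue in audit(SAMPLE_ROLES):
        print(f"{role}: {issue}")
```

A role flagged with "no timer ends the session" stays on the Online Users list until one of the non-timer events listed for In-Band sessions occurs.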