Session Aware Networking provides a policy and identity-based framework in which edge devices can deliver flexible and scalable services to subscribers. This module provides information about what Session Aware Networking is and its features and benefits.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Session Aware Networking
Understanding Session Aware Networking
Session Aware Networking provides an identity-based approach to access management and subscriber management. It offers a consistent way to configure features across technologies, a command interface that allows easy deployment and customization of features, and a robust policy control engine with the ability to apply policies defined locally or received from an external server to enforce policy in the network.
The figure below illustrates a typical deployment of Session Aware Networking in a physically distributed enterprise with a campus, branch offices, and remote workers.
Figure 1. Sample Deployment
Features in Session Aware Networking
Session Aware Networking includes the following features:
Cisco common classification policy language (C3PL)-based identity configuration
Concurrent authentication methods on a single session, including IEEE 802.1x (dot1x), MAC authentication bypass (MAB), and web
authentication
Downloadable identity service templates
Extended RADIUS change of authorization (CoA) support for querying, reauthenticating, and terminating a session, port shutdown and port bounce, and activating and deactivating an identity service template.
Local authentication using Lightweight Directory Access Protocol (LDAP)
Locally defined identity control policies
Locally defined identity service templates
Per-user inactivity handling across methods
Web authentication support of common session ID
Web authentication support of IPv6
Benefits of Session Aware Networking
Identity-based solutions are essential for delivering access control for disparate groups such as employees, contractors, and partners while maintaining low operating expenses. Session Aware Networking provides a consistent approach to operational management through a policy and identity-based infrastructure leading to faster deployment of new features and easier management of switches.
Session Aware Networking provides the following benefits:
An identity-based framework for session management.
A robust policy control engine to apply policies defined locally or received from an external AAA server.
Faster deployment and customization of features across access technologies.
A simpler and consistent way to configure features across access methods, platforms, and application domains.
Web Authentication Support for Common Session ID
Session Aware Networking allows a single session identifier to be used for web authentication sessions in addition to all 802.1X and MAB authenticated sessions for a client. This session ID is used for all reporting purposes such as show commands, MIBs, and RADIUS messages and allows users to distinguish messages for one session from messages for other sessions. This common session ID is used consistently across all authentication methods and features applied to a session.
Web Authentication Support of IPv6
Session Aware Networking introduces IPv6 support for web authentication. IPv6 is supported for web authentication only when Session Aware Networking is explicitly configured. This means that you must permanently convert your configuration to the Cisco common classification policy language (C3PL) display mode by specifically configuring a Session Aware Networking command such as the policy-map type control subscriber command.
Authentication, authorization, and accounting (AAA) configuration
tasks
Authentication Authorization and Accounting Configuration Guide
AAA commands
Cisco IOS Security Command Reference
Standards and RFCs
Standard/RFC
Title
RFC 5176
Dynamic Authorization Extensions to RADIUS
Technical Assistance
Description
Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for Session Aware Networking Overview
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to
www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 Feature Information for Session Aware Networking Overview
Feature Name
Releases
Feature Information
Web Authentication Support of Common Session ID
Cisco IOS XE Release 3.2SE
Allows a single session identifier to be used for all web
authentication sessions in addition to 802.1X and MAB
authenticated sessions.