Max sessions settings enable the system or group administrator to limit the number of concurrent sessions that can be opened per user, group, or VPDN through the network or through a specific point-of-presence (PoP) grouping of NASes.
CiscoSecure ACS 2.3 for UNIX can support the optional DSM module if it is licensed and enabled; or it can provide its own limited-feature max sessions support.
After you have installed the CiscoSecure ACS, use the CiscoSecure Administrator AAA>General web page to select the type of max sessions control to carry out.
Note The Distributed selection is valid only if you have licensed the DSM module on this ACS. AAA accounting packets must be enabled on the client NASes for this selection to take effect.
Step 2 Stop and restart the CiscoSecure ACS in order for your new max sessions control selection to take effect.
a. Log in as [Root] to the SPARCStation where you installed CiscoSecure ACS. To stop the ACS, enter:
b. To restart the CiscoSecure ACS, enter:
Caution If accounting information is still being written when the /etc/rc0.d/K80CiscoSecure script is invoked to stop the ACS, the DBServer module of the ACS will not shut down until it finishes writing all accounting information to the RDBMS. This process might take as long as 10 minutes. Do not attempt to shut down the DBServer by other means during this process. Loss of accounting data might result.
A group can have two kinds of members: user profiles and group profiles (subgroups).
Consider the following cases:
1. A user member profile of a group has "max sessions" set.
2. A user member profile does not have "max sessions" set.
3. A group member's profile (subgroup) has "member-specific max sessions" set.
4. A group member's profile (subgroup) does not have "member-specific max sessions" set.
In cases 2 and 4, the value is inherited from the "member-specific max sessions" parameter of the parent group. If the parent group does not have "member-specific max sessions" configured, the value is inherited from the parent's own parent in the same way. In other words, a group's "member-specific max sessions" setting is used only when the member itself has no such parameter configured: when the member is a user profile with no "max sessions" parameter, or when the member is a group profile (subgroup) with no "member-specific max sessions" parameter of its own.
Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.
With the CiscoSecure DSM module installed and enabled, the CiscoSecure system Administrator can use the DSM menu option in the CiscoSecure ACS 2.3 Administrator web pages to carry out the following operations:
Caution DSM-based sessions management cannot be implemented for members of VPDNs set up to use the Cisco IOS Release 11.3 dial-in number information service (DNIS) feature.
Before you attempt to configure DSM max sessions control, make sure that you have implemented the following CiscoSecure installation and post-installation requirements:
In the CiscoSecure ACS 2.3 for UNIX release, a DSM authority is synonymous with the DSM that you want to handle the session managers for a CiscoSecure group, user, or VPDN.
Before you configure DSM settings for groups, users, or VPDNs, you will need to create a DSM authority. Then, when you set up DSM settings for your CiscoSecure groups, users, or VPDNs, you assign this or some other DSM authority to carry out those settings.
Step 2 If you want to edit an existing DSM Authority, click the pencil icon for that DSM Authority.
Step 3 If you want to create a new DSM Authority, click Add Distributed Session Manager Authority, and in the DSM Authority Name field, enter a name of your choosing and click Add.
Step 4 On the Distributed Session Manager Edit Authority page, select or enter the appropriate settings:
Step 5 When you are finished with your settings, click Update to confirm the DSM server setting.
To delete an existing DSM Authority:
Step 2 Click the minus sign for the DSM Authority that you want to delete.
When a DSM authority is established, you can configure max sessions settings to apply to every CiscoSecure user, group, or VPDN in the CiscoSecure profile database.
The DSM>Counters option allows you to browse for and select the user, group, and VPDN objects on the network whose DSM statistics you want to view or whose DSM settings you want to configure.
Step 2 Click the appropriate button:
Note If you click the All button, VPDN objects will be displayed only as user or group objects (however they were originally configured). They will not be listed separately or designated in any other way as VPDN objects.
Caution If a large number of user and group profiles exist, displaying them all on a single page might take a long time and the resulting HTML page might force an out-of-memory error in the browser. If the items you want to browse are group or user profiles, it might be better to use the DSM>View option to search for a specific group or user instead.
Step 3 Locate the user, group, or VPDN object whose DSM statistics or DSM settings you want to view or modify:
To avoid having to display and browse all the users, all the groups, or all the VPDNs on a network, you can use the DSM>Counters option to first select a group and then browse just the users, subgroups, or VPDNs belonging to that group.
Step 2 Click the Groups button.
Step 3 Locate and click the name of the group whose users, VPDNs, or subgroups you want to browse.
This displays the Distributed Session Manager - View Group Settings page for that group.
Step 4 Locate the View Members box on this page and click the appropriate button:
Note If you click the All button, VPDN objects will be displayed only as user or group objects (however they were originally configured). They will not be listed separately or designated in any other way as VPDN objects.
Caution If a large number of user and subgroup profiles exist for the current group, displaying them all on a single page might take a long time and the resulting HTML page might force an out-of-memory error in the browser. If the items you want to browse are group or user profiles, it might be better to use the DSM>View option to search for a specific group or user instead.
Step 5 Locate the user, group, or VPDN object whose DSM statistics or DSM settings you want to view or modify.
The DSM Member Settings page enables you to restrict concurrent sessions for an individual user. To edit individual CiscoSecure user DSM settings:
Step 2 Click the Users button.
Step 3 Locate the user whose max sessions settings you want to edit. If necessary, click the Show More or Show All button.
Step 4 After locating the user, click the pencil icon to display the Distributed Session Manager Member Settings page.
Step 5 Edit the settings.
| User Setting | Description |
|---|---|
| Max Sessions | The maximum number of concurrent sessions to allot to the current user. |
| DSM Authority Name | The name of the DSM that has authority over the current user. In most cases, the DSM Authority Name for a CiscoSecure user is the DSM at the ACS. |
| High Performance Threshold (%) | The point at which full completion of a max sessions check is required before the current user can open additional sessions. High performance login throughput is enabled by a shortcut routine that allows the current user to open a session even before that user's max sessions check is fully completed at the DSM; however, if the percentage of sessions already opened in relation to the sessions allowed goes above the percentage specified in this field, the shortcut routine is suspended and full max sessions checking is required before the user can open a new session. For example, if the max sessions setting for the current user is 4 and the high performance threshold is set to 75%, then the high performance shortcut routine is suspended for this user after this user opens three concurrent sessions.¹ |
| Unbound PoP Policy | Whether to permit or deny dial-in user access if the user is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section. |
Note If DSM settings assigned to an individual user conflict with "Member-Specific" DSM settings assigned to that user's group, the individual user DSM settings will apply to that user; however, you can use the Java-based CiscoSecure Administrator advanced configuration program to assign Member-Specific group DSM settings "Absolute" status, which overrides the DSM settings assigned to any individual user in that group. See the "Applying Group DSM Overrides" section.
The DSM Edit Group Settings page enables you to limit the total combined concurrent sessions allowed to a group and to limit the concurrent sessions allowed to each member of that group. To edit the Group DSM settings:
Step 2 Click the Groups button.
Step 3 Locate the group whose DSM settings you want to edit. If necessary, click the Show More or Show All button.
Step 4 After locating the group, click the pencil icon to display the Distributed Session Manager Edit Group Settings window.
Step 5 Edit the Group-Specific settings.
Group-Specific settings restrict the total combined sessions allowed to the members and subgroups of a CiscoSecure group as a whole. They include:
| Group-Specific Setting | Description |
|---|---|
| Max Sessions | This is the maximum number of total combined sessions to allot to this group of users and users in any of its subgroups. If the total number of concurrent sessions opened by users in this group and in any of its subgroups reaches the number specified in this field, CiscoSecure denies additional login sessions to members of this group or any of its subgroups. |
| DSM Authority Name | This is the name of the DSM that has authority over this group. |
| High Performance Threshold (%) | The point at which full completion of a max sessions check is required before members of this group can open additional sessions. Group high performance login throughput is enabled by a shortcut routine that allows the members of the current group to open a session even before that group's max sessions check is fully completed; however, if the percentage of sessions already opened in relation to the sessions allowed goes above the percentage specified in this field, the shortcut routine is suspended and full group max sessions checking is required before any member of this group can open new sessions. For example, if the group max sessions setting for the current group is 400 and the high performance threshold is set to 75%, then the high performance shortcut routine is suspended for this group after its users and users in any of its subgroups open a combined total of 300 concurrent sessions.¹ |
| Unbound PoP Policy | Whether to permit or deny dial-in user access if the group member is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section. |
Step 6 Edit the Member-Specific group settings. Member-Specific settings are global DSM settings that restrict the concurrent sessions allowed each member of a group.
| Member-Specific Setting | Description |
|---|---|
| Max Sessions | The maximum number of concurrent sessions to allot to any one user within the current CiscoSecure group. You can use this setting to ensure that no one user consumes a disproportionate share of the sessions allotted to the entire group. |
| DSM Authority Name | The name of the DSM that has authority over this user. In most cases, the DSM Authority Name for a group and its members is the same. |
| High Performance Threshold (%) | The point at which full completion of a max sessions check is required before each individual member of the current group can open additional sessions. High performance login throughput is enabled by a shortcut routine that allows a user of the current group to open a session even before that user's max sessions check is fully completed; however, if the percentage of sessions already opened for a user in relation to the sessions allowed goes above the percentage specified in this field, the shortcut routine is suspended and full max sessions checking is required before that user can open a new session. For example, if the member max sessions setting for the current group is 4 and the high performance threshold is set to 75%, then the high performance shortcut routine is suspended for a user in this group after that user opens 3 concurrent sessions.¹ |
| Unbound PoP Policy | Whether to permit or deny dial-in user access if the group member is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section. |
Note If DSM settings assigned to an individual user conflict with "Member-Specific" DSM settings assigned to that user's group, the individual user DSM settings will apply to that user; however, you can use the Java-based CiscoSecure Administrator advanced configuration program to assign Member-Specific group DSM settings "Absolute" status, which overrides the DSM settings assigned to any individual user in that group. See the "Applying Group DSM Overrides" section.
A CiscoSecure virtual private dial-up network (VPDN) object is a CiscoSecure user profile specially configured as a VPDN name. Members of that VPDN attach the VPDN name to their personal login names when dialing in through a remote ISP-run NAS, and their login requests are tunneled for authentication to their VPDN's home gateway NAS and ACS.
Note For details on setting up VPDN connections see the "TACACS+ VPDN Example" section and the "RADIUS VPDN Example" section in "Limiting and Tracking Sessions Per User, Group, or VPDN."
To edit VPDN DSM settings:
Step 2 Click the VPDNs button.
Step 3 Locate the VPDN object whose max sessions settings you want to edit. If necessary, click the Show More or Show All button.
Step 4 After locating the VPDN object, click the pencil icon to display the Distributed Session Manager Edit VPDN Settings window.
Step 5 Edit the settings.
| VPDN Setting | Description |
|---|---|
| Max Sessions | This is the maximum number of sessions to allot to this VPDN. If the number of concurrent sessions specified in this field is reached, CiscoSecure denies login sessions to other members of this VPDN. |
| DSM Authority Name | This is the name of the DSM that has authority over this VPDN. |
| High Performance Threshold (%) | The point at which full completion of a max sessions check is required before members of this VPDN can open additional sessions. VPDN high performance login throughput is enabled by a shortcut routine that allows the members of the current VPDN to open a session even before that VPDN's max sessions check is fully completed; however, if the percentage of sessions already opened in relation to the sessions allowed goes above the percentage specified in this field, the shortcut routine is suspended and full VPDN max sessions checking is required before any member of this VPDN can open new sessions. For example, if the max sessions setting for the current VPDN is 400 and the high performance threshold is set to 75%, then the high performance shortcut routine is suspended for this VPDN after its users open 300 concurrent sessions.¹ |
| Unbound PoP Policy | Whether to permit or deny dial-in user access if the VPDN member is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section. |
The CiscoSecure DSM module allows you to organize your NASes into logical PoP groups and then restrict the number of sessions that can be opened for a specified CiscoSecure user, group, or VPDN through that PoP.
For example, you can group the NASes NAS_A, NAS_B, and NAS_C into one logical PoP, PoP_1. You can then assign, or "bind," Group_a to this PoP, which restricts the total combined number of concurrent sessions that members of this group can open through this PoP and, if you so choose, also restricts the members of Group_a to dialing in only through the NASes assigned to PoP_1. You can apply the same PoP-related restrictions to individual users and to members of a VPDN.
The DSM module of CiscoSecure ACS 2.3 for UNIX allows you to include one or more dial-in NASes in a PoP group.
Step 2 Use the Distributed Session Manager Edit PoP Definition page as follows:
Note TACACS+ NASes that are removed from the ACS configuration through the AAA>NAS option in CiscoSecure ACS 2.3 Administrator web pages, or RADIUS NASes that are removed from the ACS configuration through the NASes tab in the Java-based CiscoSecure Administrator advanced configuration program, will remain listed in the "NASes in PoP" list, but in brackets, until removed through the -> button.
Caution When using the Free-Form NASes field, you must observe several important precautions. See the "Adding Unlisted TACACS+ NASes to a PoP Definition" section for instructions and precautions to observe when using the Free-Form NASes field.
If a TACACS+ NAS has not been added as a client to this ACS configuration through the AAA>NAS option in the CiscoSecure ACS 2.3 Administrator web pages, it will not be listed in any PoP's "Available NASes" or "NASes in PoP" lists.
However, you can still use the "Free-Form NASes" field to add an unlisted TACACS+ NAS to a PoP definition:
Step 2 In the Distributed Session Manager PoP Definition page, enter the FQDN or the IP address of the NAS that you want to add in the Free-Form NASes field, but observe the following important precautions:
Step 3 Click the Add Unlisted NAS button.
The specified NAS will appear in brackets in the "NASes in PoP" list.
If the IP address or name of an existing NAS is not listed, it might already be assigned to another PoP group. A NAS can only be allocated to one PoP group at a time. To deallocate a NAS from another PoP grouping and make it available to the current PoP grouping, carry out the following steps:
Step 2 Locate and select the NAS name or IP address.
Note NASes that were added to the PoP through the Free-Form NASes field will not show up in the "NASes in other PoPs" list.
Step 3 Click Make Available. The IP address or name of the selected NAS now appears as available for selection in the Available NASes list.
To delete an existing PoP grouping of NASes, do the following:
Step 2 Click the minus sign for the PoP that you want to delete.
Note If the deleted PoP has been bound to users, groups, or VPDNs, the deleted PoP listing will remain on the user's, group's, or VPDN's View Group-PoP Settings or View Member-PoP Settings page, but the deleted PoP listing will be marked with a grayed background and without the Counter Statistics and Counter Maintenance buttons.
You can restrict the number of logins that your individual users, group members, or VPDN members can carry out through specific NAS groups, or PoPs, defined by CiscoSecure.
Step 2 Click the appropriate PoP Bindings button: either the Group-PoP Bindings button or the Member-PoP Bindings button.
Step 3 From the PoP List field, select the PoP group that you want bound to the current user, group, or VPDN and click Add PoP Counter.
Step 4 Set the PoP settings for the current user, group, group member, or VPDN. The settings include:
| PoP Setting | Description |
|---|---|
| Max Sessions | The maximum number of concurrent sessions to allow the current user, group, group membership, or VPDN group to run through the specified PoP group. |
| DSM Authority Name | The name of the DSM that has authority over this user, group, group membership, or VPDN PoP binding. In most cases, the DSM Authority Name for a group and its members is the same. |
| High Performance Threshold (%) | The percentage of the maximum allowable sessions (allotted to a user, group, group membership, or VPDN group) at which the High Performance shortcut is abandoned and completion of a full max sessions check is required before the current user, group, group membership, or VPDN group can open additional sessions through the specified PoP group. For details on how this setting applies to the current counter object, check the description of the High Performance Threshold (%) setting for that particular object. |
Step 5 Click the pencil icon for the current user, group, or VPDN and make sure that its Unbound PoP Policy field is set to Deny.
Note If no PoPs are bound to the current user, or to members of the current group or VPDN, then all login attempts will be refused if the Unbound PoP Policy is set to Deny.
Note If users do log in through their bound PoPs, the user, group, or VPDN DSM settings for that bound PoP will be applied.
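The PoP binding decision described in this procedure, as an added, constructed model that is not CiscoSecure code: a NAS is looked up in its PoP, a PoP not bound to the object falls through to the Unbound PoP Policy (so Deny with no bound PoPs refuses every login), and a bound PoP is checked against its own counter. The class and function names, the decision strings, and the PoP_2/NAS_D/NAS_Z entries are assumptions; PoP_1 with NAS_A, NAS_B and NAS_C follows the example given earlier on the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PoP:
    """A logical PoP grouping of NASes, listed by configured name, FQDN or IP address."""
    name: str
    nases: List[str]


@dataclass
class PoPBinding:
    """A PoP Counter bound to a user, group or VPDN: its Max Sessions and Current Value."""
    max_sessions: int
    current: int = 0


@dataclass
class DialInObject:
    """A CiscoSecure user, group or VPDN with its Unbound PoP Policy and PoP bindings."""
    name: str
    unbound_pop_policy: str = "permit"  # "permit" or "deny"
    bindings: Dict[str, PoPBinding] = field(default_factory=dict)  # keyed by PoP name


def build_pop_index(pops: List[PoP]) -> Dict[str, str]:
    """Map each NAS to the PoP that owns it. A NAS can be allocated to only one PoP
    at a time, so the same NAS appearing in two PoP definitions is rejected."""
    index: Dict[str, str] = {}
    for pop in pops:
        for nas in pop.nases:
            if nas in index:
                raise ValueError(f"NAS {nas} is already allocated to PoP {index[nas]}")
            index[nas] = pop.name
    return index


def pop_login_decision(obj: DialInObject, nas: str, nas_to_pop: Dict[str, str]) -> str:
    """Decide one dial-in attempt from `nas` against the object's PoP bindings."""
    pop = nas_to_pop.get(nas)
    binding = obj.bindings.get(pop) if pop is not None else None
    if binding is None:
        # The NAS is in no PoP, or in a PoP not bound to this object: the Unbound PoP
        # Policy decides. With Deny and no bound PoPs at all, every login is refused.
        if obj.unbound_pop_policy == "permit":
            return "permit (unbound PoP, policy permit)"
        return f"deny: unbound PoP ({pop or 'NAS in no PoP'})"
    if binding.current >= binding.max_sessions:
        return f"deny: PoP {pop} counter at {binding.max_sessions}"
    binding.current += 1
    return f"permit via PoP {pop}"


def pop_scenario() -> List[str]:
    """Constructed configuration: PoP_1 = NAS_A, NAS_B, NAS_C and PoP_2 = NAS_D; Group_a is
    bound to PoP_1 with 2 sessions and denies unbound PoPs; Group_b denies and has no bindings."""
    nas_to_pop = build_pop_index([PoP("PoP_1", ["NAS_A", "NAS_B", "NAS_C"]), PoP("PoP_2", ["NAS_D"])])
    group_a = DialInObject("Group_a", "deny", {"PoP_1": PoPBinding(max_sessions=2)})
    group_b = DialInObject("Group_b", "deny")
    decisions = [pop_login_decision(group_a, nas, nas_to_pop)
                 for nas in ("NAS_A", "NAS_B", "NAS_C", "NAS_D", "NAS_Z")]
    decisions.append(pop_login_decision(group_b, "NAS_A", nas_to_pop))
    return decisions
```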
Whatever the specified values for a subgroup's group max sessions settings might be, the effective number of concurrent allowable sessions in the subgroup is constrained by the group max sessions value of the parent groups above it.
A parent group's group max sessions value sets an effective limit on the combined total number of concurrent sessions that can be opened for the parent group and its subgroups.
Once the combined total of concurrent sessions opened for the parent group and its subgroups reaches the parent group's group max sessions value, no additional sessions are allowed for the parent group or any of its subgroups, even if individual subgroups have not yet reached their individual group max sessions settings limits.
Note It is the total combined concurrent sessions of a parent group and its subgroups that also determines when the Group-Specific High Performance Threshold setting is applied to that parent group. For example, if a parent group has a group max sessions setting of 1000 and a Group-Specific High Performance Threshold setting of 75%, then a combination of 400 open sessions in the parent group and 350 open sessions in one of its subgroups would be enough to cause CiscoSecure ACS to suspend the High Performance login throughput routine for the parent group and apply full max sessions checking to every login request from members of the parent group before authentication. Logins from subgroup members, however, would be subject only to the Group-Specific High Performance setting specified for their particular subgroup.
The following example illustrates how a parent group's group max sessions setting applies effective controls to the sessions allowed its subgroups:
Normally DSM max sessions settings assigned to groups, subgroups, or individual group members follow the normal CiscoSecure rules and attribute inheritance:
However, you can use the Java-based CiscoSecure Administrator advanced configuration program to assign a group's "Member-Specific" DSM settings "Absolute" status. Absolute status enables the group's "Member-Specific" DSM settings to override most DSM settings assigned to an individual user in that group or any of its subgroups.
Step 2 On the Members tab, deselect the Browse button, select the group whose max sessions settings you want to assign an Absolute status, and click the profile icon.
Step 3 In the Profile pane, select the max sessions attribute to which you want to assign Absolute status and then in the Options menu, select that attribute's Absolute status check box.
| Group-Specific Group Attribute | Assigning this Attribute Absolute Status |
|---|---|
| DSM Authority Name | Overrides the conflicting DSM Authority Name setting of any subgroup of the current group. |
| High Performance Threshold (%) | Overrides the conflicting High Performance Threshold setting of any subgroup of the current group. |
| Unbound PoP Policy | Overrides the conflicting Unbound PoP Policy setting of any subgroup of the current group. |

| Member-Specific Group Attribute | Assigning this Attribute Absolute Status |
|---|---|
| Max Sessions | Overrides the conflicting max sessions setting of any individual member in that group. |
| DSM Authority Name | Overrides the conflicting DSM Authority Name setting of any individual member in that group. |
| High Performance Threshold (%) | Overrides the conflicting High Performance Threshold setting of any individual member in that group. |
| Unbound PoP Policy | Overrides the conflicting Unbound PoP Policy setting of any individual member in that group. |
You can display and reset statistics that have been compiled for your user, group, VPDN, PoP, and Authority DSMs.
DSM statistics inform you of concurrent sessions usage of users, groups or VPDNs.
To display DSM statistics for users, groups, or VPDNs:
Step 2 Click the Counter Statistics button. The counter statistics include:
If your users, groups, or VPDNs are bound to one or more PoPs, PoP-related DSM statistics inform you of concurrent sessions usage by those users, groups or VPDNs through their assigned PoPs.
To display PoP-related DSM statistics for users, groups, or VPDNs that are bound to a PoP:
Step 2 Click the Group-PoP Bindings, or the Member-PoP Bindings button to display the Distributed Session Manager Group-PoP Settings or Distributed Session Manager Member-PoP Settings page.
Step 3 Click the Counter Statistics button for the PoP whose statistics you want to view. The counter statistics include:
You can reset DSM statistics to 0 if you want to measure DSM statistics for a user, group, or VPDN over a specific period of time.
This displays the DSM Group Settings or DSM Member Settings page.
Step 2 Click Counter Statistics to display the DSM statistics page.
Note If the user, group, or VPDN is bound to a PoP, and you want to reset the PoP-related statistics, first click the PoP Bindings button and then click the Counter Statistics button on the PoP whose statistics you want to reset.
Step 3 Click the Reset Group Statistics button.
All DSM statistics except the Current Value setting are reset to 0.
Note Even though the DSM statistics are reset to 0, any new DSM events that occur between the time the reset is executed and the statistics are redisplayed will be reflected in the new statistics.
If the DSM Current Value count fails to decrement for a user, group, or VPDN, you can reset the Current Value of its distributed sessions count to zero, to prevent the distributed sessions counter from refusing login attempts because of a false Current Value count.
Step 2 Click Counter Maintenance to display the DSM statistics page.
Note If the user, group, or VPDN is bound to a PoP, and you want to reset the PoP-related sessions counter, first click the PoP Bindings button and then click the Counter Maintenance button on the PoP whose sessions counter you want to reset.
Step 3 Click the Reset to Zero button.
The Current Value setting is reset to "0."
![]() |
Note Resetting a group counter to 0 only affects the Current Value for that group. The Current Value of any of its parent groups will not decrement; however, resetting a user counter to 0 causes the Current Value of its group and any of its parent groups to decrement by the number of sessions that user was running at the time of the reset. |
Note: Even though the DSM statistics are reset to 0, any new DSM sessions that occur between the time the reset is executed and the statistics are redisplayed will be reflected in the new Current Value setting.
Note: This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.
In case of system-wide network disruption, it might be necessary to carry out a widespread reset of configured user, group, and VPDN counters in order to prevent massive user lockout. The full-featured DSM-based max sessions package provides a means to reset all users, groups, and VPDNs associated with a single DSM Authority.
Caution: A DSM Authority-wide reset of DSMs should only be carried out in emergency situations. If numerous users and groups, potentially 100,000 or more, are assigned to a DSM Authority, resetting their counters could take hours and tie up the server's system resources, severely disrupting a production network.
Step 2 Click the Zero All Counters button and click Yes to the warning and confirmation query "Are you sure?"
The sessions count for all users, groups, and VPDNs on all DSMs associated with the current DSM Authority is set to "0."
If new user, group, or VPDN sessions are started during the reset process, their number will be reflected in the appropriate counters after the DSM Authority-wide reset is complete.
Note: This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.
Displaying DSM Authority Statistics allows you to view and list the DSM rejection and oversubscription statistics for all CiscoSecure units (users, groups, and VPDNs) associated with a common DSM Authority.
Step 2 Click to view the desired statistics:
In either case, the record for each object includes the following information:
Note: This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.
If you want to view or edit max sessions information for a specific user, group, VPDN or PoP group, you can use the DSM>View option to access that object's DSM information directly without having to browse through the View Groups, View VPDNs, or View Users pages.
This is especially useful if you manage a large profile database and the DSM View Groups, View VPDNs, or View Users pages could list thousands of profiles.
Step 2 In the View page, specify the type of object whose max sessions you want to manage: User, Group, Authority, or PoP.
Note: A VPDN is either a User type or a Group type, because VPDN objects are simply user or group profiles that have been assigned the protocol (vpdn) attribute.
Step 3 Enter the name of the DSM object you want to find and click Submit Query.
The DSM settings for the object you specified appear for your editing.
If the customer has installed the CiscoSecure ACS 2.3 for UNIX package that is not licensed for DSM support, some limited user and group level max sessions support is still available if the administrator has selected and enabled the non-Distributed AAA or non-Distributed DBServer option for the Max Sessions Enabled setting in the CiscoSecure Administrator AAA>General web page.
For details on enabling limited AAA server-based or DBServer-based max sessions control, see the "Enabling Max Sessions Control" section.
Without the optional CiscoSecure DSM module licensed or enabled, the system administrator can still use the Java-based CiscoSecure Administrator advanced configuration program to specify max sessions limitations per user and apply this limitation to a single user or to all users in a group; however, the following limitations also apply:
Note: This section describes operations that support the limited set of max sessions features available if the customer has not installed or enabled the optional CiscoSecure Distributed Sessions Manager (DSM) module. If you have the DSM module installed and enabled, information in this section does not apply.
Even with limited-feature max sessions support, the system administrator can still configure individual CiscoSecure user max sessions settings:
Step 2 Start the Java-based CiscoSecure Administrator advanced configuration program.
Step 3 In the Members page, clear the Browse check box and select the group or user whose per member sessions you want to limit.
Step 4 In the Profile pane, click the profile icon, then in the Options menu, select Profile Attributes, and click Apply.
Step 5 Back in the Profile pane, click the Profile Attributes icon, then in the Options menu, select server max-sessions.
Step 6 In the Numeric value field, specify the maximum number of sessions to allow per user (for example, server max-sessions = 9) and click Apply.
Step 7 Click Submit to save the setting.
Note: Information in this section applies only if you have implemented AAA server-based max sessions checking as described in the "Enabling Max Sessions Control" section. It does not apply if you implemented DBServer-based or DSM-based max sessions control as described in that same section.
The ms_util tool provides a menu and prompt-driven method for the system administrator to manage a High-Performance, AAA server-based implementation of max sessions checking. Using ms_util, the administrator can browse max sessions information for current active sessions and delete active sessions records from the AAA server-based max sessions counter.
Before executing the delete operations, the system administrator can store the delete commands in an editable file of queued delete commands.
Note: Information in this section applies only if you have implemented AAA server-based max sessions checking as described in the "Enabling Max Sessions Control" section. It does not apply if you implemented DBServer-based or DSM-based max sessions control as described in that same section.
To view the max sessions counter records of active sessions:
Step 1 Go to the $BASEDIR/MaxSessions_utils directory and enter:
```
./ms_util
```
Step 2 In the Main menu, select 1 to view the current active sessions.
Step 3 In the View menu, enter the number for one of the following options:
| Number and Option | Description |
|---|---|
| 1 browse-users | Displays a numbered, alphanumerically ordered list of all active user sessions, by username (10 entries displayed per screen, numbered 0-9). In addition to the username, each record also includes the NAS, session number, session length, and start time. |
| 2 view-user | Displays all the active sessions of a specific user. Enter the name of the user whose sessions you want to view. |
| 3 browse-nas | Displays a numbered, alphanumerically ordered list of all NASes with active user sessions (maximum 10 entries per screen, numbered 0-9). |
| 4 view-nas | Displays all the active sessions of a specific NAS. |
| 5 refresh | Updates the current screen of information. |
Step 4 The max sessions counter active sessions records are displayed in a format similar to the following example:
```
--------------------------------------------------------------------
-Users with active sessions as of Wed Feb 11 10:20:00 1998-
User     Nas       Session  Active  Start
0) user100  nas1.com  110    00:11   Wed Feb 11 10:09:00 1998
1) user102  nas1.com  1011   01:15   Wed Feb 11 09:05:12 1998
--------------------------------------------------------------------
```
The preceding example indicates that user100 logged on to nas1.com at 10:09 a.m. and the session has been active for 11 minutes; user102 logged in at 9:05 a.m. and this session has been active for 1 hour and 15 minutes.
Note: Information in this section applies only if you have implemented AAA server-based max sessions checking as described in the "Enabling Max Sessions Control" section. It does not apply if you implemented DBServer-based or DSM-based max sessions control as described in that same section.
To delete the records of active sessions from the AAA server-based max sessions counter:
Note: The Delete options described here do not actually end active sessions; they merely remove records of current active sessions from the AAA server-based max sessions counter. Use these delete options only in situations where you know sessions have ended but for some reason have not been decremented in the max sessions counter.
Step 1 Go to the $BASEDIR/MaxSessions_utils directory and enter:
```
./ms_util
```
Step 2 In the Main menu, enter 2 to delete active sessions.
Step 3 In the Delete menu, enter the number for one of these options:
| Number and Option | Description |
|---|---|
| 1 delete-user | Clears all records in the max sessions counter of current sessions associated with a specific user. |
| 2 clear-nas | Clears all records in the max sessions counter of current sessions associated with a specific NAS. |
| 3 clear-all | Clears all records of active sessions from the max sessions counter. The max sessions count of all users is set to zero. |
| 4 refresh | Updates the current screen of information. |
Step 4 After entering the options in Step 3, press Enter to place your Delete operation in the job request queue. You return to the Main menu.
Step 5 If you have other delete operations to carry out, repeat Steps 2, 3, and 4.
Step 6 After specifying all the Delete operations you want carried out, enter 6 in the Main menu to execute the Delete commands in your job queue.
Note: Placing all your Delete operations in a queue and executing them at once saves processing time on the AAA server.
Note: Information in this section applies only if you have implemented AAA server-based max sessions checking as described in the "Enabling Max Sessions Control" section. It does not apply if you implemented DBServer-based or DSM-based max sessions control as described in that same section.
You can add switches to the ./ms_util command-line string and carry out the delete operations described in "Deleting Active Sessions Records" in command-line mode.
Note: The Delete operations described here do not actually end active sessions; they merely remove records of current active sessions from the AAA server-based max sessions counter. Use these delete operations only in situations where you know sessions have ended but for some reason have not been decremented in the max sessions counter.
If you want to carry out ms_util deletions in command-line mode, the syntax is:
```
./ms_util [-u user_id,nas_id,session_id] [-n nas_id] [-e]
```
The command-line switch options and parameters are explained in Table 7-10.
| Switch | Description |
|---|---|
| -u | Deletes one specified record of an active session in the max sessions counter associated with a specific user. The -u switch is specified with the following parameters: `./ms_util -u user_id,nas_id,session_id`, where user_id is the username, nas_id is the name of the NAS, and session_id is the session number of the record to delete. For example, to delete session 103 of user john from NAS ciscoNAS, enter: `./ms_util -u john,ciscoNAS,103` |
| -n | Deletes all records of active sessions in the max sessions counter associated with a specific NAS. The -n switch is specified with the following parameter: `./ms_util -n nas_id`, where nas_id is the name of the NAS whose active session records you want to delete from the max sessions counter. For example, to clear all sessions from NAS ciscoNAS, enter: `./ms_util -n ciscoNAS` |
| -e | Deletes all records of active sessions from the max sessions counter. The max sessions count of all users is set to zero. For example, to clear the entire max sessions counter, enter: `./ms_util -e` |
Note: Information in this section applies only if you have implemented AAA server-based max sessions checking as described in the "Enabling Max Sessions Control" section. It does not apply if you implemented DBServer-based or DSM-based max sessions control as described in that same section.
Multiple delete operations can be specified on a single ms_util command-line. For example, the following ms_util command-line will delete session 103 of user john from NAS ciscoNAS, session 104 of user joe from NAS nasTWO, and clear all sessions from NAS nasTHREE:
```
./ms_util -u john,ciscoNAS,103 -u joe,nasTWO,104 -n nasTHREE
```
This is more efficient than running ms_util three times to perform the three deletes.
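Checking a browse-users listing against the server max-sessions value and building the multi-delete command line described above, as an added example (Python; not part of the CiscoSecure documentation or the ms_util tool). The listing is constructed sample data in the format shown earlier, and the 12-hour staleness threshold is an assumption used only to pick candidate records for the operator to confirm.

```python
import re
from collections import defaultdict

# Constructed sample in the format ms_util displays; not real data.
SAMPLE_LISTING = """\
--------------------------------------------------------------------
-Users with active sessions as of Wed Feb 11 10:20:00 1998-
User Nas Session Active Start
0) user100 nas1.com 110 00:11 Wed Feb 11 10:09:00 1998
1) user102 nas1.com 1011 01:15 Wed Feb 11 09:05:12 1998
2) user102 nas2.com 1012 20:35 Tue Feb 10 13:45:00 1998
--------------------------------------------------------------------
"""

# One session row: index, user, NAS, session id, active HH:MM, start timestamp.
ROW = re.compile(
    r"^\s*\d+\)\s+(?P<user>\S+)\s+(?P<nas>\S+)\s+(?P<session>\d+)"
    r"\s+(?P<hours>\d+):(?P<minutes>\d{2})\s+(?P<start>.+?)\s*$"
)

def parse_listing(text):
    """Return one dict per session row; header and rule lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sessions.append({
                "user": m["user"], "nas": m["nas"], "session": int(m["session"]),
                "active_minutes": int(m["hours"]) * 60 + int(m["minutes"]),
                "start": m["start"],
            })
    return sessions

def users_at_limit(sessions, max_sessions):
    """Users whose counted sessions have reached the server max-sessions value."""
    counts = defaultdict(int)
    for s in sessions:
        counts[s["user"]] += 1
    return sorted(u for u, n in counts.items() if n >= max_sessions)

def stale_sessions(sessions, max_active_minutes):
    """Records counted longer than the threshold; confirm they have ended before deleting."""
    return [s for s in sessions if s["active_minutes"] > max_active_minutes]

def delete_command(sessions):
    """One ms_util command line removing the given records (-u user_id,nas_id,session_id)."""
    args = " ".join(f"-u {s['user']},{s['nas']},{s['session']}" for s in sessions)
    return f"./ms_util {args}"
```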
Cisco strongly recommends using the Max Sessions Enabled field in the CiscoSecure Administrator AAA General web page to enable or disable the various types of max sessions control as described in Chapter 6, "Limiting and Tracking Sessions Per User, Group, or VPDN" in the CiscoSecure ACS 2.3 for UNIX User Guide.
Alternatively, if you do not have access to a web browser, you can enable or disable max sessions control by editing the CSU.cfg and CSConfig.ini configuration files. In the $BASEDIR/config directory of your CiscoSecure ACS for UNIX server, edit your CSU.cfg and CSConfig.ini files as specified in Table 7-11 to enable the DSM or other supported types of max sessions control.
Caution: If you edit the CSU.cfg and CSConfig.ini files, make sure that when you enable one type of max sessions control you also disable all other types of max sessions control. Enabling the settings for one type of max sessions control in Table 7-11 without disabling the settings for the other types of max sessions control can cause extremely slow authentication performance and out-of-memory errors.
| Enabling this Type of Max Sessions: | Requires These CSU.cfg Settings: | And Requires These CSConfig.ini Settings: |
|---|---|---|
| None (all max sessions control disabled) | These settings disable AAA server and DSM max sessions control. | These settings disable DBServer-based max sessions control. |
| Distributed Session Manager (DSM) | These settings disable AAA server-based max sessions control and enable the DSM. | These settings disable DBServer-based max sessions control. |
| DBServer-based max sessions control | These settings disable AAA server-based max sessions control and the DSM. | These settings enable DBServer-based max sessions control. |
| AAA server-based max sessions control | These settings enable AAA server-based max sessions control and disable the DSM. | These settings disable DBServer-based max sessions control. |
Step 7 After making the above settings, stop and restart CiscoSecure ACS to make sure that all the above settings take effect:
Note: All forms of max sessions control require that the AAA accounting functions be enabled in the client NASes.
Posted: Sun Apr 2 16:15:14 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.