Max sessions settings enable the system or group administrator to limit the number of concurrent sessions that can be opened per user, group, or VPDN through the network or through a specific point-of-presence (PoP) grouping of NASes.
CiscoSecure ACS 2.3 for UNIX can support the optional Distributed Session Manager (DSM) module if it is licensed and enabled; or it can provide its own limited-feature max sessions support.
After you have installed the CiscoSecure ACS, use the CiscoSecure Administrator AAA>General web page to enable the type of max sessions control that you want to use.
Step 2 Stop and restart the CiscoSecure ACS in order for your new max sessions control selection to take effect.
(a) Log in as [Root] to the SPARCStation where you installed CiscoSecure ACS. To stop the ACS enter:
# /etc/rc0.d/K80CiscoSecure
(b) To restart the CiscoSecure ACS, enter:
# /etc/rc2.d/S80CiscoSecure
Caution: If accounting information is still being written when the /etc/rc0.d/K80CiscoSecure script is invoked to stop the ACS, the DBServer module of the ACS will not shut down until it finishes writing all accounting information to the RDBMS. This process might take as long as 10 minutes. Do not attempt to shut down the DBServer by other means during this process. Loss of accounting data might result.
With the CiscoSecure DSM module installed and enabled, the CiscoSecure system Administrator can use the DSM menu option in the CiscoSecure ACS 2.3 Administrator web pages to carry out the following operations:
Caution: DSM-based sessions management cannot be implemented for members of VPDNs set up to use the Cisco IOS Release 11.3 dial-in number information service (DNIS) feature.
Before you attempt to configure DSM max sessions control, make sure that you have implemented the following CiscoSecure installation and post-installation requirements:
In the CiscoSecure ACS 2.3 for UNIX release, a DSM authority is synonymous with the Distributed Session Manager that you want to handle the session managers for a CiscoSecure group, user, or VPDN.
Before you configure DSM settings for groups, users, or VPDNs, you will need to create a DSM authority. Then, when you set up DSM settings for your CiscoSecure groups, users, or VPDNs, you assign this or some other DSM authority to carry out those settings.
Step 1 Using the CiscoSecure ACS 2.3 Administrator web page, select DSM>Authorities.
Step 2 If you want to Edit an existing DSM Authority, click the pencil icon for that DSM Authority.
Step 3 If you want to create a new DSM Authority, click Add Distributed Session Manager Authority, and in the DSM Authority Name field, enter a name of your choosing and click Add.
Step 4 On the Distributed Session Manager Edit Authority page, select or enter the appropriate settings:
Step 5 When you are finished with your settings, click Update to confirm the Distributed Session Manager server setting.
To delete an existing DSM Authority, do the following:
Step 1 Using the CiscoSecure ACS 2.3 Administrator web page, select DSM>Authorities to display the Distributed Session Manager Authorities page.
Step 2 Click the minus sign for the DSM Authority that you want to delete.
When a DSM authority is established, you can configure max sessions settings to apply to every CiscoSecure user, group, or VPDN in the CiscoSecure profile database.
The DSM>Counters option allows you to browse for and select the user, group, and VPDN objects on the network whose DSM statistics you want to view or whose DSM settings you want to configure.
Step 1 Click the DSM>Counters menu option to display the Distributed Session Manager - View Counters page.
Step 2 Click the appropriate button:
Caution: If a large number of user and group profiles exist, displaying them all on a single page might take a long time and the resulting HTML page might force an out-of-memory error in the browser. If the items you want to browse are group or user profiles, it might be better to use the DSM>View option to search for a specific group or user instead.
Step 3 Locate the user, group, or VPDN object whose DSM statistics or DSM settings you want to view or modify:
To avoid having to display and browse all the users, all the groups, or all the VPDNs on a network, you can use the DSM>Counters option to first select a group and then browse just the users, subgroups, or VPDNs belonging to that group.
Step 1 Click the DSM>Counters menu option to display the Distributed Session Manager - View Counters page.
Step 2 Click the Groups button.
Step 3 Locate and click the name of the group whose users, VPDNs, or subgroups you want to browse.
This displays the Distributed Session Manager - View Group Settings page for that group.
Step 4 Locate the View Members box on this page and click the appropriate button:
Caution: If a large number of user and subgroup profiles exist for the current group, displaying them all on a single page might take a long time and the resulting HTML page might force an out-of-memory error in the browser. If the items you want to browse are group or user profiles, it might be better to use the DSM>View option to search for a specific group or user instead.
Step 5 Locate the user, group, or VPDN object whose DSM statistics or DSM settings you want to view or modify.
The DSM Member Settings page enables you to restrict concurrent sessions for an individual user. To edit individual CiscoSecure user DSM settings:
Step 1 Click the DSM>Counters menu option to display the Distributed Session Manager - View Counters page.
Step 2 Click the Users button.
Step 3 Locate the user whose max sessions settings you want to edit. If necessary, click the Show More or Show All button.
Step 4 After locating the user, click the pencil icon to display the Distributed Session Manager Member Settings page.
Step 5 Edit the settings.
| User Setting | Description |
|---|---|
| Max Sessions | |
| DSM Authority Name | The name of the Distributed Session Manager that has authority over the current user. In most cases, the DSM Authority Name for a CiscoSecure user is the Distributed Session Manager at the ACS. Note: If the DSM Authority assigned to this field is subsequently deleted from the Distributed Session Manager Authorities page, it will still be listed in this field but marked as "invalid" until a valid DSM Authority is assigned to this field. |
| High Performance Threshold (%) | The point at which full completion of a max sessions check is required before the current user can open additional sessions. High performance login throughput is enabled by a shortcut routine that allows the current user to open a session even before that user's max sessions check is fully completed at the DSM; however, if the percentage of sessions already opened in relation to the sessions allowed goes above the percentage specified in this field, the shortcut routine is suspended and full max sessions checking is required before the user can open a new session. For example, if the max sessions setting for the current user is 4 and the high performance threshold is set to 75%, then the high performance shortcut routine is suspended for this user after this user opens three concurrent sessions. |
| Unbound PoP Policy | Whether to permit or deny dial-in user access if the user is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section. |
The DSM Edit Group Settings page enables you to limit the total combined concurrent sessions allowed for a group and to limit the concurrent sessions allowed for each member of that group. To edit the Group DSM settings:
Step 1 Click the DSM>Counters menu option to display the Distributed Session Manager - View Counters page.
Step 2 Click the Groups button.
Step 3 Locate the group whose DSM settings you want to edit. If necessary, click the Show More or Show All button.
Step 4 After locating the group, click the pencil icon to display the Distributed Session Manager Edit Group Settings window.
Step 5 Edit the Group-Specific settings.
Group-Specific settings restrict the total combined sessions allowed to the members and subgroups of a CiscoSecure group as a whole. They include:
| Group-Specific Setting | Description |
|---|---|
| Max Sessions | This is the maximum number of total combined sessions to allot to this group of users and users in any of its subgroups. If the total number of concurrent sessions opened by users in this group and of any of its subgroups reaches the number specified in this field, CiscoSecure denies additional login sessions to members of this group or any of its subgroups. Note: The group max sessions setting for a parent group sets an absolute maximum limit on the sessions opened by any of its subgroups. Even if the combined group max sessions settings for its subgroups exceed the max sessions setting of the parent group, the total combined concurrent sessions allowed for the parent group and its subgroups cannot exceed the group max sessions setting specified for the parent. See the "Applying Effective Parent Group Max Sessions Settings to Subgroups" section for details. |
| DSM Authority Name | This is the name of the Distributed Session Manager that has authority over this group. Note: If the DSM Authority assigned to this field is subsequently deleted from the Distributed Session Manager Authorities page, it will still be listed in this field but marked as "invalid" until a valid Distributed Session Manager Authority is assigned to this field. |
| High Performance Threshold (%) | The point at which full completion of a max sessions check is required before members of this group can open additional sessions. Group high performance login throughput is enabled by a shortcut routine that allows the members of the current group to open a session even before that group's max sessions check is fully completed; however, if the percentage of sessions already opened in relation to the sessions allowed goes above the percentage specified in this field, the shortcut routine is suspended and full group max sessions checking is required before any member of this group can open new sessions. For example, if the group max sessions setting for the current group is 400 and the high performance threshold is set to 75%, then the high performance shortcut routine is suspended for this group after its users and users in any of its subgroups open a combined total of 300 concurrent sessions. Note: When the High Performance Threshold set for a parent group is reached by the total combined logins of the parent group and its subgroups, the high performance authentication shortcut routine is suspended for members of the parent group. |
| Unbound PoP Policy | Whether to permit or deny dial-in user access if the group member is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section. |
Step 6 Edit the Member-Specific group settings.
Member-Specific settings are global DSM settings that restrict the concurrent sessions allowed to each member of a group.
| Member-Specific Setting | Description |
|---|---|
| Max Sessions | The maximum number of concurrent sessions to allot to any one user within the current CiscoSecure group. You can use this setting to ensure against any one user using a disproportionate number of sessions that have been allotted to the entire group. |
| DSM Authority Name | The name of the Distributed Session Manager that has authority over this user. In most cases, the DSM Authority Name for Group and its Members is the same. Note: If the DSM Authority assigned to this field is subsequently deleted from the Distributed Session Manager Authorities page, it will still be listed in this field but marked as "invalid" until a valid DSM Authority is assigned to this field. |
| High Performance Threshold (%) | The point at which full completion of a max sessions check is required before each individual member of the current group can open additional sessions. High performance login throughput is enabled by a shortcut routine that allows a user of the current group to open a session even before that user's max sessions check is fully completed; however, if the percentage of sessions already opened for a user in relation to the sessions allowed goes above the percentage specified in this field, the shortcut routine is suspended and full max sessions checking is required before that user can open a new session. For example, if the member max sessions setting for the current group is 4 and the high performance threshold is set to 75%, then the high performance shortcut routine is suspended for a user in this group after that user opens 3 concurrent sessions. |
| Unbound PoP Policy | Whether to permit or deny dial-in user access if the group member is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section. |
A CiscoSecure virtual private dial-up network (VPDN) object is a CiscoSecure user profile specially configured as a VPDN name that members of that VPDN can attach to their personal login names when dialing in through a remote ISP-run NAS and have their login requests tunneled for authentication to their VPDN's home gateway NAS and ACS.
To edit VPDN DSM settings:
Step 1 Click the DSM>Counters menu option to display the Distributed Session Manager - View Counters page.
Step 2 Click the VPDNs button.
Step 3 Locate the VPDN object whose max sessions settings you want to edit. If necessary, click the Show More or Show All button.
Step 4 After locating the VPDN object, click the pencil icon to display the Distributed Session Manager Edit VPDN Settings window.
Step 5 Edit the settings.
| VPDN Setting | Description |
|---|---|
| Max Sessions | This is the maximum number of sessions to allot to this VPDN. If the number of concurrent sessions specified in this field is reached, CiscoSecure denies login sessions to other members of this VPDN. |
| DSM Authority Name | This is the name of the Distributed Session Manager that has authority over this VPDN. Note: If the DSM Authority assigned to this field is subsequently deleted from the Distributed Session Manager Authorities page, it will still be listed in this field but marked as "invalid" until a valid DSM Authority is assigned to this field. |
| High Performance Threshold (%) | The point at which full completion of a max sessions check is required before members of this VPDN can open additional sessions. VPDN high performance login throughput is enabled by a shortcut routine that allows the members of the current VPDN to open a session even before that VPDN's max sessions check is fully completed; however, if the percentage of sessions already opened in relation to the sessions allowed goes above the percentage specified in this field, the shortcut routine is suspended and full VPDN max sessions checking is required before any member of this VPDN can open new sessions. For example, if the max sessions setting for the current VPDN is 400 and the high performance threshold is set to 75%, then the high performance shortcut routine is suspended for this VPDN after its users open 300 concurrent sessions. |
| Unbound PoP Policy | Whether to permit or deny dial-in user access if the VPDN member is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section. |
The CiscoSecure DSM module allows you to organize your NASes into logical PoP groups and then restrict the number of sessions that can be opened for a specified CiscoSecure user, group, or VPDN through that PoP.
For example, you can group the NASes NAS_A, NAS_B, and NAS_C into one logical PoP, PoP_1, and then assign, or "bind," Group_a to this PoP. This restricts the total combined number of concurrent sessions that can be opened by members of this group through this PoP and also restricts, if you so choose, the members of Group_a to dialing in only through the NASes assigned to PoP_1. You can also apply these PoP-related restrictions to individual users and to members of a VPDN.
The DSM module of CiscoSecure ACS 2.3 for UNIX allows you to include one or more dial-in NASes in a PoP group.
Step 1 Click the DSM>PoPs menu option to display the PoPs page, then display the Distributed Session Manager Edit PoP Definition page as follows:
Step 2 Use the Distributed Session Manager Edit PoP Definition page as follows:
Caution: When using the Free-Form NASes field, you must observe several important precautions. See the "Adding Unlisted TACACS+ NASes to a PoP Definition" section for instructions and precautions to observe when using the Free-Form NASes field.
If a TACACS+ NAS has not been added as a client to this ACS configuration through the AAA>NAS option in the CiscoSecure ACS 2.3 Administrator web pages, it will not be listed in any PoP's "Available NASes" or "NASes in PoP" lists.
However, you can still use the "Free-Form NASes" field to add an unlisted TACACS+ NAS to a PoP definition:
Step 1 Click the DSM>PoPs menu option to display the PoPs page, then display the Distributed Session Manager Edit PoP Definition page as follows:
Step 2 In the Distributed Session Manager PoP Definition page, enter the FQDN or the IP address of the NAS that you want to add in the Free-Form NASes field, but observe the following important precautions:
Step 3 Click the Add Unlisted NAS button.
The specified NAS will appear in brackets in the "NASes in PoP" list.
If the IP address or name of an existing NAS is not listed, it might already be assigned to another PoP group. A NAS can only be allocated to one PoP group at a time. To deallocate a NAS from another PoP grouping and make it available to the current PoP grouping, carry out the following steps:
Step 1 In the Distributed Session Manager PoP Definition page, click Deallocate NAS to display a list labeled "NASes in other PoPs."
Step 2 Locate and select the NAS name or IP address.
Step 3 Click the Make Available button.
The IP address or name of the selected NAS will now appear available for selection in the Available NASes list.
To delete an existing PoP grouping of NASes, do the following:
Step 1 Using the CiscoSecure ACS 2.3 Administrator web page, select DSM>PoPs.
Step 2 Click the minus sign for the PoP that you want to delete.
You can restrict the number of logins which your individual users, group members, or VPDN members can carry out through specific NAS groups, or PoPs, defined by CiscoSecure.
Step 1 Click the DSM>Counters menu option, click Users, Groups, or VPDNs, then click the user, group, or VPDN whose log in you want to restrict by PoP group.
Step 2 Click the appropriate PoP Bindings button: either the Group-PoP Bindings button or the Member-PoP Bindings button.
Step 3 From the PoP List field, select the PoP group that you want bound to the current user, group, or VPDN and click Add PoP Counter.
Step 4 Set the PoP settings for the current user, group, group member, or VPDN. The settings include:
| PoP Setting | Description |
|---|---|
| Max Sessions | The maximum number of concurrent sessions to allow the current user, group, group membership, or VPDN group to run through the specified PoP group. |
| DSM Authority Name | The name of the Distributed Session Manager that has authority over this user, group, group membership or VPDN PoP binding. In most cases, the DSM Authority Name for a Group and its Members is the same. Note: If the DSM Authority assigned to this field is subsequently deleted from the Distributed Session Manager Authorities page, it will still be listed in this field but marked as "invalid" until a valid Distributed Session Manager Authority is assigned to this field. |
| High Performance Threshold (%) | The percentage of the maximum allowable sessions (allotted to a user, group, group membership, or VPDN group) at which the High Performance shortcut is abandoned and completion of a full max sessions check is required before the current user, group, group membership, or VPDN group can open additional sessions through the specified PoP group. For details on how this setting applies to the current counter object, check the description of the High Performance Threshold (%) setting for that particular object. |
Step 5 Click the pencil icon for the current user, group, or VPDN and make sure that its Unbound PoP Policy field is set to Deny.
Whatever the specified values for a subgroup's group max sessions settings might be, the effective number of concurrent allowable sessions in the subgroup is constrained by the group max sessions value of the parent groups above it.
A parent group's group max sessions value sets an effective limit on the combined total number of concurrent sessions that can be opened for the parent group and its subgroups.
Once the combined total of concurrent sessions opened for the parent group and its subgroups reaches the parent group's group max sessions value, no additional sessions are allowed for the parent group or any of its subgroups, even if individual subgroups have not yet reached their individual group max sessions settings limits.
The following example illustrates how a parent group's group max sessions setting applies effective controls to the sessions allowed its subgroups:
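The parent-group rule above, together with the High Performance Threshold arithmetic from the settings tables, modelled in Python as an added illustration. It is not Cisco's example or DSM code; the `Counter` class, the group names and the limits are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Counter:
    """Hypothetical model of one DSM counter object (a group or subgroup)."""
    name: str
    max_sessions: int
    threshold_pct: int = 100
    parent: Optional["Counter"] = None
    current: int = 0  # sessions open in this group and all of its subgroups

    def chain(self) -> List["Counter"]:
        """This counter followed by every parent group above it."""
        out, node = [], self
        while node is not None:
            out.append(node)
            node = node.parent
        return out

    def shortcut_active(self) -> bool:
        """True while the high performance shortcut still applies.

        The boundary follows the page's worked numbers: with max sessions 4
        and a 75% threshold, the shortcut is suspended once 3 are open.
        """
        return self.current * 100 < self.max_sessions * self.threshold_pct

    def try_open(self) -> dict:
        """Attempt one login through this group and return the decision."""
        chain = self.chain()
        # Counters on the path that now require a full max sessions check.
        full_check = [c.name for c in chain if not c.shortcut_active()]
        # The first counter on the path with no sessions left denies the login.
        for c in chain:
            if c.current >= c.max_sessions:
                return {"admitted": False, "blocked_by": c.name,
                        "full_check": full_check}
        for c in chain:
            c.current += 1
        return {"admitted": True, "blocked_by": None, "full_check": full_check}

    def close(self) -> None:
        """End one session that was opened through this group."""
        for c in self.chain():
            c.current = max(0, c.current - 1)


def run_scenario() -> dict:
    """Constructed case: the subgroup limits (8 + 8) exceed the parent's 10."""
    parent = Counter("Group_a", max_sessions=10, threshold_pct=75)
    sub_1 = Counter("Sub_1", max_sessions=8, threshold_pct=75, parent=parent)
    sub_2 = Counter("Sub_2", max_sessions=8, threshold_pct=75, parent=parent)

    first_six = [sub_1.try_open() for _ in range(6)]
    next_four = [sub_2.try_open() for _ in range(4)]
    # Sub_2 holds only 4 of its 8 sessions, but the parent is now full.
    denied = sub_2.try_open()
    # Closing one Sub_1 session frees capacity for the whole tree.
    sub_1.close()
    after_close = sub_2.try_open()
    return {"first_six": first_six, "next_four": next_four, "denied": denied,
            "after_close": after_close,
            "counts": (parent.current, sub_1.current, sub_2.current)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

In the scenario the eleventh login is refused by Group_a even though Sub_2 is at half of its own limit, and the parent's shortcut is already suspended from its eighth open session onward.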
Normally DSM max sessions settings assigned to groups, subgroups, or individual group members follow the normal CiscoSecure rules and attribute inheritance:
However, you can use the Java-based CiscoSecure Administrator advanced configuration program to assign a group's "Member-Specific" DSM settings "Absolute" status. Absolute status enables the group's "Member-Specific" DSM settings to override most DSM settings assigned to an individual user in that group or any of its subgroups.
Step 1 After you have assigned a group or VPDN "Member-Specific" max sessions settings through the DSM option of the CiscoSecure ACS 2.3 Administrator web pages, click the Advanced tab and start the Java-based CiscoSecure Administrator advanced configuration program.
Step 2 On the Members tab, deselect the Browse button, select the group whose max sessions settings you want to assign an Absolute status, and click the profile icon.
Step 3 In the Profile pane, select the max sessions attribute to which you want to assign Absolute status and then in the Options menu, select that attribute's Absolute status check box.
| Group-Specific Group Attribute | Assigning this Attribute Absolute Status |
|---|---|
| DSM Authority Name | Overrides the conflicting DSM Authority Name setting of any subgroup to the current group. |
| High Performance Threshold | Overrides the conflicting High Performance Threshold setting of any subgroup to the current group. |
| Unbound PoP Policy | Overrides the conflicting Unbound PoP policy setting of any subgroup to the current group. |
| Member-Specific Group Attribute | Assigning this Attribute Absolute Status |
|---|---|
| Max Sessions | Overrides the conflicting max sessions setting of any individual member in that group. |
| DSM Authority Name | Overrides the conflicting DSM Authority Name setting of any individual member in that group. |
| High Performance Threshold | Overrides the conflicting High Performance Threshold setting of any individual member in that group. |
| Unbound PoP Policy | Overrides the conflicting Unbound PoP policy setting of any individual member in that group. |
You can display and reset statistics that have been compiled for your user, group, VPDN, PoP, and Authority Distributed Session Managers.
Distributed Session Manager statistics inform you of the concurrent sessions usage of users, groups, or VPDNs.
To display Distributed Session Manager statistics for users, groups, or VPDNs:
Step 1 Click the DSM>Counters menu option, click Users, Groups, or VPDNs, then click the user, group, or VPDN whose Distributed Session Manager statistics you want to display.
Step 2 Click the Counter Statistics button. The counter statistics include:
If your users, groups, or VPDNs are bound to one or more PoPs, PoP-related DSM statistics inform you of concurrent sessions usage by those users, groups or VPDNs through their assigned PoPs.
To display PoP-related DSM statistics for users, groups, or VPDNs that are bound to a PoP, do the following:
Step 1 Click the DSM>Counters menu option, click Users, Groups, or VPDNs, then click the user, group, or VPDN whose PoP-related Distributed Session Manager statistics you want to display.
Step 2 Click the Group-PoP Bindings, or the Member-PoP Bindings button to display the Distributed Session Manager Group-PoP Settings or Distributed Session Manager Member-PoP Settings page.
Step 3 Click the Counter Statistics button for the PoP whose statistics you want to view. The counter statistics include:
You can reset DSM statistics to 0 if you want to measure Distributed Session Manager statistics for a user, group, or VPDN over a specific period of time.
Step 1 Click the DSM>Counters menu option, click Users, Groups, or VPDNs, then click the user, group, or VPDN whose Distributed Session Manager statistics you want to reset.
This displays the Distributed Session Manager Group Settings or Distributed Session Manager Member Settings page.
Step 2 Click Counter Statistics to display the Distributed Session Manager statistics page.
Step 3 Click the Reset Group Statistics button.
All Distributed Session Manager statistics except the Current Value setting are reset to 0.
If the Distributed Session Manager Current Value count fails to decrement for a user, group, or VPDN, you can reset the Current Value of its distributed sessions count to zero to prevent the distributed sessions counter from refusing login attempts because of a false Current Value count.
Step 1 Click the DSM>Counters menu option, click Users, Groups, or VPDNs, then click the user, group, or VPDN whose session manager you want to reset.
Step 2 Click Counter Maintenance to display the Distributed Session Manager statistics page.
Step 3 Click the Reset to Zero button.
The Current Value setting is reset to "0."
In case of system-wide network disruption, it might be necessary to carry out a widespread reset of configured user, group, and VPDN counters in order to prevent massive user lockout. The full-featured DSM-based max sessions package provides a means to reset all users, groups, and VPDNs associated with a single DSM Authority.
Caution: A DSM Authority-wide reset of Distributed Session Managers should only be carried out in emergency situations. If numerous users and groups, potentially 100,000 or more, are assigned to a DSM Authority, resetting their counters could take hours and tie up the server's system resources, severely disrupting a production network.
Step 1 Click the DSM>Authorities menu option and click the DSM Authority whose assigned user, group, VPDN, and PoP counters you need to reset.
Step 2 Click the Zero All Counters button and click Yes to the warning and confirmation query "Are you sure?"
The sessions count for all users, groups, and VPDNs on all Distributed Session Managers associated with the current DSM Authority is set to "0."
If new user, group, or VPDN sessions are started during the reset process, their number will be reflected in the appropriate counters after the DSM Authority-wide reset is complete.
Displaying Distributed Session Manager Authority Statistics allows you to view and list the Distributed Session Manager rejection and oversubscription statistics for all CiscoSecure units (users, groups, and VPDNs) associated with a common DSM Authority.
Step 1 Click the DSM>Authorities menu option to display the existing Distributed Session Manager Authorities, then click the desired Authority.
Step 2 Click to view the desired statistics:
In either case, the record for each object includes the following information:
If you want to view or edit max sessions information for a specific user, group, VPDN or PoP group, you can use the DSM>View option to access that object's Distributed Session Manager information directly without having to browse through the View Groups, View VPDNs, or View Users pages.
This is especially useful if you manage a large profile database and the DSM View Groups, View VPDNs, or View Users pages could list thousands of profiles.
Step 1 Click the DSM>View menu option to display the View page.
Step 2 In the View page specify the type of object whose max sessions you want to manage: User, Group, Authority, or PoP.
Step 3 Enter the name of the Distributed Session Manager object you want to find and click Submit Query.
The Distributed Session Manager settings for the object you specified appear for your editing.
If the customer has installed the CiscoSecure ACS 2.3 for UNIX package that is not licensed for DSM support, some limited user and group level max sessions support is still available if the administrator has selected and enabled the non-Distributed AAA or non-Distributed DBServer option for the Max Sessions Enabled setting in the CiscoSecure Administrator AAA>General web page.
For details on enabling limited AAA server-based or DBServer-based max sessions control, see the "Enabling Max Sessions Control" section.
Without the optional CiscoSecure DSM module licensed or enabled, the system administrator can still use the Java-based CiscoSecure Administrator advanced configuration program to specify max sessions limitations per user and apply this limitation to a single user or to all users in a group; however, the following limitations also apply:
Even with limited-feature max sessions support, the system administrator can still configure individual CiscoSecure user max sessions settings:
Step 1 Make sure that the Max Sessions Enabled field in the CiscoSecure Administrator AAA>General web page is set to either non-Distributed AAA or non-Distributed DBServer.
Step 2 Start the Java-based CiscoSecure Administrator advanced configuration program.
Step 3 In the Members page, clear the Browse check box and select the group or user whose per member sessions you want to limit.
Step 4 In the Profile pane, click the profile icon, then in the Options menu, select Profile Attributes, and click Apply.
Step 5 Back in the Profile pane, click the Profile Attributes icon, then in the Options menu, select server max-sessions.
Step 6 In the Numeric value field, specify the maximum number of sessions to allow per user (for example, server max-sessions = 9) and click Apply.
Step 7 Click Submit to save the setting:
The ms_util tool provides a menu and prompt-driven method for the system administrator to manage a High-Performance, AAA server-based implementation of max sessions checking. Using ms_util, the administrator can browse max sessions information for current active sessions and delete active sessions records from the AAA server-based max sessions counter.
Before executing the delete operations, the system administrator can store the delete commands in an editable file of queued delete commands.
To view the max sessions counter records of active sessions, do as follows:
Step 1 Start the ms_util utility.
Go to the $BASEDIR/MaxSessions_utils directory and enter:
Step 2 In the Main menu, select 1 to view the current active sessions.
Step 3 In the View menu, enter the number for one of the following options:
| Number & Option | Description |
|---|---|
| 1 browse-users | Displays a numbered, alphanumerically ordered list of all active user sessions, by username (10 entries displayed per screen, numbered 0-9). In addition to username each record also includes: NAS, session number, session length, and start time. |
| 2 view-user | Displays all the active sessions of a specific user. Enter the name of the user whose sessions you want to view. |
| 3 browse-nas | Displays a numbered, alphanumerically ordered list of all NASes with active user sessions (maximum 10 entries per screen, numbered 0-9). |
| 4 view-nas | Displays all the active sessions of a specific NAS. |
| 5 refresh | Updates the current screen of information. |
Step 4 The max sessions counter active sessions records are displayed in a format similar to the following example:
--------------------------------------------------------------------
-Users with active sessions as of Wed Feb 11 10:20:00 1998-
User Nas Session Active Start
0) user100 nas1.com 110 00:11 Wed Feb 11 10:09:00 1998
1) user102 nas1.com 1011 01:15 Wed Feb 11 09:05:12 1998
--------------------------------------------------------------------
The preceding example indicates that user100 logged on to nas1.com at 10:09 a.m. and the session has been active for 11 minutes; user102 logged in at 9:05 a.m. and this session has been active for 1 hour and 15 minutes.
To delete the records of active sessions from the AAA server-based max sessions counter, follow these steps:
Step 1 Start the ms_util utility.
Go to the $BASEDIR/MaxSessions_utils directory and enter:
Step 2 In the Main menu, enter 2 to delete active sessions.
Step 3 In the Delete menu, enter the number for one of the following options:
| Number & Option | Description |
|---|---|
| 1 delete-user | Clears all records in the max sessions counter of current sessions associated with a specific user. |
| 2 clear-nas | Clears all records in the max sessions counter of current sessions associated with a specific NAS. |
| 3 clear-all | Clears all records of active sessions from the max sessions counter. The max sessions count of all users is set to zero. |
| 4 refresh | Updates the current screen of information. |
Step 4 After entering the options in Step 3, press Enter to place your Delete operation in the job request queue. You return to the Main menu.
Step 5 If you have other delete operations to carry out, repeat Steps 2, 3, and 4.
Step 6 After specifying all the Delete operations you want carried out, enter 6 in the Main menu to execute the Delete commands in your job queue.
You can add switches to the ./ms_util command-line string and carry out the delete operations described in "Deleting Active Sessions Records" in command-line mode.
If you want to carry out ms_util deletions in command-line mode, the syntax is:
./ms_util [-u user_id, nas_id, session_id] [-n nas_id] [-e]
The command-line switch options and parameters are explained in the following table.
| Switch | Description |
|---|---|
| -u | Deletes one specified record of an active session in the max sessions counter associated with a specific user. The -u switch is specified with the following parameters: ./ms_util -u user_id, nas_id, session_id Example: ./ms_util -u john,ciscoNAS,103 |
| -n | Deletes all records of active sessions in the max sessions counter associated with a specific NAS. The -n switch is specified with the following parameter: ./ms_util -n nas_id where nas_id is the name of the NAS whose active session records you want to delete from the max sessions counter. Example: To clear all sessions from NAS ciscoNAS, enter: ./ms_util -n ciscoNAS |
| -e | Deletes all records of active sessions from the max sessions counter. The max sessions count of all users is set to zero. Example: To clear the entire max sessions counter, enter: ./ms_util -e |
Multiple delete operations can be specified on a single ms_util command-line. For example, the following ms_util command-line will delete session 103 of user john from NAS ciscoNAS, session 104 of user joe from NAS nasTWO, and clear all sessions from NAS nasTHREE:
./ms_util -u john,ciscoNAS,103 -u joe,nasTWO,104 -n nasTHREE
This is more efficient than running ms_util 3 times to perform the 3 deletes.
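An added example (not part of the Cisco documentation or of ms_util itself): Python that parses an active-sessions listing in the format shown earlier and builds the single multi-switch ms_util command line described above for sessions that have been active longer than a limit. The listing is constructed, the helper names are hypothetical, and the allowed-character rule for user and NAS names is an assumption.

```python
import re
import shlex
from datetime import timedelta
from typing import Dict, List

# Constructed listing in the layout of the browse-users screen shown earlier.
SAMPLE = """\
--------------------------------------------------------------------
-Users with active sessions as of Wed Feb 11 10:20:00 1998-
User Nas Session Active Start
0) user100 nas1.com 110 00:11 Wed Feb 11 10:09:00 1998
1) user102 nas1.com 1011 01:15 Wed Feb 11 09:05:12 1998
2) user103 nas2.com 57 09:30 Wed Feb 11 00:50:03 1998
--------------------------------------------------------------------
"""

# Row layout: index) user nas session HH:MM start-time
ROW = re.compile(
    r"^\s*\d+\)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+):([0-5]\d)\s+(.+?)\s*$")

# Assumption: names use only these characters. The rule rejects commas (the
# -u field separator) and a leading "-" (which would read as another switch).
SAFE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]*$")


def parse_sessions(text: str) -> List[Dict]:
    """Return one record per session row; banner and rule lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        user, nas, session, hours, minutes, start = m.groups()
        sessions.append({
            "user": user, "nas": nas, "session": session,
            "active": timedelta(hours=int(hours), minutes=int(minutes)),
            "start": start,
        })
    return sessions


def older_than(sessions: List[Dict], limit: timedelta) -> List[Dict]:
    """Sessions whose Active column exceeds the limit."""
    return [s for s in sessions if s["active"] > limit]


def build_delete_argv(sessions: List[Dict]) -> List[str]:
    """Build one ms_util invocation with a -u switch per session.

    Returns [] when there is nothing to delete, so a caller never launches
    the interactive menu by accident.
    """
    if not sessions:
        return []
    argv = ["./ms_util"]
    for s in sessions:
        for field in ("user", "nas"):
            if not SAFE.match(s[field]):
                raise ValueError(f"unsafe {field} value: {s[field]!r}")
        if not (s["session"].isascii() and s["session"].isdigit()):
            raise ValueError(f"non-numeric session id: {s['session']!r}")
        argv += ["-u", f"{s['user']},{s['nas']},{s['session']}"]
    return argv


if __name__ == "__main__":
    stale = older_than(parse_sessions(SAMPLE), timedelta(hours=1))
    # Print for review; the command is not executed here.
    print(shlex.join(build_delete_argv(stale)))
```

The argument list is printed for review rather than run, so the administrator can compare it with the counter records before clearing anything.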