
Table Of Contents

Limiting and Tracking Sessions Per User, Group, or VPDN

Enabling Max Sessions Control

Group Max Sessions

Overview of DSM Operations

Summary of DSM Implementation Requirements

Establishing a DSM Authority

Creating or Editing a DSM Authority

Deleting a DSM Authority

Configuring DSM Settings

Browsing the DSM User, Group, or VPDN Counters

Browsing the DSM User, Group, or VPDN Counters by Group

Configuring DSM User Settings

Configuring DSM Group Settings

Configuring DSM VPDN Settings

Restricting Sessions by PoP Group

Creating or Editing a PoP Group

Deleting a PoP

Restricting User, Group, or VPDN Sessions by PoP Group

Applying Effective Parent Group Max Sessions Settings to Subgroups

Example of Parent Max Sessions Settings and Effective Subgroup Limits

Applying Group DSM Overrides

Displaying and Resetting DSM Statistics

Displaying DSM Statistics for Users, Groups, and VPDNs

Displaying PoP-Related DSM Statistics

Resetting DSM Statistics for a User, Group, or VPDN

Resetting the Distributed Sessions Counter for Users, Groups, or VPDNs

Resetting DSMs for a DSM Authority

Displaying DSM Authority Statistics

Quickly Finding and Viewing DSM Information for a Specific User, Group, VPDN, or PoP

Limited-Feature Max Sessions Support

Limitations of Non-DSM-based Max Sessions Management

Assigning a Limited-Feature Max Sessions Limit

Managing High-Performance Max Sessions Checking through ms_util


Limiting and Tracking Sessions Per User, Group, or VPDN


Max sessions settings enable the system or group administrator to limit the number of concurrent sessions that can be opened per user, group, or VPDN through the network or through a specific point-of-presence (PoP) grouping of NASes.

CiscoSecure ACS 2.3 for UNIX can support the optional DSM module if it is licensed and enabled; or it can provide its own limited-feature max sessions support.

If you installed the optional CiscoSecure DSM module (through the packages labeled CiscoSecure ACS for UNIX with Distributed Session Manager or CiscoSecure ACS Distributed Session Manager Option)—The DSM features enable the system administrator to limit the number of concurrent sessions that are available to a specific user, group, or VPDN. This module also gives the system administrator the ability to monitor and reset statistics associated with this sessions limitation.

Imposing a maximum sessions limitation per group, per user, or per VPDN enables the system administrator to ensure against one user or group of users from consuming a disproportionate amount of network connections. See the "Overview of DSM Operations" section for a summary of DSM capabilities.

If you installed the CiscoSecure package without the licensed DSM module—Limited CiscoSecure max sessions support still enables you to assign an individual user max sessions limit either to a single user or to every user in a group. You can enable one of two types of non-DSM max sessions control:

AAA server-based max sessions control for faster max sessions control routine.

DBServer-based max sessions control for more reliable max sessions control routine—One that maintains user open session counts even if the ACS is stopped and restarted.

See the "Limited-Feature Max Sessions Support" section for a description of non-DSM max sessions support.

If you have not yet enabled a specific type of max sessions control, use the CiscoSecure Administrator AAA>General web page to do so. See the "Enabling Max Sessions Control" section.

Enabling Max Sessions Control

After you have installed the CiscoSecure ACS, use the CiscoSecure Administrator AAA>General web page to enable the type of max sessions control to carry out.


Step 1 Locate the Max Sessions Enabled field in the CiscoSecure Administrator AAA>General web page and select the type of max sessions control that you want enabled for this ACS. The Max Sessions Enabled selections are:

None—Disables all maximum sessions controls. You can use this setting to temporarily disable all max sessions controls without having to undo max sessions settings in all your individual profiles.

Non-Distributed AAA—Enables limited-feature AAA server-based max sessions control, sacrificing max sessions checking persistence in favor of speed. In the event of a CiscoSecure shutdown, the max sessions counts for individual users are not preserved; when the CiscoSecure ACS is restarted, all max sessions counts restart at zero.

Non-Distributed DBServer (the default selection)—Enables limited-feature DBServer-based max sessions control. Ensures max sessions count reliability at the expense of max sessions checking speed.

This mode preserves the current max sessions count of your users in the event of a CiscoSecure shutdown by writing records of the session counts to the CiscoSecure profile database.

If you configure this type of max sessions checking, restarts of the CiscoSecure ACS might proceed slowly as the max sessions records of the sessions active at the time of shutdown are read out of the CiscoSecure profile database.

Distributed—Enables the full-featured DSM maximum session control. This selection enables the administrator to use the CiscoSecure Administrator DSM web pages to limit, track, and reset concurrent sessions on a per user, per group, per VPDN, or PoP specific basis.


Note The Distributed selection is valid only if you have licensed the DSM module on this ACS. AAA accounting packets must be enabled on the client NASes for this selection to take effect.


Step 2 Stop and restart the CiscoSecure ACS in order for your new max sessions control selection to take effect.

a. Log in as root on the SPARCstation where you installed CiscoSecure ACS. To stop the ACS, enter:

# /etc/rc0.d/K80CiscoSecure

b. To restart the CiscoSecure ACS, enter:

# /etc/rc2.d/S80CiscoSecure



Caution If accounting information is still being written when the /etc/rc0.d/K80CiscoSecure script is invoked to stop the ACS, the DBServer module of the ACS will not shut down until it finishes writing all accounting information to the RDBMS. This process might take as long as 10 minutes. Do not attempt to shut down the DBServer by other means during this process. Loss of accounting data might result.

Group Max Sessions

A group can have two kinds of members:

User profile

Group Profile (sub-group)

Consider the following cases:

1. A user member profile of a group has "max sessions" set.

2. A user member profile does not have "max sessions" set.

3. A group member's profile (subgroup) has "member-specific max sessions" set.

4. A group member's profile (subgroup) does not have "member-specific max sessions" set.

In cases 2 and 4, the value is taken from the "member-specific max sessions" parameter of the parent group. If the parent group does not have "member-specific max sessions" configured, the value is taken from the parent group's own parent. In other words, a group's "member-specific max sessions" setting is used only when the member carries no setting of its own: for a user profile, when "max sessions" is not set; for a subgroup, when "member-specific max sessions" is not set on that subgroup.
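As an added illustration (not CiscoSecure code), the following Python model encodes the four cases above together with the rule, described later under Configuring DSM Group Settings, that a parent group's Group Max Sessions is an absolute cap on the combined sessions of its subgroups. The class and function names, the use of None for "not set", and the sample hierarchy (corp, sales, alice, bob, carol) are assumptions made for this example.

```python
"""Model of max sessions inheritance and parent-group caps (added example, not CiscoSecure code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    group_max_sessions: Optional[int] = None   # Group-Specific cap; None means not set
    member_max_sessions: Optional[int] = None  # Member-Specific limit; None means not set


@dataclass
class User:
    name: str
    group: Group
    max_sessions: Optional[int] = None         # individual "max sessions"; None means not set


def ancestors(group: Group) -> List[Group]:
    """The group itself, then its parent, grandparent, ... up to the root."""
    chain: List[Group] = []
    while group is not None:
        chain.append(group)
        group = group.parent
    return chain


def effective_member_limit(group: Group) -> Optional[int]:
    """Cases 3 and 4: a group's member-specific limit, inherited upward while unset."""
    for g in ancestors(group):
        if g.member_max_sessions is not None:
            return g.member_max_sessions
    return None  # nothing configured anywhere in the chain: no per-member limit


def effective_user_limit(user: User) -> Optional[int]:
    """Cases 1 and 2: the user's own value wins; otherwise the group's member-specific value."""
    if user.max_sessions is not None:
        return user.max_sessions
    return effective_member_limit(user.group)


class SessionTable:
    """Open-session counts per user and per group (a group's count includes its subgroups)."""

    def __init__(self) -> None:
        self.per_user: Dict[str, int] = {}
        self.per_group: Dict[str, int] = {}

    def deny_reason(self, user: User) -> Optional[str]:
        limit = effective_user_limit(user)
        if limit is not None and self.per_user.get(user.name, 0) >= limit:
            return f"{user.name}: user limit {limit} reached"
        # Every ancestor's Group Max Sessions is an absolute cap on its subgroups.
        for g in ancestors(user.group):
            cap = g.group_max_sessions
            if cap is not None and self.per_group.get(g.name, 0) >= cap:
                return f"{user.name}: group {g.name} cap {cap} reached"
        return None

    def open(self, user: User) -> Optional[str]:
        """Admit a new session (returns None), or return the reason it was denied."""
        reason = self.deny_reason(user)
        if reason is None:
            self.per_user[user.name] = self.per_user.get(user.name, 0) + 1
            for g in ancestors(user.group):
                self.per_group[g.name] = self.per_group.get(g.name, 0) + 1
        return reason


def demo() -> Dict[str, object]:
    """Constructed sample hierarchy: corp (cap 5, member limit 2) > sales (cap 10)."""
    corp = Group("corp", group_max_sessions=5, member_max_sessions=2)
    sales = Group("sales", parent=corp, group_max_sessions=10)    # larger than corp's cap
    alice = User("alice", sales, max_sessions=3)                  # case 1: own setting
    bob = User("bob", sales)                                      # case 2: inherits 2 via corp
    carol = User("carol", sales, max_sessions=1)
    table = SessionTable()
    alice_admitted = [table.open(alice) for _ in range(4)].count(None)
    bob_admitted = [table.open(bob) for _ in range(3)].count(None)
    carol_denied = table.open(carol)   # corp is full: sales' cap of 10 cannot help
    return {
        "bob_limit": effective_user_limit(bob),
        "sales_member_limit": effective_member_limit(sales),
        "alice_admitted": alice_admitted,
        "bob_admitted": bob_admitted,
        "carol_denied": carol_denied,
        "corp_sessions": table.per_group["corp"],
        "sales_sessions": table.per_group["sales"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the sample run, alice is stopped by her own limit of 3, bob inherits the limit of 2 from corp because neither bob nor sales sets one, and carol is refused even though sales allows 10 sessions, because corp's cap of 5 has been reached by the sessions of its subgroup.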

Overview of DSM Operations


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


With the CiscoSecure DSM module installed and enabled, the CiscoSecure system Administrator can use the DSM menu option in the CiscoSecure ACS 2.3 Administrator web pages to carry out the following operations:

Make sure you have carried out all the steps necessary to install, enable, and support the CiscoSecure DSM module. See the "Summary of DSM Implementation Requirements" section.

In order to set max sessions limitations, the system administrator must first configure a DSM Authority. In CiscoSecure ACS 2.3 for UNIX, the DSM Authority is synonymous with the DSM. See the "Establishing a DSM Authority" section for details.

To display and browse the user, group, or VPDN objects whose DSM settings you want to configure or whose DSM statistics you want to view, use the DSM>Counters option in the CiscoSecure ACS 2.3 Administrator web pages. See the "Browsing the DSM User, Group, or VPDN Counters" section, or the "Browsing the DSM User, Group, or VPDN Counters by Group" section.

After configuring a DSM authority, the system administrator can assign this authority to enforce max sessions limitations and maintain statistics on existing CiscoSecure users, groups, or VPDNs. The administrator can assign unique max sessions limitations and related settings to each user, group, or VPDN. See the "Configuring DSM Settings" section for details.

The administrator can also assign one or more network NASes to max sessions PoP groups and assign max sessions limitations to users, groups, and VPDN groups that use those PoP groups. See the "Restricting Sessions by PoP Group" section for details.

The administrator must be aware of how Group-Specific group max sessions settings and Group-Specific High Profile Threshold settings applied to a parent group might impose effective limits on its subgroups. See the "Applying Effective Parent Group Max Sessions Settings to Subgroups" section for details.

The administrator can configure Member-Specific group max sessions settings to override the individual max sessions settings of any individual user in the group. See the "Applying Group DSM Overrides" section for details.

The administrator can display, and, if necessary, reset max sessions related statistics for each user, group, VPDN, PoP, and DSM Authority. See the "Displaying and Resetting DSM Statistics" section for details.

To quickly access DSM settings or statistics for a specific user, group, VPDN, or PoP in a large profile database, the administrator can use the DSM>View menu option. See the "Quickly Finding and Viewing DSM Information for a Specific User, Group, VPDN, or PoP" section for details.


Caution DSM-based sessions management cannot be implemented for members of VPDNs set up to use the Cisco IOS Release 11.3 dial-in number information service (DNIS) feature.

Summary of DSM Implementation Requirements

Before you attempt to configure DSM max sessions control, make sure that you have implemented the following CiscoSecure installation and post-installation requirements:

You need to have preinstalled Oracle Enterprise version 7.3.2, 7.3.3, 7.3.4 or 8.0.x or Sybase Enterprise version 11.0.2 or higher as the RDBMS for the CiscoSecure ACS profiles.

If you carried out a new CiscoSecure ACS installation, you need to have installed the CiscoSecure package labeled, CiscoSecure ACS 2.3 for UNIX Distributed Session Manager.

or

If you upgraded from a previous installation of CiscoSecure ACS, you need to have first upgraded to CiscoSecure ACS 2.3 for UNIX and then installed the package labeled CiscoSecure ACS Distributed Session Manager Option.

You need to have enabled the DSM module by locating the Max Sessions Enabled field on the CiscoSecure Administrator AAA>General web page, selecting the Distributed option, and restarting the CiscoSecure ACS as described in the "Enabling Max Sessions Control" section.

If your network is serviced by more than one CiscoSecure ACS installation, database replication must be configured and enabled between the CiscoSecure profile RDBMS sites.

Accounting packets must be enabled on the NAS clients. For details, see "CiscoSecure ACS Accounting."

If you have the CiscoSecure Distributed Session Manager (DSM) module licensed and enabled, avoid moving or deleting users from groups while those users are running active sessions. When a user who is still running active sessions is deleted or moved from a group, the number of active sessions belonging to that user is not decremented from that group's or any parent group's total active session count (as displayed in their Current Value field) until another user logs in to the same network access server (NAS) through the same port. When the new user logs in, the number of active sessions will be decremented for the user who was moved or deleted. Until the group's active session count is adjusted in this way, it will be higher than it actually is. Consequently, that group could be limited to fewer concurrent sessions than its Group Max Sessions setting actually allots it.

Establishing a DSM Authority

In the CiscoSecure ACS 2.3 for UNIX release, a DSM authority is synonymous with the DSM that you want to handle session management for a CiscoSecure group, user, or VPDN.

Creating or Editing a DSM Authority

Before you configure DSM settings for groups, users, or VPDNs, you will need to create a DSM authority. Then, when you set up DSM settings for your CiscoSecure groups, users, or VPDNs, you assign this or some other DSM authority to carry out those settings.


Step 1 Using the CiscoSecure ACS 2.3 Administrator web page, select DSM>Authorities.

Step 2 If you want to Edit an existing DSM Authority, click the pencil icon for that DSM Authority.

Step 3 If you want to create a new DSM Authority, click Add Distributed Session Manager Authority, and in the DSM Authority Name field, enter a name of your choosing and click Add.

Step 4 On the Distributed Session Manager Edit Authority page, select or enter the appropriate settings:

Server Enabled—Click to enable this DSM Authority as active and available for carrying out distributed sessions counting services.

IP Address—Enter the IP address for the SPARCstation where the DSM is installed.

TCP Port (DSM)—Assign an unused TCP/IP port number to be used by the DSM to communicate with other DSMs. The default port number is 9850. The range of valid port numbers is 1-65535.

TCP Port (GUI)—Assign an unused TCP/IP port number to be used by the DSM to communicate with the CiscoSecure ACS 2.3 Administrative web pages. The default port number is 9851. The range of valid port numbers is 1-65535.

Step 5 When you are finished with your settings, click Update to confirm the DSM server setting.


Deleting a DSM Authority

To delete an existing DSM Authority:


Step 1 Using the CiscoSecure ACS 2.3 Administrator web page, select DSM>Authorities to display the Distributed Session Manager Authorities page.

Step 2 Click the minus sign for the DSM Authority that you want to delete.



Configuring DSM Settings


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


When a DSM authority is established, you can configure max sessions settings to apply to every CiscoSecure user, group, or VPDN in the CiscoSecure profile database.

Browsing the DSM User, Group, or VPDN Counters


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


The DSM>Counters option allows you to browse for and select the user, group, and VPDN objects on the network whose DSM statistics you want to view or whose DSM settings you want to configure.


Step 1 Click the DSM>Counters menu option to display the Distributed Session Manager - View Counters page.

Step 2 Click the appropriate button:

To display and browse the DSM user counters, click the Users button.

To display and browse the DSM VPDN counters, click the VPDNs button.

To display and browse the DSM group counters, click the Groups button.

To display and browse all DSM counters (user, group, or VPDN) on a single page, click the All button.


Note If you click the All button, VPDN objects will be displayed only as user or group objects (however they were originally configured). They will not be listed separately or designated in any other way as VPDN objects.



Caution If a large number of user and group profiles exist, displaying them all on a single page might take a long time and the resulting HTML page might force an out-of-memory error in the browser. If the items you want to browse are group or user profiles, it might be better to use the DSM>View option to search for a specific group or user instead.

Step 3 Locate the user, group, or VPDN object whose DSM statistics or DSM settings you want to view or modify:

To view the DSM settings of a particular user, group, or VPDN object, click on the object name.

To view the DSM statistics of a particular user, group, or VPDN object, click on the object name and then click the Counter Statistics button.

To edit the DSM settings of a particular user, group, or VPDN object, click on the pencil icon next to that object.


Browsing the DSM User, Group, or VPDN Counters by Group


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


To avoid having to display and browse all the users, all the groups, or all the VPDNs on a network, you can use the DSM>Counters option to first select a group and then browse just the users, subgroups, or VPDNs belonging to that group.


Step 1 Click the DSM>Counters menu option to display the Distributed Session Manager - View Counters page.

Step 2 Click the Groups button.

Step 3 Locate and click the name of the group whose users, VPDNs, or subgroups you want to browse.

This displays the Distributed Session Manager - View Group Settings page for that group.

Step 4 Locate the View Members box on this page and click the appropriate button:

To display and browse the current group's DSM user counters, click the Users button.

To display and browse the current group's DSM VPDN counters, click the VPDNs button.

To display and browse the current group's DSM subgroup counters, click the Groups button.

To display and browse all DSM counters (user, group, or VPDN) for the current group on a single page, click the All button.


Note If you click the All button, VPDN objects will be displayed only as user or group objects (however they were originally configured). They will not be listed separately or designated in any other way as VPDN objects.



Caution If a large number of user and subgroup profiles exist for the current group, displaying them all on a single page might take a long time and the resulting HTML page might force an out-of-memory error in the browser. If the items you want to browse are group or user profiles, it might be better to use the DSM>View option to search for a specific group or user instead.

Step 5 Locate the user, group, or VPDN object whose DSM statistics or DSM settings you want to view or modify.

To view the DSM settings of a particular user, group, or VPDN object, click on the object name.

To view the DSM statistics of a particular user, group, or VPDN object, click on the object name and then click the Counter Statistics button.

To edit the DSM settings of a particular user, group, or VPDN object, click on the pencil icon next to that object.


Configuring DSM User Settings


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


The DSM Member Settings page enables you to restrict concurrent sessions for an individual user. To edit individual CiscoSecure user DSM settings:


Step 1 Click the DSM>Counters menu option to display the Distributed Session Manager - View Counters page.

Step 2 Click the Users button.

Step 3 Locate the user whose max sessions settings you want to edit. If necessary, click the Show More or Show All button.

Step 4 After locating the user, click the pencil icon to display the Distributed Session Manager Member Settings page.

Step 5 Edit the settings.

Table 7-1 User Settings

User Setting
Description

Max Sessions

The maximum number of concurrent sessions to allot to the current CiscoSecure user. You can use this setting to limit the number of concurrent sessions opened by the current user.

DSM Authority Name

The name of the DSM that has authority over the current user. In most cases, the DSM Authority Name for a CiscoSecure user is the DSM at the ACS.

Note If the DSM Authority assigned to this field is subsequently deleted from the Distributed Session Manager Authorities page, it will still be listed in this field but marked as "invalid" until a valid DSM Authority is assigned to this field.

High Performance Threshold (%)

The point at which full completion of a max sessions check is required before the current user can open additional sessions.

High performance login throughput is enabled by a shortcut routine that allows the current user to open a session even before that user's max sessions check is fully completed at the DSM; however, once the sessions already opened reach the percentage of the allowed sessions specified in this field, the shortcut routine is suspended and full max sessions checking is required before the user can open a new session.

For example, if the max sessions setting for the current user is 4 and the high performance threshold is set to 75% then the high performance shortcut routine is suspended for this user after this user opens three concurrent sessions.1

Unbound PoP Policy

Unbound PoP Policy—Whether to permit or deny dial-in user access if the user is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section.

1 A high High Performance Threshold setting (for example 99%) improves authentication performance. A low setting (for example 5%) decreases the chance of a user exceeding the max sessions limit, but slows down authentication performance.
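The following added Python model (not CiscoSecure code) shows why the footnote says a high threshold speeds authentication while a low one reduces the chance of exceeding the limit. It assumes that a session admitted on the shortcut path is not reflected in the DSM's count until a fixed number of later requests (lag) have arrived, and that a full check waits for every in-flight update; it treats the threshold as at-or-above, which is what the 4-sessions/75% example above implies. The functions full_check_required and simulate_burst and the lag model are constructs of this example.

```python
"""Model of the High Performance Threshold trade-off (added example, not CiscoSecure code)."""
from typing import Dict, List


def full_check_required(open_sessions: int, max_sessions: int, threshold_pct: int) -> bool:
    """True once open sessions reach threshold_pct of max_sessions.

    At-or-above matches the page's example: max 4 at 75% suspends the shortcut
    after the third session (3/4 = 75%). Integer arithmetic avoids float rounding
    at exact percentages.
    """
    return open_sessions * 100 >= threshold_pct * max_sessions


def simulate_burst(n_requests: int, max_sessions: int, threshold_pct: int, lag: int) -> Dict[str, int]:
    """Replay a burst of login requests for one user against a lagging DSM counter.

    Assumed model: a shortcut admission is not visible to the DSM count until
    `lag` further requests have arrived; a full check waits for all in-flight
    updates and decides on the true count.
    """
    confirmed = 0              # sessions the DSM has fully counted
    pending: List[int] = []    # request numbers admitted on the shortcut, not yet counted
    admitted = 0
    fast_path = 0
    for req in range(1, n_requests + 1):
        # Shortcut admissions become visible to the counter `lag` requests later.
        while pending and pending[0] <= req - lag:
            pending.pop(0)
            confirmed += 1
        if full_check_required(confirmed, max_sessions, threshold_pct):
            confirmed += len(pending)      # wait for every in-flight update
            pending.clear()
            if confirmed >= max_sessions:
                continue                   # denied: limit reached
            confirmed += 1                 # admitted after the full check
        else:
            pending.append(req)            # admitted before the check completes
            fast_path += 1
        admitted += 1
    return {
        "admitted": admitted,
        "fast_path": fast_path,
        "overshoot": max(0, admitted - max_sessions),
    }


if __name__ == "__main__":
    for pct in (5, 75, 99):
        print(pct, simulate_burst(10, max_sessions=4, threshold_pct=pct, lag=2))
```

With max sessions 4 and a lag of 2, a burst of 10 requests admits exactly 4 at 75% (all four on the shortcut), 5 at 99% (one over the limit, because the shortcut keeps admitting while the counter catches up), and 4 at 5% with only two shortcut admissions before every login pays for a full check.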



Note If DSM settings assigned to an individual user conflict with "Member-Specific" DSM settings assigned to that user's group, the individual user DSM settings will apply to that user; however, you can use the Java-based CiscoSecure Administrator advanced configuration program to assign Member-specific group DSM settings "Absolute" status, which overrides the DSM settings assigned to any individual user in that group. See, the "Applying Group DSM Overrides" section.


Configuring DSM Group Settings


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


The DSM Edit Group Settings page enables you to limit the total combined concurrent sessions to allow a group and to limit the concurrent sessions to allow to each member of that group. To edit the Group DSM settings:


Step 1 Click the DSM>Counters menu option to display the Distributed Session Manager - View Counters page.

Step 2 Click the Groups button.

Step 3 Locate the group whose DSM settings you want to edit. If necessary, click the Show More or Show All button.

Step 4 After locating the group, click the pencil icon to display the Distributed Session Manager Edit Group Settings window.

Step 5 Edit the Group-Specific settings.

Group-Specific settings restrict the total combined sessions allowed to the members and subgroups of a CiscoSecure group as a whole. They include:

Table 7-2 Group-Specific Settings

Group-Specific Setting
Description

Group Max Sessions

This is the maximum number of total combined sessions to allot to this group of users and users in any of its subgroups. If the total number of concurrent sessions opened by users in this group and of any of its subgroups reaches the number specified in this field, CiscoSecure denies additional login sessions to members of this group or any of its subgroups.

Note The group max sessions setting for a parent group sets an absolute maximum limit on the sessions opened by any of its subgroups. Even if the combined group max sessions settings for its subgroups exceed the max sessions setting of the parent group, the total combined concurrent sessions allowed for the parent group and its subgroups cannot exceed the group max sessions setting specified for the parent. See the "Applying Effective Parent Group Max Sessions Settings to Subgroups" section for details.

DSM Authority Name

This is the name of the DSM that has authority over this group.

Note If the DSM Authority assigned to this field is subsequently deleted from the Distributed Session Manager Authorities page, it will still be listed in this field but marked as "invalid" until a valid DSM Authority is assigned to this field.

High Performance Threshold (%)

The point at which full completion of a max sessions check is required before members of this group can open additional sessions.

Group high performance login throughput is enabled by a shortcut routine that allows the members of the current group to open a session even before that group's max sessions check is fully completed; however, once the sessions already opened reach the percentage of the allowed sessions specified in this field, the shortcut routine is suspended and full group max sessions checking is required before any member of this group can open new sessions.

For example, if the group max sessions setting for the current group is 400 and the high performance threshold is set to 75% then the high performance shortcut routine is suspended for this group after its users and users in any of its subgroups open a combined total of 300 concurrent sessions.1

Note When the High Performance Threshold set for a parent group is reached by the total combined logins of the parent group and its subgroups, the high performance authentication shortcut routine is suspended for members of the parent group.

Unbound PoP Policy

Whether to permit or deny dial-in user access if the group member is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section.

1 A high High Performance Threshold setting (for example 99%) improves authentication performance. A low setting (for example 5%) decreases the chance of a group exceeding the max sessions limit, but slows down authentication performance.


Step 6 Edit the Member-Specific group settings. Member-Specific settings are global DSM settings that restrict the concurrent sessions allowed each member of a group.


Table 7-3 Member-Specific Settings

Member-Specific Setting
Description

Max Sessions

The maximum number of concurrent sessions to allot to any one user within the current CiscoSecure group. You can use this setting to ensure against any one user using a disproportionate number of sessions that have been allotted to the entire group.

DSM Authority Name

The name of the DSM that has authority over this user. In most cases, the DSM Authority Name for Group and its Members is the same.

Note If the DSM Authority assigned to this field is subsequently deleted from the Distributed Session Manager Authorities page, it will still be listed in this field but marked as "invalid" until a valid DSM Authority is assigned to this field.

High Performance Threshold (%)

The point at which full completion of a max sessions check is required before each individual member of the current group can open additional sessions.

High performance login throughput is enabled by a shortcut routine that allows a user of the current group to open a session even before that user's max sessions check is fully completed; however, once the sessions already opened for a user reach the percentage of the allowed sessions specified in this field, the shortcut routine is suspended and full max sessions checking is required before that user can open a new session.

For example, if the member max sessions setting for the current group is 4 and the high performance threshold is set to 75% then the high performance shortcut routine is suspended for a user in this group after that user opens 3 concurrent sessions.1

Unbound PoP Policy

Whether to permit or deny dial-in user access if the group member is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section.

1 A high High Performance Threshold setting (for example 99%) improves authentication performance. A low setting (for example 5%) decreases the chance of a group member exceeding the member-specific max sessions limit, but slows down authentication performance.



Note If DSM settings assigned to an individual user conflict with "Member-Specific" DSM settings assigned to that user's group, the individual user DSM settings will apply to that user; however, you can use the Java-based CiscoSecure Administrator advanced configuration program to assign Member-specific group DSM settings "Absolute" status, which overrides the DSM settings assigned to any individual user in that group. See the "Applying Group DSM Overrides" section.


Configuring DSM VPDN Settings


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


A CiscoSecure virtual private dial-up network (VPDN) object is a CiscoSecure user profile specially configured as a VPDN name that members of that VPDN can attach to their personal login names when dialing in through a remote ISP-run NAS and have their login requests tunneled for authentication to their VPDN's home gateway NAS and ACS.


Note For details on setting up VPDN connections see the "TACACS+—VPDN Example" section and the "RADIUS—VPDN Example" section in "Limiting and Tracking Sessions Per User, Group, or VPDN."


To edit VPDN DSM settings:


Step 1 Click the DSM>Counters menu option to display the Distributed Session Manager - View Counters page.

Step 2 Click the VPDNs button.

Step 3 Locate the VPDN object whose max sessions settings you want to edit. If necessary, click the Show More or Show All button.

Step 4 After locating the VPDN object, click the pencil icon to display the Distributed Session Manager Edit VPDN Settings window.

Step 5 Edit the settings.

Table 7-4 VPDN Settings

VPDN Setting
Description

Max Sessions

This is the maximum number of sessions to allot to this VPDN. If the number of concurrent sessions specified in this field is reached, CiscoSecure denies login sessions to other members of this VPDN.

DSM Authority Name

This is the name of the DSM that has authority over this VPDN.

Note If the DSM Authority assigned to this field is subsequently deleted from the Distributed Session Manager Authorities page, it will still be listed in this field but marked as "invalid" until a valid DSM Authority is assigned to this field.

High Performance Threshold (%)

The point at which full completion of a max sessions check is required before members of this VPDN can open additional sessions.

VPDN high performance login throughput is enabled by a shortcut routine that allows the members of the current VPDN to open a session even before that VPDN's max sessions check is fully completed; however, once the sessions already opened reach the percentage of the allowed sessions specified in this field, the shortcut routine is suspended and full VPDN max sessions checking is required before any member of this VPDN can open new sessions.

For example, if the max sessions setting for the current VPDN is 400 and the high performance threshold is set to 75% then the high performance shortcut routine is suspended for this VPDN after its users open 300 concurrent sessions.1

Unbound PoP Policy

Whether to permit or deny dial-in user access if the VPDN member is logging in through an unbound PoP group. For details on PoP binding see the "Restricting Sessions by PoP Group" section.

1 A high High Performance Threshold setting (for example 99%) improves authentication performance. A low setting (for example 5%) decreases the chance of VPDN members exceeding the max sessions limit, but slows down authentication performance.


Restricting Sessions by PoP Group


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


The CiscoSecure DSM module allows you to organize your NASes into logical PoP groups and then restrict the number of sessions that can be opened for a specified CiscoSecure user, group, or VPDN through that PoP.

For example, you can group the NASes NAS_A, NAS_B, and NAS_C into one logical PoP, PoP_1, and then assign, or "bind," Group_a to this PoP. This restricts the total combined number of concurrent sessions that members of the group can open through this PoP and, if you so choose, also restricts the members of Group_a to dialing in only through the NASes assigned to PoP_1. You can apply these PoP-related restrictions to individual users and to members of a VPDN as well.

Creating or Editing a PoP Group


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


The DSM module of CiscoSecure ACS 2.3 for UNIX allows you to include one or more dial-in NASes in a PoP group.


Step 1 Click the DSM>PoPs menu option to display the PoPs page, then display the Distributed Session Manager Edit PoP Definition page as follows:

If you want to edit an existing PoP group, locate the listing for that PoP, and click the pencil icon to the right of it.

If you want to create a new PoP group, click the Add PoP button, enter a name of your choosing in the PoP Name field, and click Add.

Step 2 Use the Distributed Session Manager Edit PoP Definition page as follows:

To add TACACS+ or RADIUS NASes to the PoP group, select the IP address or name of a NAS that you want to include in this group from the "Available NASes" list and click the <- button. The selected NASes will appear in the "NASes in PoP" list.

To select multiple NASes, hold down the Ctrl key while making your selections; then click the <- button.


Note TACACS+ NASes that are removed from the ACS configuration through the AAA>NAS option in CiscoSecure ACS 2.3 Administrator web pages, or RADIUS NASes that are removed from the ACS configuration through the NASes tab in the Java-based CiscoSecure Administrator advanced configuration program will remain listed in the "NASes in PoP" list but in brackets until removed through the -> button.


To remove a NAS from the PoP group, select the IP address or name of the NAS you want to remove from the "NASes in PoP" list and click the -> button. The selected NAS will appear in the "Available NASes" list.

If you want to add to the PoP a TACACS+ NAS that has not been added to this ACS configuration through the AAA>NAS option in the CiscoSecure ACS 2.3 Administrator web pages and is thus unlisted in the "Available NASes" or any "NASes in PoP" list, use the Free-Form NASes field.



Caution When using the Free-Form NASes field, you must observe several important precautions. See the "Adding Unlisted TACACS+ NASes to a PoP Definition" section for instructions and precautions to observe when using the Free-Form NASes field.

Adding Unlisted TACACS+ NASes to a PoP Definition


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


If a TACACS+ NAS has not been added as a client to this ACS configuration through the AAA>NAS option in the CiscoSecure ACS 2.3 Administrator web pages, it will not be listed in any PoP's "Available NASes" or "NASes in PoP" lists.

However, you can still use the "Free-Form NASes" field to add an unlisted TACACS+ NAS to a PoP definition:


Step 1 Click the DSM>PoPs menu option to display the PoPs page, then display the Distributed Session Manager Edit PoP Definition page as follows:

If you want to edit an existing PoP group, locate the listing for that PoP, and click the pencil icon to the right of it.

If you want to create a new PoP group, click the Add PoP button, enter a name of your choosing in the PoP Name field, and click Add.

Step 2 In the Distributed Session Manager PoP Definition page, enter the FQDN or the IP address of the NAS that you want to add in the Free-Form NASes field, but observe the following important precautions:

In order to avoid corrupting DSM-related record keeping, make absolutely sure that your entry in the Free-Form NASes field does not specify the IP address or FQDN of a NAS already assigned to another PoP.

When you enter TACACS+ NAS FQDNs and IP addresses in the Free-Form NASes field, UNIX regular expression rules apply.

Because UNIX regular expression rules apply in the Free-Form NASes field for TACACS+ NASes, be careful not to enter any string that specifies NAS addresses that you do not intend to include in the current PoP group.

For example, because in regular expression syntax a period matches any single character rather than a literal period, the entry "10.6.8.21" specifies not only the NAS at IP address 10.6.8.21, but possibly also NASes at other addresses.

If you prefer to disable UNIX regular expression syntax in the Free-Form NASes field, enclose your entry with the ^ and $ characters. For example:

^10.6.8.21$

This will cause the CiscoSecure ACS to interpret the entry literally.

Step 3 Click the Add Unlisted NAS button.

The specified NAS will appear in brackets in the "NASes in PoP" list.
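The following Python script is an added illustration of the precautions above, not code from the Cisco documentation or the product. It applies the three forms of a Free-Form NASes entry (plain, anchored with ^ and $, and anchored with the periods backslash-escaped) to a constructed inventory of NASes already assigned to other PoPs, using Python's re module as a stand-in for UNIX regular-expression search semantics. It goes one step beyond the text by showing that anchoring stops substring matches but still leaves each period matching any character; whether the field accepts backslash escapes is an assumption, as is the inventory.

```python
import re

# Constructed sample inventory of NASes already assigned to PoPs. These addresses
# are made up for this illustration; they are not from any ACS configuration.
POP_INVENTORY = {
    "PoP_1": ["10.6.8.22", "nas-a.example.net"],
    "PoP_2": ["10.6.8.210", "10.6.8.23"],
    "PoP_3": ["10x6x8x21"],   # shaped to show that an unescaped period matches any character
}


def matching_nases(entry, inventory=POP_INVENTORY):
    """Return {pop_name: [nas, ...]} for every already-assigned NAS that the
    free-form entry would match.

    Assumption: the field behaves like a UNIX regular-expression search, so the
    pattern may match anywhere inside an address unless it is anchored.
    """
    pattern = re.compile(entry)
    hits = {}
    for pop, nases in inventory.items():
        matched = [nas for nas in nases if pattern.search(nas)]
        if matched:
            hits[pop] = matched
    return hits


def anchored_entry(address):
    """The form recommended in the documentation: ^ and $ stop substring matches
    (10.6.8.210 no longer matches) but each period still matches any character."""
    return "^" + address + "$"


def literal_entry(address):
    """Anchor and backslash-escape the periods so that only the exact address matches.
    Whether the Free-Form NASes field accepts backslash escapes is an assumption."""
    return "^" + re.escape(address) + "$"


def safe_to_add(entry, inventory=POP_INVENTORY):
    """True when the entry matches no NAS already assigned to a PoP, which is the
    precondition the documentation sets for avoiding corrupted DSM record keeping."""
    return not matching_nases(entry, inventory)


if __name__ == "__main__":
    new_nas = "10.6.8.21"   # the unlisted TACACS+ NAS being added to a PoP
    for form in (new_nas, anchored_entry(new_nas), literal_entry(new_nas)):
        print(f"{form:<22} matches {matching_nases(form)}  safe={safe_to_add(form)}")
```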


Deallocating a NAS from another PoP


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


If the IP address or name of an existing NAS is not listed, it might already be assigned to another PoP group. A NAS can only be allocated to one PoP group at a time. To deallocate a NAS from another PoP grouping and make it available to the current PoP grouping, carry out the following steps:


Step 1 In the Distributed Session Manager PoP Definition page, click Deallocate NAS to display a list labeled "NASes in other PoPs."

Step 2 Locate and select the NAS name or IP address.


Note NASes that were added to the PoP through the Free-Form NASes field will not show up in the "NASes in other PoPs" list.


Step 3 Click Make Available. The IP address or name of the selected NAS now appears as available for selection in the Available NASes list.


Deleting a PoP


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


To delete an existing PoP grouping of NASes, do the following:


Step 1 Using the CiscoSecure ACS 2.3 Administrator web page, select DSM>PoPs.

Step 2 Click the minus sign for the PoP that you want to delete.



Note If the deleted PoP has been bound to users, groups, or VPDNs, the deleted PoP listing will remain on the user's, group's, or VPDN's View Group-PoP Settings or View Member-PoP Settings page, but it will be marked with a grayed background and shown without the Counter Statistics and Counter Maintenance buttons.


Restricting User, Group, or VPDN Sessions by PoP Group


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


You can restrict the number of logins which your individual users, group members, or VPDN members can carry out through specific NAS groups, or PoPs, defined by CiscoSecure.


Step 1 Click the DSM>Counters menu option, click Users, Groups, or VPDNs, then click the user, group, or VPDN whose logins you want to restrict by PoP group.

Step 2 Click the appropriate PoP Bindings button: either the Group-PoP Bindings button or the Member-PoP Bindings button.

Step 3 From the PoP List field, select the PoP group that you want bound to the current user, group, or VPDN and click Add PoP Counter.

Step 4 Set the PoP settings for the current user, group, group member, or VPDN. The settings include:

Table 7-5 PoP Settings

PoP Setting
Description

Max Sessions

The maximum number of concurrent sessions to allow the current user, group, group membership, or VPDN group to run through the specified PoP group.

DSM Authority Name

The name of the DSM that has authority over this user, group, group membership, or VPDN PoP binding. In most cases, the DSM Authority Name for a Group and its Members is the same.

Note If the DSM Authority assigned to this field is subsequently deleted from the Distributed Session Manager Authorities page, it will still be listed in this field but marked as "invalid" until a valid Distributed Session Manager Authority is assigned to this field.

High Performance Threshold (%)

The percentage of the maximum allowable sessions (allotted to a user, group, group membership, or VPDN group) at which the High Performance shortcut is abandoned and completion of a full max sessions check is required before the current user, group, group membership, or VPDN group can open additional sessions through the specified PoP group.

For details on how this setting applies to the current counter object, check the description of the High Performance Threshold (%) setting for that particular object.


Step 5 Click the pencil icon for the current user, group, or VPDN and make sure that its Unbound PoP Policy field is set to Deny.

If the current user, group, or VPDN has its Unbound PoP Policy set to Deny, then user, group member, or VPDN member login will be restricted to the PoP groups that you just selected.


Note If no PoPs are bound to the current user, or members of the current group or VPDN, then all login attempts will be refused if the Unbound PoP policy is set to Deny.


If the Unbound PoP Policy field is set to Permit, then the current user, or members of the current group or VPDN can log in even through PoP groups to which they have not been specifically bound.


Note If they do log in through their bound PoPs, the user, group, or VPDN DSM settings for that bound PoP will be applied.



Applying Effective Parent Group Max Sessions Settings to Subgroups


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


Whatever the specified values for a subgroup's group max sessions settings might be, the effective number of concurrent allowable sessions in the subgroup is constrained by the group max sessions value of the parent groups above it.

A parent group's group max sessions value sets an effective limit on the combined total number of concurrent sessions that can be opened for the parent group and its subgroups.

Once the combined total of concurrent sessions opened for the parent group and its subgroups reaches the parent group's group max sessions value, no additional sessions are allowed for the parent group or any of its subgroups, even if individual subgroups have not yet reached their individual group max sessions settings limits.


Note The total combined concurrent sessions of a parent group and its subgroups also determines when the Group-Specific High Performance Threshold setting is applied to that parent group. For example, if a parent group has a group max sessions setting of 1000 and a Group-Specific High Performance Threshold setting of 75%, then a combination of 400 open sessions in the parent group and 350 open sessions in one of its subgroups (750 in total) would be enough to cause CiscoSecure ACS to suspend the High Performance login throughput routine for the parent group and apply full max sessions checking to every login request from members of the parent group before authentication. Logins from subgroup members, however, would be subject only to the Group-Specific High Performance setting specified for their particular subgroup.


Example of Parent Max Sessions Settings and Effective Subgroup Limits

The following example illustrates how a parent group's group max sessions setting applies effective controls to the sessions allowed its subgroups:

If we configure the following parent group and subgroups:

ParentGroupA with a group max sessions value of 1000

SubGroup1 with a group max sessions value of 800

SubGroup2 with a group max sessions value of 800 and a High Performance Threshold of 99%

And if users open 700 concurrent sessions in ParentGroupA, 50 concurrent sessions in SubGroup1, and 250 concurrent sessions in SubGroup2

Then no additional sessions will be allowed for the parent group or its subgroups because the 1000 group max sessions value specified for ParentGroupA and applied to the total combined concurrent sessions of ParentGroupA and its subgroups has been reached.
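The following Python model is an added illustration of the parent-group rules in this section and in the Note above; it is not code from the Cisco documentation or the DSM module. It walks a constructed group tree, measuring each group's max sessions value and High Performance Threshold against the combined sessions of that group and its subgroups. The default threshold of 100% and the subgroup max sessions value used in the Note scenario are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Group:
    name: str
    max_sessions: int
    hp_threshold: int = 100   # percent; constructed default meaning "suspend only at the limit"
    current: int = 0          # sessions opened directly under this group's own name
    parent: Optional["Group"] = None
    children: List["Group"] = field(default_factory=list)

    def add_child(self, child: "Group") -> "Group":
        child.parent = self
        self.children.append(child)
        return child

    def combined(self) -> int:
        """This group's sessions plus those of every subgroup beneath it; this is
        the figure a group's max sessions value and threshold are measured against."""
        return self.current + sum(child.combined() for child in self.children)


def limits_reached(group: Group) -> List[str]:
    """Names of the group itself and each parent above it whose combined total has
    reached its group max sessions value. A non-empty list means a new session for
    a member of `group` is refused, whatever the subgroup's own setting says."""
    blocked = []
    g: Optional[Group] = group
    while g is not None:
        if g.combined() >= g.max_sessions:
            blocked.append(g.name)
        g = g.parent
    return blocked


def full_check_required(group: Group) -> bool:
    """True when the High Performance shortcut is suspended for `group`: its combined
    total has reached hp_threshold percent of its max sessions value. Only the group's
    own threshold is consulted; subgroup members are not subject to the parent's."""
    return group.combined() * 100 >= group.max_sessions * group.hp_threshold


def section_example():
    """ParentGroupA (1000) with SubGroup1 (800) and SubGroup2 (800, 99%) carrying
    700, 50 and 250 concurrent sessions, as in the example above."""
    parent = Group("ParentGroupA", max_sessions=1000, current=700)
    sub1 = parent.add_child(Group("SubGroup1", max_sessions=800, current=50))
    sub2 = parent.add_child(Group("SubGroup2", max_sessions=800, hp_threshold=99, current=250))
    return parent, sub1, sub2


def note_example():
    """Parent with max 1000 and a 75% threshold holding 400 sessions, one subgroup
    holding 350, as in the Note above. The subgroup's max sessions value (800) is
    a constructed value the Note does not state."""
    parent = Group("ParentGroupA", max_sessions=1000, hp_threshold=75, current=400)
    sub = parent.add_child(Group("SubGroup1", max_sessions=800, current=350))
    return parent, sub


if __name__ == "__main__":
    parent, sub1, sub2 = section_example()
    for g in (parent, sub1, sub2):
        print(f"{g.name}: combined={g.combined()} refused_by={limits_reached(g)}")
    p, s = note_example()
    print(f"{p.name}: full check required={full_check_required(p)}; "
          f"{s.name}: full check required={full_check_required(s)}")
```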

Applying Group DSM Overrides


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


Normally, DSM max sessions settings assigned to groups, subgroups, or individual group members follow the normal CiscoSecure rules of attribute inheritance:

DSM Member-Specific settings assigned to a parent group apply as defaults to its members and the members of its subgroups unless individual settings are specifically assigned to those members.

DSM settings specifically assigned to a subgroup override any group max sessions settings assigned to its parent group.

DSM settings specifically assigned to an individual user override any Member-Specific group settings assigned to that user's group.

However, you can use the Java-based CiscoSecure Administrator advanced configuration program to assign a group's "Member-Specific" DSM settings "Absolute" status. Absolute status enables the group's "Member-Specific" DSM settings to override most DSM settings assigned to an individual user in that group or any of its subgroups.


Step 1 After you have assigned a group or VPDN "Member-Specific" max sessions settings through the DSM option of the CiscoSecure ACS 2.3 Administrator web pages, click the Advanced tab and start the Java-based CiscoSecure Administrator advanced configuration program.

Step 2 On the Members tab, deselect the Browse button, select the group whose max sessions settings you want to assign an Absolute status, and click the profile icon.

Step 3 In the Profile pane, select the max sessions attribute to which you want to assign Absolute status and then in the Options menu, select that attribute's Absolute status check box.

The possible "Group-Specific" group max sessions attributes to which you can assign valid Absolute status include:

Table 7-6 Group-Specific Group Attributes

Group-Specific Group Attribute
Assigning this Attribute Absolute Status

Server group-max-authority=

Overrides the conflicting DSM Authority Name setting of any subgroup to the current group.

Server group-max-hp-threshold=

Overrides the conflicting High Performance Threshold setting of any subgroup to the current group.

Server group-max-unbound-pop-policy=

Overrides the conflicting Unbound PoP policy setting of any subgroup to the current group.


The possible "Member-Specific" group max sessions attributes to which you can assign Absolute status include:

Table 7-7 Member-Specific Group Attribute

Member-Specific Group Attribute
Assigning this Attribute Absolute Status

Server max-sessions=

Overrides the conflicting max sessions setting of any individual member in that group.

Server max-authority=

Overrides the conflicting DSM Authority Name setting of any individual member in that group.

Server max-hp-threshold=

Overrides the conflicting High Performance Threshold setting of any individual member in that group.

Server max-unbound-pop-policy=

Overrides the conflicting Unbound PoP policy setting of any individual member in that group.


Displaying and Resetting DSM Statistics

You can display and reset statistics that have been compiled for your user, group, VPDN, PoP, and Authority DSMs.

Displaying DSM Statistics for Users, Groups, and VPDNs


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


DSM statistics inform you of concurrent sessions usage of users, groups or VPDNs.

To display DSM statistics for users, groups, or VPDNs:


Step 1 Click the DSM>Counters menu option, click Users, Groups, or VPDNs, then click the user, group, or VPDN whose DSM statistics you want to display.

Step 2 Click the Counter Statistics button. The counter statistics include:

Current Value—This is the current number of concurrent sessions being run under the name of the selected user, group, or VPDN.

Rejections—The total number of login rejections (due to max sessions limits) that have been recorded for the selected user, group, or VPDN since the last time the DSM statistics were reset, or the last time the DSM was restarted.

Oversubscriptions—The total number of sessions in excess of the max sessions limit that have been recorded for the selected user, group, or VPDN since the last time the DSM statistics were reset, or the last time the DSM was restarted.

Oversubscription, a situation where the total number of concurrent sessions exceeds the max sessions limit, can occur if the High Performance Threshold is set high and a burst of logins arrives in the brief period before the threshold is reached and full max sessions checking prior to authentication is triggered.

Largest Oversubscription—The largest number by which the max sessions limit was exceeded at the selected user, group, or VPDN since the last time the DSM statistics were reset, or the last time the DSM was restarted.

Largest Subscription—The largest number of concurrent sessions that have been opened at any one time for the selected user, group, or VPDN since the last time the DSM statistics were reset, or the last time the DSM was restarted.


Displaying PoP-Related DSM Statistics


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


If your users, groups, or VPDNs are bound to one or more PoPs, PoP-related DSM statistics inform you of concurrent sessions usage by those users, groups or VPDNs through their assigned PoPs.

To display PoP-related DSM statistics for users, groups, or VPDNs that are bound to a PoP:


Step 1 Click the DSM>Counters menu option, click Users, Groups, or VPDNs, then click the user, group, or VPDN whose PoP-related DSM statistics you want to display.

Step 2 Click the Group-PoP Bindings, or the Member-PoP Bindings button to display the Distributed Session Manager Group-PoP Settings or Distributed Session Manager Member-PoP Settings page.

Step 3 Click the Counter Statistics button for the PoP whose statistics you want to view. The counter statistics include:

Current Value—This is the current number of concurrent sessions being run under the name of the selected user, group, or VPDN through the current PoP.

Rejections—The total number of login rejections (due to max sessions limits) that have been recorded for the selected user, group, or VPDN through the assigned PoP since the last time the DSM statistics were reset, or the last time the DSM was restarted.

Oversubscriptions—The total number of sessions in excess of the max sessions limit that have been recorded for the selected user, group, or VPDN through the assigned PoP since the last time the DSM statistics were reset, or the last time the DSM was restarted.

Oversubscription, a situation where the total number of concurrent sessions exceeds the max sessions limit, can occur if the High Performance Threshold is set high and a burst of logins arrives in the brief period before the threshold is reached and full max sessions checking prior to authentication is triggered.

Largest Oversubscription—The largest number by which the max sessions limit was exceeded by the selected user, group, or VPDN through the assigned PoP since the last time the DSM statistics were reset, or the last time the DSM was restarted.

Largest Subscription—The largest number of concurrent sessions that have been opened at any one time for the selected user, group, or VPDN through the assigned PoP since the last time the DSM statistics were reset, or the last time the DSM was restarted.


Resetting DSM Statistics for a User, Group, or VPDN


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


You can reset DSM statistics to 0 if you want to measure DSM statistics for a user, group, or VPDN over a specific period of time.


Step 1 Click the DSM>Counters menu option, click Users, Groups, or VPDNs, then click the user, group, or VPDN whose DSM statistics you want to reset.

This displays the DSM Group Settings or DSM Member Settings page.

Step 2 Click Counter Statistics to display the DSM statistics page.


Note If the user, group, or VPDN is bound to a PoP, and you want to reset the PoP-related statistics, first click the PoP Bindings button and then click the Counter Statistics button on the PoP whose statistics you want to reset.


Step 3 Click the Reset Group Statistics button.

All DSM statistics except the Current Value setting are reset to 0.



Note Even though the DSM statistics are reset to 0, any new DSM events that occur between the time the reset is executed and the statistics are redisplayed will be reflected in the new statistics.


Resetting the Distributed Sessions Counter for Users, Groups, or VPDNs


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


If the DSM Current Value count fails to decrement for a user, group, or VPDN, you can reset the Current Value of its distributed sessions count to zero, to prevent the distributed sessions counter from refusing login attempts because of a false Current Value count.


Step 1 Click the DSM>Counters menu option, click Users, Groups, or VPDNs, then click the user, group, or VPDN whose session manager you want to reset.

Step 2 Click Counter Maintenance to display the DSM statistics page.


Note If the user, group, or VPDN is bound to a PoP, and you want to reset the PoP-related sessions counter, first click the PoP Bindings button and then click the Counter Maintenance button on the PoP whose sessions counter you want to reset.


Step 3 Click the Reset to Zero button.

The Current Value setting is reset to "0."


Note Resetting a group counter to 0 only affects the Current Value for that group. The Current Value of any of its parent groups will not decrement; however, resetting a user counter to 0 causes the Current Value of its group and any of its parent groups to decrement by the number of sessions that user was running at the time of the reset.



Note Even though the DSM statistics are reset to 0, any new DSM sessions that occur between the time the reset is executed and the statistics are redisplayed will be reflected in the new Current Value setting.


Resetting DSMs for a DSM Authority


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


In case of system-wide network disruption, it might be necessary to carry out a widespread reset of configured user, group, and VPDN counters in order to prevent massive user lockout. The full-featured DSM-based max sessions package provides a means to reset all users, groups, and VPDNs associated with a single DSM Authority.


Caution A DSM Authority-wide reset of DSMs should only be carried out in emergency situations. If numerous users and groups, potentially 100,000 or more, are assigned to a DSM Authority, resetting their counters could take hours and tie up the server's system resources, severely disrupting a production network.


Step 1 Click the DSM>Authorities menu option and click the DSM Authority whose assigned user, group, VPDN, and PoP counters you need to reset.

Step 2 Click the Zero All Counters button and click Yes to the warning and confirmation query "Are you sure?"

The sessions count for all users, groups, and VPDNs on all DSMs associated with the current DSM Authority is set to "0."

If new user, group, or VPDN sessions are started during the reset process, their number will be reflected in the appropriate counters after the DSM Authority-wide reset is complete.

Displaying DSM Authority Statistics


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


Displaying DSM Authority Statistics allows you to view and list the DSM rejection and oversubscription statistics for all CiscoSecure units (users, groups, and VPDNs) associated with a common DSM Authority.


Step 1 Click the DSM>Authorities menu option to display the existing DSM Authorities, then click the desired Authority.

Step 2 Click to view the desired statistics:

To view statistics on the total refusals by all objects associated with the selected authority, click View Rejections.

Records for all users, groups, or VPDNs that recorded a login refusal (due to max sessions limitations) are displayed on the "Distributed Session Manager Authority Statistics - Rejections" page.

To view statistics on the total oversubscriptions by all objects associated with the selected authority, click View Oversubscriptions.

Records for all users, groups, or VPDNs that recorded session oversubscriptions are displayed on the "Distributed Session Manager Authority Statistics - Oversubscriptions" page.

In either case, the record for each object includes the following information:

Counter—The name of the user, group, or VPDN where the login rejection or oversubscription occurred.

Type—The type of counter (user, group, or VPDN).

Max Sessions—The current max sessions limitation for the listed user, group, or VPDN.

Current Value—The current number of active sessions being run for the listed user, group, or VPDN.

Rejections—The total number of login rejections (due to max sessions limits) that have been recorded for the listed user, group, or VPDN since the last time the DSM statistics were reset, or the last time the DSM Authority was restarted.

Oversubscriptions—The total number of sessions in excess of the max sessions limit that have been recorded for the listed user, group, or VPDN since the last time the DSM statistics were reset, or the last time the DSM Authority was restarted.

Largest Oversubscriptions—The largest number by which the max sessions limit was exceeded at the listed user, group, or VPDN since the last time the DSM statistics were reset, or the last time the DSM Authority was restarted.

Largest Subscriptions—The largest number of concurrent sessions that have been opened at any one time for the listed user, group, or VPDN since the last time the DSM statistics were reset, or the last time the DSM Authority was restarted.

Quickly Finding and Viewing DSM Information for a Specific User, Group, VPDN, or PoP


Note This section describes features available if the customer installs CiscoSecure with the optional DSM module licensed and enabled. For a description of max sessions support available without the DSM module installed, see the "Limited-Feature Max Sessions Support" section.


If you want to view or edit max sessions information for a specific user, group, VPDN or PoP group, you can use the DSM>View option to access that object's DSM information directly without having to browse through the View Groups, View VPDNs, or View Users pages.

This is especially useful if you manage a large profile database and the DSM View Groups, View VPDNs, or View Users pages could list thousands of profiles.


Step 1 Click the DSM>View menu option to display the View page.

Step 2 In the View page, specify the type of object whose max sessions you want to manage: User, Group, Authority, or PoP.


Note A VPDN is either a User type or a Group type, because VPDN objects are simply user or group profiles that have been assigned the protocol (vpdn) attribute.


Step 3 Enter the name of the DSM object you want to find and click Submit Query.

The DSM settings for the object you specified appear for your editing.

Limited-Feature Max Sessions Support

If the customer has installed the CiscoSecure ACS 2.3 for UNIX package that is not licensed for DSM support, some limited user and group level max sessions support is still available if the administrator has selected and enabled the non-Distributed AAA or non-Distributed DBServer option for the Max Sessions Enabled setting in the CiscoSecure Administrator AAA>General web page.

For details on enabling limited AAA server-based or DBServer-based max sessions control, see the "Enabling Max Sessions Control" section.

Limitations of Non-DSM-based Max Sessions Management

Without the optional CiscoSecure DSM module licensed or enabled, the system administrator can still use the Java-based CiscoSecure Administrator advanced configuration program to specify max sessions limitations per user and apply this limitation to a single user or to all users in a group; however, the following limitations also apply:

No DSM web page support—The system administrator cannot access the DSM web pages of the CiscoSecure Administrator.

No fine-tuning options—Settings such as High Performance Threshold, Error Policy, or Unbound PoP policy are not available.

No separate sessions managing module—Max sessions limits are enforced either by the CiscoSecure AAA server module or the DBServer module, possibly slowing down overall authentication performance by the CiscoSecure ACS.

No per group or per PoP session limitations—No max sessions limits can be specified per group or per PoP group.

Assigning a Limited-Feature Max Sessions Limit


Note This section describes operations that support the limited set of max sessions features available if the customer has not installed or enabled the optional CiscoSecure Distributed Sessions Manager (DSM) module. If you have the DSM module installed and enabled, information in this section does not apply.


Even with limited-feature max sessions support, the system administrator can still configure individual CiscoSecure user max sessions settings:


Step 1 Make sure that the Max Sessions Enabled field in the CiscoSecure Administrator AAA>General web page is set to either non-Distributed AAA or non-Distributed DBServer.

Step 2 Start the Java-based CiscoSecure Administrator advanced configuration program.

Step 3 In the Members page, clear the Browse check box and select the group or user whose per member sessions you want to limit.

Step 4 In the Profile pane, click the profile icon, then in the Options menu, select Profile Attributes, and click Apply.

Step 5 Back in the Profile pane, click the Profile Attributes icon, then in the Options menu, select server max-sessions.

Step 6 In the Numeric value field, specify the maximum number of sessions to allow per user (for example, server max-sessions = 9) and click Apply.

Step 7 Click Submit to save the setting:

If this setting is specified for a group, it applies to all members of that group who do not have a specific max sessions limit specified for themselves.

If this setting is specified for an individual user, it applies to that user alone.

If this setting is specified for a group and the absolute property is enabled, it applies to all members of that group and overrides any conflicting max sessions limits that have been specified for individual users.

Managing High-Performance Max Sessions Checking through ms_util


Note Information in this section applies only if you have implemented AAA server-based max sessions checking as described in the "Enabling Max Sessions Control" section. It does not apply if you implemented DBServer-based or DSM-based max sessions control as described in that same section.


The ms_util tool provides a menu and prompt-driven method for the system administrator to manage a High-Performance, AAA server-based implementation of max sessions checking. Using ms_util, the administrator can browse max sessions information for current active sessions and delete active sessions records from the AAA server-based max sessions counter.

Before executing the delete operations, the system administrator can store the delete commands in an editable file of queued delete commands.

Viewing Active Sessions


Note Information in this section applies only if you have implemented AAA server-based max sessions checking as described in the "Enabling Max Sessions Control" section. It does not apply if you implemented DBServer-based or DSM-based max sessions control as described in that same section.


To view the max sessions counter records of active sessions:


Step 1 Start the ms_util utility.

Go to the $BASEDIR/MaxSessions_utils directory and enter:

./ms_util

Step 2 In the Main menu, select 1 to view the current active sessions.

Step 3 In the View menu, enter the number for one of the following options:

Table 7-8 Number and Option

Number and Option
Description

1 browse-users

Displays a numbered, alphanumerically ordered list of all active user sessions, by username (10 entries displayed per screen, numbered 0-9). In addition to the username, each record includes the NAS, session number, session length, and start time.

If necessary, enter n to view the next 10 active user sessions, or enter b to view the previous 10 active user sessions.

To view all sessions of a specific user, enter the numbered listing (0-9) of that user.

2 view-user

Displays all the active sessions of a specific user.

Enter the name of the user whose sessions you want to view.

3 browse-nas

Displays a numbered, alphanumerically ordered list of all NASes with active user sessions (maximum 10 entries per screen, numbered 0-9).

If necessary, enter n to view the next 10 NASes with active user sessions, or enter b to view the previous 10 NASes with active user sessions.

To view all active user sessions run through a particular NAS, enter the numbered listing (0-9) of that NAS.

Then, if necessary, enter n or b to page forward or backward through the active user sessions listings, or enter the numbered listing (0-9) of a user to view all active sessions of that user.

4 view-nas

Displays all the active sessions of a specific NAS.

Enter the name of the NAS whose active user sessions you want to view.

Then, if necessary, enter n or b to page forward or backward through the active user sessions listings, or enter the numbered listing (0-9) of a user to view all active sessions of that user.

5 refresh

Updates the current screen of information.


Step 4 The max sessions counter active sessions records are displayed in a format similar to the following example:

--------------------------------------------------------------------

-Users with active sessions as of Wed Feb 11 10:20:00 1998-

User Nas Session Active Start

0) user100 nas1.com 110 00:11 Wed Feb 11 10:09:00 1998
1) user102 nas1.com 1011 01:15 Wed Feb 11 09:05:12 1998

--------------------------------------------------------------------

The preceding example indicates that user100 logged on to nas1.com at 10:09 a.m. and the session has been active for 11 minutes; user102 logged in at 9:05 a.m. and this session has been active for 1 hour and 15 minutes.


Deleting Active Sessions Records


Note Information in this section applies only if you have implemented AAA server-based max sessions checking as described in the "Enabling Max Sessions Control" section. It does not apply if you implemented DBServer-based or DSM-based max sessions control as described in that same section.


To delete the records of active sessions from the AAA server-based max sessions counter:


Note The Delete options described here do not actually end active sessions; they merely remove records of current active sessions from the AAA server-based max sessions counter. Use these delete options only in situations where you know sessions have ended but for some reason have not been decremented in the max sessions counter.



Step 1 Start the ms_util utility.

Go to the $BASEDIR/MaxSessions_utils directory and enter:

./ms_util

Step 2 In the Main menu, enter 2 to delete active sessions.

Step 3 In the Delete menu, enter the number for one of these options:

Table 7-9 Number and Option

Number and Option
Description

1 delete-user

Clears all records in the max sessions counter of current sessions associated with a specific user.

Enter the username.

or

Press Enter to browse the records of active user sessions.

To browse the entire list of active user sessions, enter 1. If necessary, enter n to view the next 10 records of active user sessions, or enter b to view the previous 10 records. To clear active sessions records for a particular user: (1) enter the numbered listing (0-9) of that user to display all of that user's active sessions; then (2) enter the numbered listing (0-9) of a session to delete that session, or (3) enter all to delete all sessions belonging to that user.

To browse the records of active user sessions on a particular NAS, enter 2. If necessary, enter n to view the next 10 NASes with active user sessions, or enter b to view the previous 10. To view all active user sessions run through a particular NAS, enter the numbered screen listing (0-9) of that NAS. Then, if necessary, enter n or b to page forward or backward through the active user sessions listings. To clear active sessions records for a particular user: (1) enter the numbered listing (0-9) of that user to display all of that user's active sessions; then (2) enter the numbered listing (0-9) of a session to delete that session, or (3) enter all to delete all sessions belonging to that user.

2 clear-nas

Clears all records in the max sessions counter of current sessions associated with a specific NAS.

Enter the NAS name.

or

Press Enter to browse the NASes with records of active user sessions.

If necessary, enter n to view the next 10 NASes with records of active user sessions, or enter b to view the previous 10 NASes with records of active user sessions.

To clear a particular NAS of all records of active user sessions, enter the numbered listing (0-9) of that NAS.

3 clear-all

Clears all records of active sessions from the max sessions counter. The max sessions count of all users is set to zero.

4 refresh

Updates the current screen of information.


Step 4 After entering the options in Step 3, press Enter to place your Delete operation in the job request queue. You return to the Main menu.

Step 5 If you have other delete operations to carry out, repeat Steps 2, 3, and 4.

Step 6 After specifying all the Delete operations you want carried out, enter 6 in the Main menu to execute the Delete commands in your job queue.



Note Placing all your Delete operations in a queue and executing them at once saves processing time on the AAA server.


Managing Max Sessions Counting through the ms_util Command Line


Note Information in this section applies only if you have implemented AAA server-based max sessions checking as described in the "Enabling Max Sessions Control" section. It does not apply if you implemented DBServer-based or DSM-based max sessions control as described in that same section.


You can add switches to the ./ms_util command-line string and carry out the delete operations described in "Deleting Active Sessions Records" in command-line mode.


Note The Delete operations described here do not actually end active sessions; they merely remove records of current active sessions from the AAA server-based max sessions counter. Use these delete operations only in situations where you know sessions have ended but for some reason have not been decremented in the max sessions counter.


If you want to carry out ms_util deletions in command-line mode, the syntax is:

./ms_util [-u user_id, nas_id, session_id] [-n nas_id] [-e]

The command-line switch options and parameters are explained in Table 7-10.

Table 7-10 Command-Line Switch Options

Switch
Description

-u

Deletes one specified record of an active session in the max sessions counter associated with a specific user. The -u switch is specified with the following parameters:

./ms_util -u user_id, nas_id, session_id

where:

user_id is the name of the user whose active sessions records you want to delete.

nas_id is the name of the NAS through which the user whose active session record you want to delete has logged on.

session_id is the NAS-assigned session identification number of the session whose record you want to delete. This is the number displayed when you run ms_util to carry out the browse and view operations described in the "Viewing Active Sessions" section. For example:

To delete session 103 of user john from NAS ciscoNAS, enter:

./ms_util -u john,ciscoNAS,103

-n

Deletes all records of active sessions in the max sessions counter associated with a specific NAS. The -n switch is specified with the following parameter:

./ms_util -n nas_id

where nas_id is the name of the NAS whose active session records you want to delete from the max sessions counter. For example:

To clear all sessions from NAS ciscoNAS, enter:

./ms_util -n ciscoNAS

-e

Deletes all records of active sessions from the max sessions counter. The max sessions count of all users is set to zero. For example:

To clear the entire max sessions counter, enter:

./ms_util -e


Specifying Multiple Delete Operations on a Single ms_util Command Line


Note Information in this section applies only if you have implemented AAA server-based max sessions checking as described in the "Enabling Max Sessions Control" section. It does not apply if you implemented DBServer-based or DSM-based max sessions control as described in that same section.


Multiple delete operations can be specified on a single ms_util command line. For example, the following ms_util command line deletes session 103 of user john from NAS ciscoNAS, deletes session 104 of user joe from NAS nasTWO, and clears all sessions from NAS nasTHREE:

./ms_util -u john,ciscoNAS,103 -u joe,nasTWO,104 -n nasTHREE

This is more efficient than running ms_util three times to perform the three deletes.
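The following shell script is an added example; it is not part of CiscoSecure ACS or of the ms_util tool. It reads a browse-users listing in the format shown in the "Viewing Active Sessions" section, selects the records whose Active column exceeds a threshold, and prints one ms_util command line that queues a -u delete for each of them (the multiple-switch form shown above). The listing is constructed from the guide's sample, the "stale after N minutes" rule is this example's own heuristic, and the command line is printed for review rather than executed, because ms_util only removes counter records and an operator still has to confirm those sessions have actually ended.

```shell
#!/bin/sh
# Added example; not part of CiscoSecure ACS or the ms_util tool.
# Parses an ms_util browse-users listing, picks records that have been
# active longer than a threshold, and prints ONE ms_util command line
# with a -u switch per record (user,nas,session order from Table 7-10).
# The listing below is constructed from the sample in the user guide.

SAMPLE_LISTING='--------------------------------------------------------------------
-Users with active sessions as of Wed Feb 11 10:20:00 1998-
User Nas Session Active Start
0) user100 nas1.com 110 00:11 Wed Feb 11 10:09:00 1998
1) user102 nas1.com 1011 01:15 Wed Feb 11 09:05:12 1998
--------------------------------------------------------------------'

# stale_sessions MAX_MINUTES
# Reads a listing on stdin and prints "user,nas,session" for each record
# whose Active column (HH:MM, the session length) exceeds MAX_MINUTES.
stale_sessions() {
    awk -v max="$1" '
        # Record lines begin with a screen index such as "0)"; the columns
        # are index, user, NAS, session number, active time (HH:MM), start.
        $1 ~ /^[0-9]+[)]$/ {
            split($5, t, ":")
            minutes = t[1] * 60 + t[2]
            if (minutes > max) print $2 "," $3 "," $4
        }'
}

# build_delete_cmdline MAX_MINUTES
# Reads the same listing on stdin and prints a single "./ms_util -u ... -u ..."
# line covering every stale record, or nothing when no record is stale.
# The line is printed for review, not run: ms_util only drops counter
# records, it does not end sessions (see the Note above).
build_delete_cmdline() {
    args=""
    for rec in $(stale_sessions "$1"); do
        args="$args -u $rec"
    done
    [ -n "$args" ] && printf './ms_util%s\n' "$args"
    return 0
}

# Demonstration on the constructed listing: flag sessions active for more
# than 60 minutes.  Prints: ./ms_util -u user102,nas1.com,1011
printf '%s\n' "$SAMPLE_LISTING" | build_delete_cmdline 60
```

To use it against a live server, paste the listing ms_util printed into the script's standard input (for example from a saved terminal session) and pick a threshold that matches your site's longest legitimate sessions; lowering the threshold to 10 minutes on the sample above would also select user100.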

Cisco strongly recommends using the Max Sessions Enabled field in the CiscoSecure Administrator AAA>General web page to enable or disable the various types of max sessions control, as described in Chapter 6, "Limiting and Tracking Sessions Per User, Group, or VPDN" in the CiscoSecure ACS 2.3 for UNIX User Guide.

Alternatively, if you do not have access to a web browser, you can enable or disable max sessions control by editing the CSU.cfg and CSConfig.ini configuration files. In the $BASEDIR/config directory of your CiscoSecure ACS for UNIX server, edit your CSU.cfg and CSConfig.ini files as specified in Table 7-11 to enable the DSM or other supported types of max sessions control.


Caution If you edit the CSU.cfg and CSConfig.ini files, make sure that when you enable one type of max sessions control you also disable all other types of max sessions control. Enabling the settings for one type of max sessions control in Table 7-11 without disabling the settings for the other types can cause extremely slow authentication performance and out-of-memory errors.

Table 7-11 Max Sessions Enabling or Disabling CSU.cfg and CSConfig.ini Settings

Each row gives the type of max sessions control to enable, the CSU.cfg settings it requires, and the CSConfig.ini settings it requires.

None (all max sessions control disabled)

    CSU.cfg settings:
        config_maxsessions_enable = 0
        config_distmaxsessions_enable = 0
        These settings disable AAA(1) server and DSM max sessions control.

    CSConfig.ini settings:
        ProcessInMemoryMaxSessionInfo = disable
        ArchiveMaxSessionInfoToDB = disable
        These settings disable DBServer-based max sessions control.

Distributed Session Manager (DSM)(2)

    CSU.cfg settings:
        config_maxsessions_enable = 0
        config_distmaxsessions_enable = 1
        These settings disable AAA server-based max sessions control and enable the DSM.

    CSConfig.ini settings:
        ProcessInMemoryMaxSessionInfo = disable
        ArchiveMaxSessionInfoToDB = disable
        These settings disable DBServer-based max sessions control.

DBServer-based max sessions control (default setting)

    CSU.cfg settings:
        config_maxsessions_enable = 0
        config_distmaxsessions_enable = 0
        These settings disable AAA server-based max sessions control and the DSM.

    CSConfig.ini settings:
        ProcessInMemoryMaxSessionInfo = enable
        ArchiveMaxSessionInfoToDB = enable
        These settings enable DBServer-based max sessions control.

AAA server-based max sessions control

    CSU.cfg settings:
        config_maxsessions_enable = 1
        config_distmaxsessions_enable = 0
        These settings enable AAA server-based max sessions control and disable the DSM.

    CSConfig.ini settings:
        ProcessInMemoryMaxSessionInfo = disable
        ArchiveMaxSessionInfoToDB = disable
        These settings disable DBServer-based max sessions control.

(1) AAA = authentication, authorization and accounting.

(2) DSM-based session control can only take effect if the optional DSM module has been licensed for this installation of CiscoSecure ACS 2.3 for UNIX.


Step 7 After making the above settings, stop and restart CiscoSecure ACS to make sure that all the above settings take effect:

Log in as [root] to the UltraSPARC workstation where you installed CiscoSecure ACS. To stop CiscoSecure ACS, enter:

# /etc/rc0.d/K80CiscoSecure

To restart CiscoSecure ACS, enter:

# /etc/rc2.d/S80CiscoSecure
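The shell functions below are an added consistency check written for this section; they are not part of CiscoSecure ACS. They read the four keys named in Table 7-11 from a CSU.cfg and a CSConfig.ini file and report which single type of max sessions control is enabled (none, dsm, dbserver, or aaa), or report conflict when more than one type is enabled or the two DBServer keys disagree, which is exactly the condition the Caution above warns about. The "key = value" line layout is an assumption about the file format, a missing key is reported as unknown rather than guessed, and the sample files are constructed inline in a temporary directory.

```shell
#!/bin/sh
# Added example; not part of CiscoSecure ACS. Checks that CSU.cfg and
# CSConfig.ini enable exactly one type of max sessions control (Table 7-11).

# cfg_value FILE KEY
# Prints the value of the first "KEY = value" line in FILE (whitespace
# around "=" ignored); prints nothing if KEY is absent. The line layout is
# an assumption of this example.
cfg_value() {
    awk -v key="$2" -F= '{
        k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
        if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }' "$1"
}

# write_sample_configs DIR AAA_FLAG DSM_FLAG MEM_VALUE ARCHIVE_VALUE
# Writes constructed CSU.cfg and CSConfig.ini files into DIR using the
# keys from Table 7-11 (values are the caller's, not shipped defaults).
write_sample_configs() {
    printf 'config_maxsessions_enable = %s\nconfig_distmaxsessions_enable = %s\n' \
        "$2" "$3" > "$1/CSU.cfg"
    printf 'ProcessInMemoryMaxSessionInfo = %s\nArchiveMaxSessionInfoToDB = %s\n' \
        "$4" "$5" > "$1/CSConfig.ini"
}

# max_sessions_mode CSU_CFG CSCONFIG_INI
# Prints none, dsm, dbserver or aaa for a consistent configuration
# (exit 0), or conflict/unknown with exit 1.
max_sessions_mode() {
    aaa=$(cfg_value "$1" config_maxsessions_enable)
    dsm=$(cfg_value "$1" config_distmaxsessions_enable)
    mem=$(cfg_value "$2" ProcessInMemoryMaxSessionInfo)
    arc=$(cfg_value "$2" ArchiveMaxSessionInfoToDB)

    # The guide does not say what an absent or unexpected value means,
    # so this example refuses to guess (assumption: report unknown).
    for v in "$aaa" "$dsm" "$mem" "$arc"; do
        [ -n "$v" ] || { echo unknown; return 1; }
    done
    case "$aaa$dsm" in 00|01|10|11) ;; *) echo unknown; return 1 ;; esac

    # Table 7-11 always switches the two DBServer keys together.
    case "$mem/$arc" in
        enable/enable)   db=1 ;;
        disable/disable) db=0 ;;
        *)               echo conflict; return 1 ;;
    esac

    # More than one mechanism enabled is the case the Caution warns about
    # (slow authentication and out-of-memory errors).
    enabled=$((aaa + dsm + db))
    if [ "$enabled" -gt 1 ]; then
        echo conflict; return 1
    elif [ "$aaa" = 1 ]; then echo aaa
    elif [ "$dsm" = 1 ]; then echo dsm
    elif [ "$db" = 1 ]; then echo dbserver
    else echo none
    fi
}

# Demonstration on constructed files: a DSM-only configuration, then a
# configuration that enables AAA server-based and DBServer-based control
# at the same time.
tmp=$(mktemp -d)
write_sample_configs "$tmp" 0 1 disable disable
echo "DSM only:         $(max_sessions_mode "$tmp/CSU.cfg" "$tmp/CSConfig.ini" || true)"
write_sample_configs "$tmp" 1 0 enable enable
echo "AAA and DBServer: $(max_sessions_mode "$tmp/CSU.cfg" "$tmp/CSConfig.ini" || true)"
rm -rf "$tmp"
```

Run it against the real files with `max_sessions_mode $BASEDIR/config/CSU.cfg $BASEDIR/config/CSConfig.ini` before restarting CiscoSecure ACS; a non-zero exit is the signal to fix the files first.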



Note All forms of max sessions control require that the AAA accounting functions be enabled in the client NASes.




Posted: Wed Feb 16 10:12:19 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.