HP-UX AAA Server A.06.00 Administration and Authentication Guide: HP-UX 11.0, 11i v1 > Chapter 5 Session Management

Session Limits


You can set session limits to control how long the user has access to the network, what services the user has access to, and how many active sessions the user may maintain on the network. Session limits are defined through A-V pairs. These limits can be enforced on a user-by-user or global basis.

Setting Limits on a User-by-User Basis

If the user profile does not currently exist, follow the appropriate procedure to create a new profile. If the user profile does exist, access the user profile from the text file or database that stores the profile.

Setting Timeout Values

If the user profile is stored in a AAA server users file (grouped by realm or the default file):

  1. Select the General tab from the User Attributes screen.

    Figure 5-4  The General Options on the User Attributes Screen

  2. Assign a Session Timeout value to limit how many seconds the user can access the service.

  3. Assign an Idle Timeout value to limit how many consecutive seconds of idle connection time can pass before the session is terminated.

If the user profile is stored in an LDAP LDIF file, add the following lines to the user profile:

aaaReply: Session-Timeout = Number-seconds
aaaReply: Idle-Timeout = Number-seconds

Establishing a Filter

  1. Define the filter on your network device according to the hardware instructions. The filter definition should include a filter ID.

  2. Associate the user profile with the filter ID.

  • If the user profile is stored in a AAA server users file (grouped by realm or the default file), select the General tab from the User Attributes screen and specify the ID in the Filter ID field.

  • If the user profile is stored in an LDAP LDIF file, add the following line to the user profile:

    aaaReply: Filter-ID = value

Assigning Static IP Addresses

  • If the user profile is stored in a AAA server users file (grouped by realm or the default file), select the Framed tab from the User Attributes screen and then specify the static IP address for this user in the Framed IP Address field.

    Figure 5-5 The Framed Options on the User Attributes Screen

  • If the user profile is stored in an LDAP LDIF file, add the following line to the user profile:

    aaaReply: Framed-IP-Address = value

Limiting Access Points (NAS-Port, NAS-ID, Calling-Station ID, and others)

You can control what connection point a user must use to access your network by restricting access to specific NASs or phone numbers.

If the user profile is stored in a AAA server users file (grouped by realm or the default file), assign values to the User Attributes fields that can limit access:

  • Assign a NAS Port value (under the General tab) to limit access to a specific dial-in connection identified by port.

  • Assign a NAS ID value (under the General tab) to limit access to a specific dial-in connection identified by NAS.

  • Assign a Calling-Station-ID value (under the Others tab) if the user must always access service from a single location (defined by a phone number).

Figure 5-6 The Others Options on the User Attributes Screen


If the user profile is stored in an LDAP LDIF file, add the following lines to the user profile:

aaaCheck: NAS-Port = Port-number
aaaCheck: NAS-ID = value
aaaCheck: Calling-Station-ID = Phone-number

Denying Access (Called-Station-ID and others)

You can deny users access through a connection point by adding deny items to the user profile.

  • If the user profile is stored in a AAA server users file (grouped by realm or the default file), select the Free tab from the User Attributes screen and then enter the following in the Check text box according to the limits you want to set:

    NAS-Port != Port-number
    NAS-ID != value
    Calling-Station-ID != Phone-number

Figure 5-7 The Free Options on the User Attributes Screen

  • If the user profile is stored in an LDAP LDIF file, add the following lines to the user profile:

    aaaCheck: NAS-Port != Port-number
    aaaCheck: NAS-ID != value
    aaaCheck: Calling-Station-ID != Phone-number

Limiting Simultaneous Sessions

You can limit the number of concurrent sessions a user can maintain when accessing your network. Before you can configure the simultaneous sessions limit for a user profile, you must identify the user's realm in the server's configuration, even if the user is not grouped by realm.

  1. Select the Local Realms link from the Navigation Tree.

  2. If the user's realm is not already identified, follow the appropriate procedure to add a realm to the server configuration. If the realm is already configured, select the realm name from the Realms screen.

  3. In addition to completing the other required fields in the Realm Attributes screen, select the Yes radio button for Session Tracking.

  4. Save the realm.

  5. Access the user profile and set the simultaneous session limit.

  • If the user profile is stored in a AAA server users file (grouped by realm or the default file), select the Free tab from the User Attributes screen and then enter the following in the Check text box according to the limits you want to set.

    Simultaneous-Sessions = Max-number-sessions
  • If the user profile is stored in an LDAP LDIF file, add the following line to the user profile:

    aaaCheck: Simultaneous-Sessions = Max-number-sessions
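
One way to check exported LDIF profiles for the per-user limits described above, as an added example that is not part of HP's documentation or tooling. It flags profiles where a timeout or session limit is missing, malformed, or misspelled closely enough that it would no longer read as the intended attribute. The function names, the sample DNs, and the policy that every profile must carry all three limits are assumptions.

```python
import difflib
import re

# Attribute names and aaaReply/aaaCheck placement come from the page; requiring all
# three is this example's policy. SAMPLE is constructed; its DN layout is assumed.
REQUIRED = {"aaareply": ["Session-Timeout", "Idle-Timeout"],
            "aaacheck": ["Simultaneous-Sessions"]}
AV_PAIR = re.compile(r"^([A-Za-z][\w-]*)\s*(!=|=)\s*(.+)$")

SAMPLE = """\
dn: uid=alice,ou=people,dc=example,dc=com
aaaReply: Session-Timeout = 28800
aaaReply: Idle-Timeout = 900
aaaCheck: Simultaneous-Sessions = 1

dn: uid=bob,ou=people,dc=example,dc=com
aaaReply: Session-Timeout = 8h
aaaReply: Idle-Timout = 900
"""

def parse_entries(ldif_text):
    """Yield (dn, [(lowercased LDAP attribute, value), ...]) per LDIF entry."""
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        lines = re.sub(r"\n ", "", block).splitlines()  # unfold continuation lines
        pairs = [(a.strip().lower(), v.strip()) for a, _, v in (l.partition(":") for l in lines)]
        dn = next((v for a, v in pairs if a == "dn"), None)
        if dn:
            yield dn, pairs

def audit(ldif_text):
    """Return {dn: [finding, ...]} for profiles with missing or malformed limits."""
    report = {}
    for dn, pairs in parse_entries(ldif_text):
        findings = []
        for ldap_attr, expected in REQUIRED.items():
            seen = set()
            for value in (v for a, v in pairs if a == ldap_attr):
                m = AV_PAIR.match(value)
                name, op, val = m.groups() if m else (value, "", "")
                if name in expected:
                    seen.add(name)
                    if op != "=" or not val.strip().isdigit():
                        findings.append(f"{name} must be '= <integer>'")
                elif difflib.get_close_matches(name, expected, n=1, cutoff=0.8):
                    findings.append(f"possible misspelling: {name}")
            findings += [f"missing {n}" for n in expected if n not in seen]
        if findings:
            report[dn] = findings
    return report
```

Calling `audit(SAMPLE)` returns findings only for the second profile; other A-V pairs such as `NAS-Port` or `Filter-ID` are ignored by the audit.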

Setting Limits for Users on a Global Basis

Setting Limits for All User Profiles Grouped by Realms

You can set limits for all users who are grouped by realm by modifying the DEFAULT profile in the default users file. The limits specified for the DEFAULT user profile are appended to all requests for all users that are grouped by realm.

  1. Access the Server Manager.

  2. Select the Users link from the Navigation Tree.

  3. From the Users screen, select the DEFAULT link.

  4. Assign values for session limits by following the same procedures used to set limits for individual users stored in the users file.

© 2003 Hewlett-Packard Development Company, L.P.