June 30, 2006

Appendix A: SG-1 Vendor-Specific Attributes

user:max-allowed-sessions sub-attribute

The user:max-allowed-sessions sub-attribute defines the maximum number of sessions allowed on a single blade per username. When the system receives this attribute during authentication, it counts the concurrent sessions that carry the authenticated username. If the number of sessions, including the one currently being authenticated, exceeds the number of allowed sessions, the system rejects the new incoming session, causing an immediate disconnection.

General:

Operation Mode:

Access-Accept message

Vendor-type: 20

Vendor-length = 2 + 4 + attribute-name length

Format:

adc-avpair = "user:max-allowed-sessions=<maximum number of sessions per blade>",

Example:

adc-avpair = "user:max-allowed-sessions=1",

user:class sub-attribute

The user:class sub-attribute contains the user class information, a string with a maximum size of 256 characters. The RADIUS server can send it to the system in an Access-Accept or Service-Accept message. The system sends it unmodified to the RADIUS server as part of the Authentication and Accounting-Request packets. The user:class sub-attribute operates in hierarchy mode and supports both user and service levels. When received in service authentication, it applies only for the service lifetime and is reset when the service changes. When received in user authentication, it applies for the whole session lifetime.

General:

Operation Mode:

Access-Accept message

Service-Request message

Service-Accept message

Accounting on, off, start and stop messages, interim

Vendor-type: 21

Vendor-length = 2 + (1-256) + attribute-name length

Format:

adc-avpair = "user:class=<user class data>",

Example:

adc-avpair = "user:class=belong to security group",
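The following is an added example, not code from the SG-1 manual or product: it validates the quoted adc-avpair value for both sub-attributes above and applies the per-blade session limit as the text describes it. The function names, the list of active usernames and exact-match username comparison are assumptions made for illustration.

```python
# Added example: validate adc-avpair values and apply the session limit.
MAX_CLASS_LEN = 256  # user:class is a string of at most 256 characters


def parse_avpair(value):
    """Split 'user:<name>=<data>' into (name, data), validating the data."""
    # Split on the first '=' only, so class data may itself contain '='.
    name, sep, data = value.partition("=")
    if not sep or not name.startswith("user:"):
        raise ValueError(f"not a user: avpair: {value!r}")
    if name == "user:max-allowed-sessions":
        if not (data.isascii() and data.isdigit()):
            raise ValueError("max-allowed-sessions must be a non-negative integer")
        return name, int(data)
    if name == "user:class":
        if not 1 <= len(data) <= MAX_CLASS_LEN:
            raise ValueError("user:class must be 1-256 characters")
        return name, data
    raise ValueError(f"unsupported sub-attribute: {name}")


def admit_session(avpairs, active_sessions, username):
    """Return (accepted, class_data) for a new session on one blade.

    avpairs: adc-avpair values taken from the Access-Accept.
    active_sessions: usernames of sessions already up on this blade
    (constructed input; exact-match comparison is an assumption).
    """
    limit, class_data = None, None
    for raw in avpairs:
        name, data = parse_avpair(raw)
        if name == "user:max-allowed-sessions":
            limit = data
        else:
            class_data = data
    # Existing sessions for this username plus the one being authenticated.
    total = sum(1 for user in active_sessions if user == username) + 1
    if limit is not None and total > limit:
        return False, class_data  # over the limit: reject the new session
    return True, class_data
```

Rejecting malformed values instead of ignoring them keeps a mistyped limit in the RADIUS user profile from silently leaving sessions unlimited.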

SG1-UM-8500-03
