Session management using resource managers – Cisco Cisco Access Registrar 3.5 User Manual


Cisco Access Registrar 3.5 Concepts and Reference Guide


Chapter 2 Understanding Cisco Access Registrar

Cisco Access Registrar Hierarchy

For example, to use Services for authentication:

When you want the authentication to be performed by the Cisco Access Registrar RADIUS server,
you can specify the local service. In this case, you must specify a specific UserList.

When you want the authentication performed by another server, which may run an independent
application on the same or different host than your RADIUS server, you can specify either a radius,
ldap, or tacacs-udp service. In this case, you must list these servers by name.

When you have specified more than one authentication service, Cisco Access Registrar determines
which one to use for a particular Access-Request by checking the following:

When an incoming script has set the Environment dictionary variable Authentication-Service with
the name of a Service, Cisco Access Registrar uses that service.

Otherwise, Cisco Access Registrar uses the default authentication service. The default
authentication service is a property of the Radius object.

Cisco Access Registrar chooses the authentication service based on the variable
Authentication-Service, or the default. The properties of that Service specify many of the details of
that authentication service, such as the specific user list to use or the specific application (possibly
remote) to use in the authentication process.

For more information about Services, refer to Access Registrar Server Objects in the Cisco Access
Registrar User’s Guide.

Session Management Using Resource Managers

Cisco Access Registrar lets you track user sessions, and/or allocate dynamic resources to users for the
lifetime of their session. You can define one or more Session Managers, and have each one manage the
sessions for a particular group or company.

Session Managers use Resource Managers, which in turn manage resources of a particular type as
described below.

IP-Dynamic—manages a pool of IP addresses and allows you to dynamically allocate IP addresses
from that pool

IP-Per-NAS-Port—allows you to associate ports to specific IP addresses, and thus ensure each NAS
port always gets the same IP address

IPX-Dynamic—manages a pool of IPX network addresses

Group-Session-Limit—manages concurrent sessions for a group of users; that is, it keeps track of
how many sessions are active and denies new sessions once the configured limit has been reached

User-Session-Limit—manages per-user concurrent sessions; that is, it keeps track of how many
sessions each user has and denies the user a new session once the configured limit has been reached

USR-VPN—manages Virtual Private Networks (VPNs) that use USR NAS Clients.

For more information about Session Managers, refer to Access Registrar Server Objects in the Cisco
Access Registrar User’s Guide.
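
The following Python model is an added illustration, not Cisco code or Access Registrar configuration. It sketches how the IP-Dynamic, Group-Session-Limit and User-Session-Limit types listed above could behave when two Session Managers refer to the same IP pool. The class names, the demo scenario, the 192.0.2.x addresses and the release-on-denial behavior are assumptions of the model.

```python
import ipaddress

class IPDynamic:  # IP-Dynamic: leases pool addresses for the life of a session
    def __init__(self, first, count):
        self.free = [ipaddress.IPv4Address(first) + i for i in range(count)]
        self.held = {}
    def allocate(self, sid, user):
        if self.free:
            self.held[sid] = self.free.pop(0)
        return sid in self.held
    def release(self, sid):
        if sid in self.held:
            self.free.append(self.held.pop(sid))

class SessionLimit:  # Group-Session-Limit, or User-Session-Limit when per_user=True
    def __init__(self, limit, per_user=False):
        self.limit, self.per_user, self.active = limit, per_user, {}
    def allocate(self, sid, user):
        key = user if self.per_user else "*"
        if list(self.active.values()).count(key) < self.limit:
            self.active[sid] = key
        return sid in self.active
    def release(self, sid):
        self.active.pop(sid, None)

class SessionManager:  # admits a session only if every Resource Manager accepts it
    def __init__(self, *resource_managers):
        self.rms = resource_managers
    def start(self, sid, user):
        if all(rm.allocate(sid, user) for rm in self.rms):  # stops at first refusal
            return True
        self.stop(sid)  # model assumption: a denied session keeps no resources
        return False
    def stop(self, sid):
        for rm in self.rms:
            rm.release(sid)

def demo():  # constructed scenario: two departments share one 3-address pool
    pool = IPDynamic("192.0.2.10", 3)
    eng = SessionManager(SessionLimit(2), SessionLimit(1, per_user=True), pool)
    sales = SessionManager(SessionLimit(5), pool)
    log = [eng.start("e1", "alice"), eng.start("e2", "alice"), eng.start("e3", "bob"),
           eng.start("e4", "carol"), sales.start("s1", "dave"), sales.start("s2", "erin")]
    eng.stop("e1")  # alice logs off; her address returns to the shared pool
    log.append(sales.start("s2", "erin"))
    return log, str(pool.held["s2"]), len(sales.rms[0].active)

if __name__ == "__main__":
    print(demo())
```

In the demo, the second, fourth and sixth attempts are denied by the per-user limit, the group limit and the exhausted pool respectively; the retry succeeds once a session on the other Session Manager ends.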

If necessary, you can create a complex relationship between the Session Managers and the Resource

When you need to share a resource among Session Managers, you can create multiple Session Managers
that refer to the same Resource Manager. For example, if one pool of IP addresses is shared by two
departments, but each department has a separate policy about how many users can be logged in