Cisco Clean Access 3.5
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 5 User Management: User Roles
Create User Roles
Max Sessions per User Account (Case-Insensitive)
The Max Sessions per User Account option (3.5.1 and above) is intended to
allow administrators to limit the number of concurrent machines that can use the
same user credentials. The feature allows you to restrict the number of login
sessions per user to a configured number. If the online login sessions for a
username exceed the value specified (1 – 255; 0 for unlimited), the web login
page or the Clean Access Agent will prompt the user to end all sessions or end
the oldest session at the next login attempt.
The Case-Insensitive checkbox (3.5.6 and above) lets the administrator choose
whether user names that differ only in case count as separate users toward the
max session count. For example, if the administrator chooses to allow
case-sensitivity (box unchecked; default), then jdoe, Jdoe, and jDoe are all
treated as different users. If the administrator chooses to disable
case-sensitivity (box checked), then jdoe, Jdoe, and jDoe are treated as the
same user.
Note: Cisco Clean Access systems at 3.5(5) and below are case-sensitive and will
consider user “johndoe” as different from “JohnDoe.” A backend
authentication server (e.g. RADIUS) must still be capable of rejecting
“JohnDoe” as a user. If the RADIUS server accepts it and authenticates
the user, Cisco Clean Access will consider it a different user.
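As an added illustration (not Cisco code and not part of the guide), this Python example audits a list of online sessions under both checkbox settings and reports accounts that stay within Max Sessions per User Account only because their spellings differ in case. The session tuples, the function names, and the use of simple lowercasing as the case-folding rule are assumptions.

```python
from collections import defaultdict

# Constructed sample of online sessions:
# (user name as typed at login, client MAC, login time in seconds).
SAMPLE_SESSIONS = [
    ("jdoe", "00:11:22:33:44:01", 100),
    ("Jdoe", "00:11:22:33:44:02", 160),
    ("jDoe", "00:11:22:33:44:03", 220),
    ("asmith", "00:11:22:33:44:04", 130),
    ("asmith", "00:11:22:33:44:05", 300),
]


def count_sessions(sessions, case_insensitive):
    """Group sessions per account as the Case-Insensitive checkbox describes."""
    groups = defaultdict(list)
    for username, mac, login_time in sessions:
        # Assumption: case folding is modelled as plain lowercasing.
        key = username.lower() if case_insensitive else username
        groups[key].append((login_time, username, mac))
    return groups


def over_limit(sessions, max_sessions, case_insensitive):
    """Return {account: sessions, oldest first} for accounts above the limit.

    max_sessions == 0 means unlimited, matching the role setting.
    """
    if max_sessions == 0:
        return {}
    groups = count_sessions(sessions, case_insensitive)
    return {k: sorted(v) for k, v in groups.items() if len(v) > max_sessions}


def hidden_by_case(sessions, max_sessions):
    """Accounts that exceed the limit only once spellings are folded together."""
    sensitive = over_limit(sessions, max_sessions, case_insensitive=False)
    insensitive = over_limit(sessions, max_sessions, case_insensitive=True)
    already_flagged = {name.lower() for name in sensitive}
    return {k: v for k, v in insensitive.items() if k not in already_flagged}


if __name__ == "__main__":
    for account, sess in hidden_by_case(SAMPLE_SESSIONS, 2).items():
        print(account, "oldest session:", sess[0], "total:", len(sess))
```

The first entry of each returned list is the oldest session, which is the one the "end the oldest session" choice at login would affect.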
Retag Trusted-side Traffic with VID (In-Band) / Role VLAN (Out-of-Band)
The VLAN ID (VID) information entered in this field is used differently
depending on whether the Clean Access Server is deployed in-band or
out-of-band.
In-Band Configuration—Retag Trusted-side Traffic with VID (In-Band)
When the CAS is deployed inline with traffic, the value entered in this field is
used to retag user traffic as it exits the trusted side of the CAS. Hence, for
example, if two users connect to the same Access Point with the same SSID,
depending on their roles, their traffic can be tagged with different VLAN IDs as
their traffic flows through the CAS to the trusted side of the network (see
Type a value in this field to assign a VLAN ID (VID) to outgoing traffic from
users in the role. Incoming traffic with the VID value is reassigned the value
originally used by the role, if any. For in-band configuration, trusted-side VID
retagging is only performed in Real-IP and NAT Gateway modes. In-band Virtual
Gateways do not perform VLAN retagging based on role assignment.
Table 5-1 Role Properties (continued)
Columns: Control, Description