Technical Documentation

Configuring Advanced Settings for the User-Role-Based Policy Feature

In most cases, we recommend that you retain the defaults for the user role-based policy feature. These settings are exposed as configurable so that deployments with different requirements can tune them.

By default:

  • The IDP appliance sends a maximum of five logs per second to Juniper Networks IC Series Unified Access Control appliances. You can modify this value.
  • User role-based rules are not processed if the IDP appliance loses connectivity with the IC Series for 30 seconds. You can modify this value.
  • The user session table that is populated by the IC Series appliance and maintained on the IDP Series appliance contains a maximum of 50,000 users. You can change the maximum.

To change how long the IDP Series appliance can be disconnected from the IC Series appliance before it stops processing user role-based rules:

  1. Log into the CLI as admin and enter su - to switch to root.
  2. Enter the following command to show the current value:

    [root@defaulthost admin]# scio const -s s0 get sc_ic_reconcile_timeout
    scio: sc_ic_reconcile_timeout = 0x1E

    The default is 30 seconds (0x1E).

  3. Enter the following command to change this setting:

    [root@defaulthost admin]# scio const -s s0 set sc_ic_reconcile_timeout 180
    scio: sc_ic_reconcile_timeout = 0xB4

To change the maximum number of logs per second the IDP Series appliance sends to the IC Series appliance:

  1. Log into the CLI as admin and enter su - to switch to root.
  2. Enter the following command to show the current value:

    [root@defaulthost admin]# scio user logs throttle show
    5 Log(s)/Second.
    [root@defaulthost admin]#

  3. Enter the following command to change the value:

    [root@defaulthost admin]# scio user logs throttle set 10
    IC-Log Throttle limit set to '10'.
    [root@defaulthost admin]#

To change the maximum number of users in the user session table:

  1. Log into the CLI as admin and enter su - to switch to root.
  2. Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
  3. Locate the following line:

    export max_ic_users=50000

  4. Edit the value for max_ic_users. Valid values are 1000 to 100,000.
  5. Save the file and exit the editor.
  6. Restart the IDP engine:

    [root@defaulthost admin]# idp.sh restart

    Restarting the IDP engine can take several moments.


Published: 2010-01-12