
    Configuring Advanced Settings for the User-Role-Based Policy Feature

    In most cases, we recommend that you retain the defaults for the user role-based policy feature. The settings below are configurable to accommodate the requirements of different deployments.

    By default:

    • The IDP Series device sends a maximum of five logs per second to the Juniper Networks IC Series Unified Access Control appliance. You can modify this value.
    • User role-based rules are not processed if the IDP Series device loses connectivity with the IC Series appliance for 30 seconds. You can modify this value.
    • The user session table, which is populated by the IC Series appliance and maintained on the IDP Series device, holds a maximum of 50,000 users. You can change the maximum.

    To change the connectivity-loss threshold after which the IDP Series device stops processing user role-based rules (a longer threshold keeps the rules in force through a longer IC Series outage, but during that outage the session table is no longer being updated by the appliance):

    1. Log into the CLI as admin and enter su - to switch to root.
    2. Enter the following command to show the current value:

      [root@defaulthost admin]# scio const -s s0 get sc_ic_reconcile_timeout
      scio: sc_ic_reconcile_timeout = 0x1E

      The value is in seconds; scio reports it in hexadecimal, so the default of 30 seconds appears as 0x1E.

    3. Enter the following command to change this setting:

      [root@defaulthost admin]# scio const -s s0 set sc_ic_reconcile_timeout 180
      scio: sc_ic_reconcile_timeout = 0xB4

    To change the maximum number of logs per second the IDP Series device sends to the IC Series appliance:

    1. Log into the CLI as admin and enter su - to switch to root.
    2. Enter the following command to show the current value:

      [root@defaulthost admin]# scio user logs throttle show
      5 Log(s)/Second.
      [root@defaulthost admin]#
    3. Enter the following command to change the value:

      [root@defaulthost admin]# scio user logs throttle set 10
      IC-Log Throttle limit set to '10'.
      [root@defaulthost admin]#

    To change the maximum number of users in the user session table:

    1. Log into the CLI as admin and enter su - to switch to root.
    2. Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
    3. Locate the following line:

      export max_ic_users=50000
    4. Edit the value of max_ic_users. Valid values are 1000 through 100,000.
    5. Save the file and exit the editor.
    6. Restart the IDP engine:

      [root@defaulthost admin]# idp.sh restart

      Restarting the IDP engine can take several moments; the new maximum takes effect only after the restart.
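    The following shell script is an added example and is not part of the Juniper guide or the IDP Series software. It wraps the three procedures above in reusable helpers: a hexadecimal converter so you can confirm the value scio echoes back (0x1E for 30, 0xB4 for 180), and a range-checked editor for the max_ic_users line in user_funcs that refuses values outside 1000 through 100,000 and keeps a .bak copy. It runs against a constructed stand-in for user_funcs rather than the real file; the scio and idp.sh invocations that would follow on the device are shown as comments, since they exist only there.

```shell
#!/bin/sh
# Added example (not Juniper code). Helpers for the three tunables on this page.
# No command here touches the device; the scio/idp.sh calls appear as comments.

# scio echoes values in hex ("scio: sc_ic_reconcile_timeout = 0xB4");
# convert the decimal you typed so you can confirm the echoed value.
to_scio_hex() {
    printf '0x%X\n' "$1"
}

# A candidate max_ic_users value must be an integer in 1000..100000,
# the range the guide gives for the user_funcs setting.
valid_max_ic_users() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1000 ] && [ "$1" -le 100000 ]
}

# Rewrite the "export max_ic_users=..." line in a user_funcs file.
#   $1 = path to the file (on the device: /usr/idp/device/bin/user_funcs)
#   $2 = new value
# Leaves the file untouched and returns 1 on an out-of-range value or if
# the expected line is missing; otherwise keeps a .bak copy of the original.
set_max_ic_users() {
    f=$1; v=$2
    valid_max_ic_users "$v" || { echo "max_ic_users must be 1000..100000, got '$v'" >&2; return 1; }
    grep -q '^export max_ic_users=' "$f" || { echo "no max_ic_users line in $f" >&2; return 1; }
    cp "$f" "$f.bak"
    sed "s/^export max_ic_users=.*/export max_ic_users=$v/" "$f.bak" > "$f"
    # Verify the edit landed before telling the operator to restart the engine.
    grep -q "^export max_ic_users=$v\$" "$f"
}

# Read the current value back, for confirmation before restarting.
get_max_ic_users() {
    sed -n 's/^export max_ic_users=\([0-9]*\)$/\1/p' "$1"
}

# Demonstration on a constructed stand-in for user_funcs (not the real file).
demo_dir=$(mktemp -d)
demo_file=$demo_dir/user_funcs
cat > "$demo_file" <<'EOF'
#!/bin/sh
# constructed sample; the real user_funcs contains many more lines
export max_ic_users=50000
EOF
set_max_ic_users "$demo_file" 80000 && echo "max_ic_users is now $(get_max_ic_users "$demo_file")"
set_max_ic_users "$demo_file" 500 || echo "rejected 500, file unchanged"
echo "180 seconds shows in scio output as $(to_scio_hex 180)"
rm -rf "$demo_dir"

# On the device, as root, the remaining steps would be:
#   scio const -s s0 set sc_ic_reconcile_timeout 180
#   scio user logs throttle set 10
#   idp.sh restart      # required for a new max_ic_users value to take effect
```

The editor writes the new file from the .bak copy rather than using sed -i, which behaves differently on GNU and BSD sed, and it re-reads the line after writing so a failed substitution is reported instead of silently leaving the old limit in place.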


    Published: 2011-02-08