Limiting User Sessions in Junos Space
Using Junos Space Network Management Platform, you can configure the maximum number of concurrent UI sessions that are allowed for each user, both globally and at the individual user level, which can help you improve system performance.
When this limit is configured, any login attempt from the GUI
is validated against this limit and the user is prevented from logging
in if the concurrent user sessions limit is reached for that user.
The user is notified with the following message:
You are not allowed to login since your sessions exceed the configured limit.
The audit log entry also includes the reason for login failure:
Login Failed. Maximum concurrent user session limit is reached.
In Junos Space Platform, you can configure a global concurrent UI sessions limit that is applicable to all users. However, if you have a user-level configuration limit for a specific user, then this configuration limit takes precedence over the global configuration limit for users. For example, if you set the global limit to 5 and the user-level limit to 10 for user A, then user A is prevented from logging in at the eleventh attempt. However, if the global limit is set to 10 and the user-level limit is set to 5, then the user is rejected at the sixth login attempt.
In instances where you have the same user configured locally as well as remotely (that is, on the TACACS+ or RADIUS server), the concurrent UI sessions limit that is most restrictive takes effect. For example, if you have set the sessions limit to 1 in the TACACS+ server and to 2 in Junos Space Platform for user B, then user B is prevented from logging in at the second attempt. When the sessions limit is set to 2 in the TACACS+ server and to 1 in Junos Space Platform, you can see the same results of the user being rejected at the second attempt.
The concurrent user sessions limit does not apply if you are a super user and you are allowed to log in even when you have exceeded this limit.
Consider the following points while setting the concurrent user sessions limit:
Accessing the Junos Space GUI from two tabs of the same browser is considered a single session.
Accessing the GUI from an incognito tab is considered a separate session.
Accessing the GUI from another browser is considered a separate session.
Configuring Junos Space parameters by using APIs is not considered a session.
This topic provides information about how to set the global limit for concurrent UI sessions per user in Junos Space Platform. For more information about setting user-level limits for concurrent UI sessions for new and existing users, see Creating Users in Junos Space Network Management Platform and Modifying a User respectively.
To set the concurrent user sessions limit globally:
- On the Junos Space Platform UI, select Administration
The Applications page appears.
- Select Network Management Platform.
- Select Modify Application Setting from the
The Modify Network Management Platform Settings page appears.
- Click User.
- In the Maximum concurrent UI sessions per user field, enter the maximum number of concurrent UI sessions that should
be allowed per user.
By default, a user is allowed up to five concurrent UI sessions. You can enter a value from 0 through 999. A value of 0 (zero) means that there is no restriction on the number of concurrent UI sessions that are allowed per user. However, the system performance may be affected if you allow unlimited sessions.
- Click Modify to save the global limit for the number of concurrent UI sessions that should be allowed per user.
The changes that you make to the concurrent UI sessions limit (either at the global level or at the user level) do not affect existing sessions. That is, this limit is validated against the next user login only.
For troubleshooting, see the
/var/log/jboss/servers/server1/server.log file, which captures internal errors. Also, see the audit logs,
which capture the following information:
Configuration changes made by the administrator to the global concurrent UI sessions limit
The time at which the global configuration is overridden at the user level
The time at which the concurrent UI sessions limit is reached for a user