Manual Chapter: AAA Session Variables

List of AAA session variables

Refer to these tables for all AAA authentication session variables and attributes.

AAA server session variables for access policy rules

You can authorize your users with user information provided by your authentication servers in the form of attributes. These attributes, converted into session variables, can be used to create rules.

Common session variables for all authentication methods.

Session Variable Description
session.logon.last.username Provides user credentials. The username string is encrypted with the system's client key before it is stored.
session.logon.last.password Provides user credentials. The password string is encrypted with the system's client key before it is stored.

Session variables for RADIUS

Session Variable Description
session.RADIUS.last.result Provides the result of the RADIUS authentication. The available values are:
  • 0: Failed
  • 1: Passed
session.RADIUS.last.attr.$attr_name $attr_name is a value that represents the user’s attributes received during RADIUS authentication. Each attribute is converted to a separate session variable.
session.RADIUS.last.errmsg Displays the error message for the last login. If session.RADIUS.last.result is set to 0, then session.RADIUS.last.errmsg may be useful for troubleshooting purposes. Example: c76a50c0.session.RADIUS.last.errmsg 13 Access-Reject

Session variables for RSA Native SecurID

Session Variable Description
session.securid.last.result Provides the result of the RSA Native SecurID authentication. The available values are:
  • 0: Failed
  • 1: Passed

Session variables for Active Directory

Session Variable Description
session.ad.last.attr.$attr_name $attr_name is a value that represents the user’s attributes received from Active Directory. Each attribute is converted to a separate session variable.
session.ad.last.attr.primarygroup.$attr_name primarygroup.$attr_name is a value that represents the user’s group attributes received from Active Directory. Each attribute is converted to a separate session variable.
session.ad.last.authresult Provides the result of the Active Directory authentication. The available values are:
  • 0: Failed
  • 1: Passed
session.ad.last.queryresult Provides the result of the Active Directory query. The available values are:
  • 0: Failed
  • 1: Passed
session.ad.last.errmsg Displays the error message for the last login. If session.ad.last.authresult or session.ad.last.queryresult is set to 0, then session.ad.last.errmsg may be useful for troubleshooting purposes.

Session variables for LDAP

Session Variable Description
session.ldap.last.authresult Provides the result of the LDAP authentication. The available values are:
  • 0: Failed
  • 1: Passed
session.ldap.last.queryresult Provides the result of the LDAP query. The available values are:
  • 0: Failed
  • 1: Passed
session.ldap.last.attr.$attr_name $attr_name is a value that represents the user's attributes received during LDAP/query. Each attribute is converted to a separate session variable.
session.ldap.last.errmsg Contains the last error message generated for LDAP, which is useful for troubleshooting. Example: aad2a221.ldap.last.errmsg

Session variables for CRLDP

Session Variable Description
session.ldap.ssl.cert.whole Provides the client certificate received from the user in PEM format.
session.ssl.cert.certissuer Provides the issuer certificate of the client certificate in PEM format.
session.crldp.last.result Sets the result of the CRLDP authentication. The available values are:
  • 0: Failed
  • 1: Passed
session.crldp.last.status Sets the status of the authentication to Failed.

Session variables for TACACS+

Session Variable Description
session.tacacsplus.last.acct.start_date; session.tacacsplus.last.acct.start_time Provide the TACACS+ accounting start date and time set by the accounting agent.
session.tacacsplus.last.acctresult Set by the accounting agent to one of the following values:
  • 0: Failed
  • 1: Succeeds
session.tacacsplus.last.errmsgs Contains the error message string when the TACACS+ authentication or accounting fails.
session.tacacsplus.last.result Set to 1 when authentication succeeds, or 0 when it fails.

Session variables for OCSP

Session Variable Description
session.ssl.cert.whole Provides the client certificate received from the user in PEM format.
session.ssl.cert.certissuer Provides the issuer certificate of the client certificate in PEM format.
session.ocsp.last.result Sets the result of the OCSP authentication. The available values are:
  • 0: Failed
  • 1: Passed
session.ocsp.last.status Sets the status of the authentication to Failed.
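
Added example (not part of the manual and not the vendor's code): a Python triage script that reads session-variable lines shaped like the Access-Reject example above and lists every result variable set to 0 together with its error message. The line shape (8-hex-digit session ID, variable name, value length, value) is an assumption inferred from that one example; parse_dump, failed_checks and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
# Result variable -> error-message variable from the tables above (None: none listed).
RESULT_VARS = {
    "session.RADIUS.last.result": "session.RADIUS.last.errmsg",
    "session.ad.last.authresult": "session.ad.last.errmsg",
    "session.ad.last.queryresult": "session.ad.last.errmsg",
    "session.ldap.last.authresult": "session.ldap.last.errmsg",
    "session.ldap.last.queryresult": "session.ldap.last.errmsg",
    "session.tacacsplus.last.result": "session.tacacsplus.last.errmsgs",
    "session.tacacsplus.last.acctresult": "session.tacacsplus.last.errmsgs",
    "session.securid.last.result": None,
    "session.crldp.last.result": None,
    "session.ocsp.last.result": None,
}
# Assumed line shape, from the page's one example: <id>.<variable> <length> <value>
LINE = re.compile(r"^([0-9a-f]{8})\.(session\.\S+) (\d+) (.*)$")

def parse_dump(text):
    """Return {session_id: {variable: value}}; drop malformed lines and the password."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or len(m.group(4)) != int(m.group(3)):
            continue  # wrong shape, or length field disagrees with the value
        sid, var, _, value = m.groups()
        if var != "session.logon.last.password":  # never carry credentials along
            sessions[sid][var] = value
    return dict(sessions)

def failed_checks(sessions):
    """List (session_id, result_variable, error_message) for every result of 0."""
    findings = []
    for sid, variables in sorted(sessions.items()):
        for result_var, err_var in RESULT_VARS.items():
            if variables.get(result_var) == "0":
                findings.append((sid, result_var, variables.get(err_var, "")))
    return findings

# Constructed sample; only the Access-Reject line is taken from the page.
SAMPLE = """\
c76a50c0.session.RADIUS.last.result 1 0
c76a50c0.session.RADIUS.last.errmsg 13 Access-Reject
aad2a221.session.ldap.last.authresult 1 1
aad2a221.session.ldap.last.queryresult 1 0
aad2a221.session.ldap.last.errmsg 14 No such object
aad2a221.session.logon.last.password 6 XXXXXX
"""
if __name__ == "__main__":
    print(failed_checks(parse_dump(SAMPLE)))
```

A result of 0 for a method that lists no error-message variable (SecurID, CRLDP, OCSP) is reported with an empty message, so it still shows up in the findings.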