You can authorize users with user information provided by your authentication servers in
the form of attributes. These attributes, converted into session variables, can be used to create
rules.

Common session variables for all authentication methods.

| Session Variable | Description |
| --- | --- |
| session.logon.last.username | Provides user credentials. The username string is stored after encrypting, using the system's client key. |
| session.logon.last.password | Provides user credentials. The password string is stored after encrypting, using the system's client key. |

Session variables for RADIUS

| Session Variable | Description |
| --- | --- |
| session.RADIUS.last.result | Provides the result of the RADIUS authentication. The available values are: |
| session.RADIUS.last.attr.$attr_name | $attr_name is a value that represents the user’s attributes received during RADIUS authentication. Each attribute is converted to separate session variables. |
| session.RADIUS.last.errmsg | Displays the error message for the last login. If session.RADIUS.last.result is set to 0, then session.RADIUS.last.errmsg may be useful for troubleshooting purposes. Example: c76a50c0.session.RADIUS.last.errmsg 13 Access-Reject |

Session variables for RSA Native SecurID

| Session Variable | Description |
| --- | --- |
| session.securid.last.result | Provides the result of the RSA Native SecurID authentication. The available values are: |

Session variables for Active Directory

| Session Variable | Description |
| --- | --- |
| session.ad.last.attr.$attr_name | $attr_name is a value that represents the user’s attributes received from the Active Directory. Each attribute is converted to separate session variables. |
| session.ad.last.attr.primarygroup.$attr_name | primarygroup.$attr_name is a value that represents the user’s group attributes received from the Active Directory. Each attribute is converted to separate session variables. |
| session.ad.last.actualdomain | AD Auth agent sets this variable to the actual user domain used for successful Active Directory authentication, whether cross-domain support is enabled or disabled. |
| session.ad.last.authresult | Provides the result of the Active Directory authentication. The available values are: |
| session.ad.last.queryresult | Provides the result of the Active Directory query. The available values are: |
| session.ad.last.errmsg | Displays the error message for the last login. If session.ad.last.authresult or session.ad.last.queryresult is set to 0, then session.ad.last.errmsg may be useful for troubleshooting purposes. |

Session variables for LDAP

| Session Variable | Description |
| --- | --- |
| session.ldap.last.authresult | Provides the result of the LDAP authentication. The available values are: |
| session.ldap.last.queryresult | Provides the result of the LDAP query. The available values are: |
| session.ldap.last.attr.$attr_name | $attr_name is a value that represents the user's attributes received during LDAP/query. Each attribute is converted to separate session variables. |
| session.ldap.last.errmsg | Useful for troubleshooting, and contains the last error message generated for LDAP, for example aad2a221.ldap.last.errmsg. |

Session variables for CRLDP

| Session Variable | Description |
| --- | --- |
| session.ldap.ssl.cert.whole | Provides the client certificate received from the user in PEM format. |
| session.ssl.cert.certissuer | Provides the issuer certificate of the client certificate in PEM format. |
| session.crldp.last.result | Sets the result of the CRLDP authentication. The available values are: |
| session.crldp.last.status | Sets the status of the authentication to Failed. |

Session variables for TACACS+

| Session Variable | Description |
| --- | --- |
| session.tacasplus.last.acct.start_date; session.tacasplus.last.acct.start_time | Provides TACACS+ accounting start time and date set by the accounting agent. |
| session.tacacsplus.last.acctresult | Allows the accounting agent to set the available values to either of the following values: |
| session.tacacsplus.last.errmsgs | Contains the error message string when the TACACS+ authentication or accounting fails. |
| session.tacacsplus.last.result | Set to 1 when authentication succeeds, or 0 when it fails. |

Session variables for OCSP

| Session Variable | Description |
| --- | --- |
| session.ssl.cert.whole | Provides the client certificate received from the user in PEM format. |
| session.ssl.cert.certissuer | Provides the issuer certificate of the client certificate in PEM format. |
| session.ocsp.last.result | Sets the result of the OCSP authentication. The available values are: |
| session.ocsp.last.status | Sets the status of the authentication to Failed. |

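
A triage helper for the troubleshooting rule in the tables above (a result variable of 0 points to the matching errmsg variable), added here as an example and not vendor code. It assumes a session-variable dump with one `<session id>.<variable> <length> <value>` entry per line, a layout inferred from the Access-Reject example; every sample line except that one is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Result variable -> companion error variable, using the names in the tables above.
# Only methods where the page ties 0 to failure are listed.
RESULT_TO_ERRMSG = {
    "session.RADIUS.last.result": "session.RADIUS.last.errmsg",
    "session.ad.last.authresult": "session.ad.last.errmsg",
    "session.ad.last.queryresult": "session.ad.last.errmsg",
    "session.tacacsplus.last.result": "session.tacacsplus.last.errmsgs",
}
# Assumed line layout: 8 hex digits, variable name, value length, value.
LINE = re.compile(r"^([0-9a-f]{8})\.(session\.\S+) (\d+) (.*)$")
NEVER_KEEP = {"session.logon.last.password"}  # keep credentials out of triage output

def parse(lines):
    """Group variables by session id; skip malformed lines and credentials."""
    sessions = defaultdict(dict)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        sid, name, length, value = m.groups()
        # Assumption: the middle field is the value length, so a mismatch
        # means the line was truncated or is not in the assumed layout.
        if name in NEVER_KEEP or int(length) != len(value):
            continue
        sessions[sid][name] = value
    return sessions

def failures(sessions):
    """Return (sid, result_variable, error_message) for every result equal to 0."""
    out = []
    for sid, variables in sorted(sessions.items()):
        for result_var, err_var in RESULT_TO_ERRMSG.items():
            if variables.get(result_var) == "0":
                out.append((sid, result_var, variables.get(err_var, "")))
    return out

# Constructed sample; only the Access-Reject line is taken from the page.
SAMPLE = """\
c76a50c0.session.RADIUS.last.result 1 0
c76a50c0.session.RADIUS.last.errmsg 13 Access-Reject
c76a50c0.session.logon.last.password 8 REDACTED
1b2c3d4e.session.ad.last.authresult 1 1
1b2c3d4e.session.ad.last.queryresult 1 0
5f6a7b8c.session.tacacsplus.last.result 1 1
""".splitlines()

if __name__ == "__main__":
    for sid, var, msg in failures(parse(SAMPLE)):
        print(f"{sid} {var}=0 errmsg={msg or '(none)'}")
```

The second sample session shows the case where Active Directory authentication succeeds but the query fails, which only appears if both result variables are checked.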