Table of Contents
Advertisement
Parameters
seconds
Guidelines
Meaningful only if caching is enabled.
Related Commands
cache-allow
Examples
v Specifies a cache lifetime of 10 seconds for the current AAA Policy.
dos-valve
Limits the number of times to perform the same XML processing per user request.
Syntax
dos-valve repetitions
Parameters
repetitions
Guidelines
The dos-valve command limits the number of times to perform the same XML
processing per user request. XML processing includes encryption, decryption,
message signing, and signature validation. At this time, the AAA Policy supports
this setting in the following cases:
v Identity extraction when the method is Subject DN from Certificate in the
v Authentication when the method is Validate the Signer Certificate for a Digitally
When used with a value of 1, the AAA Policy extracts the first signature and its
first reference from the security header and ignores all other signatures or signing
references. If the security header contains more signatures or a single signature
contains more signing references, these signatures and signing references are
ignored. During signature verification, the processing fails if the needed signature
is not part of extracted identity.
For example if dos-valve is 2 and the needed information to verify the signature
was the third signing reference, the verification would fail. However if the
information was the second signing reference, the verification would succeed.
Specifies the number of seconds that authentication and authorization data
is retained in the policy cache. The default is 3.
# cache-ttl 10
#
Specifies the number of repetitions. Use a value in the range of 1 through
1000. The default is 3.
Message's signature (extract-identity command set to the signer-dn method).
Signed Message (the authorize command set to the validate-signer method).
Chapter 3. AAA Policy configuration mode
155
Advertisement
Table of Contents
