This feature prevents having more than a configurable number of concurrent sessions. The default value is set to 0, which means the concurrent session check is bypassed. Additional logins are prevented if the maximum concurrent session count has been reached. Beyond this, the user can log in using shell --clear-sessions which will invalidate all the active sessions.
The administrator controls this feature through NSX Advanced Load Balancer CLI or REST API. The setting for it is maintained within the UserAccountProfile object. By default, all the users in the system are attached to Default-User-Account-Profile, as shown below. The admin can create a new user account profile with different thresholds if required.
admin:10-10-24-52]: > show useraccountprofile Default-User-Account-Profile +-------------------------------+---------------------------------------------------------+ | Field | Value | +-------------------------------+---------------------------------------------------------+ | uuid | useraccountprofile-6753548e-7ac5-4601-939b-ad4394405db4 | | name | Default-User-Account-Profile | | max_password_history_count | 0 | | max_login_failure_count | 20 | | account_lock_timeout | 30 | | max_concurrent_sessions | 0 | | credentials_timeout_threshold | 0 | +-------------------------------+---------------------------------------------------------+ To change the maximum number of concurrent sessions: [admin:10-10-24-52]: > configure useraccountprofile Default-User-Account-Profile Updating an existing object. Currently, the object is: [admin:10-10-24-52]: useraccountprofile> max_concurrent_sessions 5 Overwriting the previously entered value for max_concurrent_sessions [admin:10-10-24-52]: useraccountprofile> save +-------------------------------+---------------------------------------------------------+ | Field | Value | +-------------------------------+---------------------------------------------------------+ | uuid | useraccountprofile-6753548e-7ac5-4601-939b-ad4394405db4 | | name | Default-User-Account-Profile | | max_password_history_count | 0 | | max_login_failure_count | 20 | | account_lock_timeout | 30 | | max_concurrent_sessions | 5 | | credentials_timeout_threshold | 0 | +-------------------------------+---------------------------------------------------------+
If the threshold has been reached, the user can choose to invalidate existing sessions using the --clear-sessions option of the shell command.
root@10-10-24-52:/home/admin# shell Login: admin Password:
Maximum concurrent session count has been reached. Clear the sessions using shell –clear-sessions
root@10-10-24-52:/home/admin/# shell –clear-sessions Login: admin Password: [admin:10-10-24-52]: >
The sessions are considered invalid when one of the following is observed:
The user’s UI session(s) end, and a login screen is displayed.
The user’s CLI sessions will end with no indication on-screen. The next command typed will trigger the re-validation of a new CLI session, and the command will be executed.
A REST API user’s next API call will fail to validate. Or, if the REST API user is executing calls within a session, the session is ended.
