https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340764#M373280 <HTML><HEAD></HEAD><BODY><P>ah, well in that case it sounds like the VPN isnt connecting the session with its own group policy.</P><P></P><P>FWIW this doc (<A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ad.pdf" target="_blank">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ad.pdf</A>) says the ASA supports the vpn 3000 attributes... so you should be able to set it using the CVPN-XXXX VSAs defined in ACS <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Wed, 15 Jul 2009 12:57:32 GMT darpotter 2009-07-15T12:57:32Z https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340761#M373277 <P>I am using Secure ACS 4.2 Radius to authenticate ipsec vpn clients. There are two different groups of users with different downloadable ACLs and rights. I would like to set the vpn-idle-timeout to different values for each group. I have tried using the IETF Radius attribute setting but it does not work. Can I do this via Secure ACS? If so, how? </P> Sun, 10 Mar 2019 23:35:36 GMT https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340761#M373277 laurabriscoe 2019-03-10T23:35:36Z https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340762#M373278 <HTML><HEAD></HEAD><BODY><P>The RADIUS Idle-Timeout attribute probably should work with Cisco VPN gear.</P><P></P><P>The 3000 range of concentrators have a VSA called "CVPN3000-Authenticated-User-Idle-</P><P>Timeout" that might work depending on your vpn server type.</P><P></P><P>Otherwise, talk to the vendor and find out if they support vendor specific attributes to set the idle timeout.</P></BODY></HTML> Wed, 15 Jul 2009 08:43:33 GMT https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340762#M373278 darpotter 2009-07-15T08:43:33Z https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340763#M373279 <HTML><HEAD></HEAD><BODY><P>Thanks for the response. I am actually using it with an ASA 5510 for vpn access so you'd think it would work. For some reason even if I have the vpn-idle-timeout set for the group policy on the ASA it is not timing out. I am running 8.0.(4)16 on the ASA.</P></BODY></HTML> Wed, 15 Jul 2009 12:05:22 GMT https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340763#M373279 laurabriscoe 2009-07-15T12:05:22Z https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340764#M373280 <HTML><HEAD></HEAD><BODY><P>ah, well in that case it sounds like the VPN isnt connecting the session with its own group policy.</P><P></P><P>FWIW this doc (<A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ad.pdf" target="_blank">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ad.pdf</A>) says the ASA supports the vpn 3000 attributes... so you should be able to set it using the CVPN-XXXX VSAs defined in ACS <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Wed, 15 Jul 2009 12:57:32 GMT https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340764#M373280 darpotter 2009-07-15T12:57:32Z https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340765#M373281 <HTML><HEAD></HEAD><BODY><P>Yes you are right and I have those attributes on and showing in my group settings. I have the [3076\050] Authenticated-User-Idle-Timeout checked and have set the value to both 1800 (in case was seconds) and 30 for minutes but it never times the session out if idle.</P><P></P><P>Maybe I'm using the wrong stuff - my goal is to have a user disconnected from the vpn session if they are idle for 30 minutes. I know they are connecting with that group's settings because I am also using downloadable ACL's from the ACS to control their access and that is working.</P></BODY></HTML> Wed, 15 Jul 2009 14:42:21 GMT https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340765#M373281 laurabriscoe 2009-07-15T14:42:21Z https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340766#M373282 <HTML><HEAD></HEAD><BODY><P>Look like you need to open a TAC case against the ASA server.</P><P></P><P>Its one thing to list a load of old vpn 3K VSAs and say they are "supported" by the PIX/ASA.. that just means it wont barf if you send them. Its another thing to say that they are "fully supported".</P><P></P><P>Clearly the idle timeout VSA is not fully supported.</P></BODY></HTML> Thu, 16 Jul 2009 07:37:39 GMT https://community.cisco.com/t5/network-access-control/setting-remote-access-vpn-idle-timeout-via-secure-acs-server/m-p/1340766#M373282 darpotter 2009-07-16T07:37:39Z