01-21-2009 08:24 AM - edited 03-10-2019 04:17 PM
Hi, I'd like to limit a user to one authenticated session in aaa network access, with ASA and ACS.
Is TACACS+ accounting necessary?
thank you in advance
RS
01-21-2009 11:45 AM
Hi
Yes. If you want to use the group or user max sessions limits in ACS you need to have session accounting enabled.
ACS uses the start/stop messages to track sessions.
Accounting must also be reliable and predictable, i.e.
authentication, then start, then stop, all on the same port.
T+ is usually sound, but some RADIUS implementations don't control the device port number and/or send out-of-sequence packets, namely wireless devices.
If you see any "NAS Port re-used" messages in the ACS logs it might mean max sessions will be unreliable.
01-22-2009 01:43 AM
Hi, yes I receive tacacs+ start and stop accounting messages in ACS, but it seems they are related to single tcp sessions, not to the entire connection.
I'd like to limit the use of the same username from multiple IPs at the same time.
thank you in advance
RS
01-22-2009 06:06 AM
I have never done it with Cisco ACS so I cannot offer much support on this.
However, I've done it many times on Cisco Freeware TACACS+ and it is very easy.
1- In Cisco Freeware TACACS+, include "max-session = 1" under either the user profile or the group file definition.
2- In the router itself, you need to enable "ip finger". This will allow the TACACS+ server to query the router every time there is a new attempt to log in. If you already have a session to the router, the TACACS+ server will see this and reject a new session for that same user. If the login ID is different from what is already connected to the router, it will then be accepted:
C7140#who
Line User Host(s) Idle Location
0 con 0 idle 11w2d
* 2 vty 0 cciesec idle 00:00:00 192.168.15.9
Interface User Mode Idle Peer Address
C7140#
Now if user "cciesec" tries to login again through another session, it will
be rejected by the TACACS server:
[root@LinuxES-lab1 root]# finger @192.168.15.1
Line User Host(s) Idle Location
0 con 0 idle 11w2d
2 vty 0 cciesec idle 00:04:00 192.168.15.9
* 3 vty 1 idle 00:00:00 192.168.128.100
Interface User Mode Idle Peer Address
[root@LinuxES-lab1 root]#
Easy right?
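The check described in the post above, written out as an added Python example (this is not code from the thread and not how the Cisco freeware TACACS+ daemon implements max-session): parse the `who` table that an IOS device returns over finger when "ip finger" is enabled, count lines per user, and allow a login only while that user's count is below the limit. The sample table is constructed from the output quoted above; `finger_query` is an assumed helper that speaks the plain finger protocol (TCP 79, empty request) and is only needed against a live device.

```python
import re
import socket
from collections import Counter

# Constructed sample, modelled on the "who" table quoted in the post above,
# with whitespace collapsed the way the forum rendered it.
SAMPLE_WHO = """\
Line User Host(s) Idle Location
0 con 0 idle 11w2d
2 vty 0 cciesec idle 00:04:00 192.168.15.9
* 3 vty 1 idle 00:00:00 192.168.128.100
Interface User Mode Idle Peer Address
"""

# Idle-time column formats seen in IOS output: hh:mm:ss, 11w2d, 3d12h, 5h10m, never.
IDLE_RE = re.compile(r"^(?:\d+:\d{2}:\d{2}|\d+w\d+d|\d+d\d+h|\d+h\d+m|never)$")


def finger_query(host, port=79, timeout=5.0):
    """Send an empty finger request (RFC 1288) and return the reply as text.
    Against an IOS device with 'ip finger' the reply is the 'who' table."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


def parse_who(text):
    """Turn the 'Line ... Location' table into a list of dicts, one per line.
    The user column is optional (console without login, vty still authenticating),
    so the idle-time column is located first and the user is whatever sits between
    the line index and the Host(s) column."""
    sessions = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Line"):          # table header
            in_table = True
            continue
        if line.startswith("Interface"):     # start of the interface table: done
            break
        if not in_table or not line:
            continue
        current = line.startswith("*")       # '*' marks the line issuing the command
        tokens = line.lstrip("*").split()
        if len(tokens) < 5:
            continue
        tty, kind, idx = tokens[0], tokens[1], tokens[2]
        rest = tokens[3:]
        idle_pos = next((i for i, t in enumerate(rest) if IDLE_RE.match(t)), None)
        if idle_pos is None or idle_pos == 0:
            continue                         # no Host(s) column: not a session row
        host = rest[idle_pos - 1]
        user = " ".join(rest[:idle_pos - 1]) or None
        location = rest[idle_pos + 1] if idle_pos + 1 < len(rest) else None
        sessions.append({
            "tty": tty, "type": kind, "index": idx, "user": user, "host": host,
            "idle": rest[idle_pos], "location": location, "current": current,
        })
    return sessions


def sessions_by_user(text):
    """Count authenticated lines per username; lines with no user are ignored."""
    counts = Counter()
    for s in parse_who(text):
        if s["user"]:
            counts[s["user"]] += 1
    return counts


def login_allowed(text, user, max_sessions=1):
    """The max-session decision: permit only while the user's line count is below the limit."""
    return sessions_by_user(text)[user] < max_sessions


if __name__ == "__main__":
    # With the sample table, cciesec already holds vty 0, so a second login is refused.
    print(sessions_by_user(SAMPLE_WHO))
    print("cciesec allowed:", login_allowed(SAMPLE_WHO, "cciesec"))
    print("newuser allowed:", login_allowed(SAMPLE_WHO, "newuser"))
```

Two things worth noticing: a vty that is still authenticating (vty 1 in the sample) shows no username and is not counted, so the check only covers sessions that have already passed login; and because the decision depends on the router answering finger, a device that does not answer (or answers slowly) has to be treated as "deny" or "allow" explicitly, which is a policy choice this example leaves to the caller.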
12-09-2010 04:17 PM
One thing to note is what ACS considers a session, and what the NAS does. ACS defines a session as the unique combination of username, NAS IP, and source TCP port number. So ACS will allow the same user to authenticate multiple times to the same device since all values of that triplet remain the same. Just FYI
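To tie the accounting answer earlier in the thread to the session definition in the post above, here is an added Python example (not ACS code, and not the thread's) that replays start/stop accounting records into a tracker keyed on the (username, NAS IP, port) triplet. It shows the two failure modes the earlier reply warns about: a second start on a triplet that never got a stop (the "NAS Port re-used" case) and a stop arriving before its start (out-of-sequence), which leaves a phantom open session. The records are constructed, and treating a repeated start as the old session having ended is an assumption of this example, not documented ACS behaviour.

```python
from collections import Counter

# Constructed accounting records, not real ACS log lines:
# (type, username, nas_ip, port) in arrival order.
SAMPLE_RECORDS = [
    ("start", "rs",  "10.0.0.1", "tty2"),
    ("start", "rs",  "10.0.0.2", "tty1"),   # same user, second device
    ("stop",  "rs",  "10.0.0.1", "tty2"),
    ("start", "rs",  "10.0.0.2", "tty1"),   # start with no stop in between: port re-used
    ("stop",  "bob", "10.0.0.3", "tty5"),   # out of sequence: stop before its start
    ("start", "bob", "10.0.0.3", "tty5"),   # ...so bob now looks logged in although he left
]


class SessionTracker:
    """Track open sessions keyed on the (user, NAS IP, port) triplet."""

    def __init__(self):
        self.open = set()        # triplets with a start and no stop yet
        self.port_reuse = []     # triplets that received a second start while open
        self.orphan_stops = []   # stops that matched no open triplet

    def feed(self, rec_type, user, nas_ip, port):
        key = (user, nas_ip, port)
        if rec_type == "start":
            if key in self.open:
                # ASSUMPTION: a repeated start means the earlier session ended without
                # a stop; record it as port reuse and carry on with the new session.
                self.port_reuse.append(key)
            self.open.add(key)
        elif rec_type == "stop":
            if key in self.open:
                self.open.remove(key)
            else:
                # Nothing to close: either duplicate stop or stop-before-start.
                self.orphan_stops.append(key)
        else:
            raise ValueError(f"unknown accounting record type {rec_type!r}")

    def count_for(self, user):
        """Open sessions for one user across all devices and ports."""
        return sum(1 for (u, _, _) in self.open if u == user)

    def per_user(self):
        return Counter(u for (u, _, _) in self.open)

    def allowed(self, user, max_sessions=1):
        """Per-user max-sessions decision: deny once the open count reaches the limit."""
        return self.count_for(user) < max_sessions

    def unreliable(self):
        """True when the stream showed symptoms that make the counts untrustworthy."""
        return bool(self.port_reuse or self.orphan_stops)


def replay(records):
    tracker = SessionTracker()
    for rec in records:
        tracker.feed(*rec)
    return tracker


if __name__ == "__main__":
    t = replay(SAMPLE_RECORDS)
    print("open per user:", dict(t.per_user()))
    print("rs allowed:", t.allowed("rs"), "| bob allowed:", t.allowed("bob"))
    print("port re-used:", t.port_reuse)
    print("orphan stops:", t.orphan_stops)
    print("counts unreliable:", t.unreliable())
```

The point of `unreliable()` is the practical one from the earlier reply: once the accounting stream shows port reuse or orphan stops, a max-sessions limit built on it will either lock users out (phantom sessions, as for "bob") or let extra sessions through (silently dropped sessions), so those log messages are worth alerting on rather than ignoring.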