09-19-2006 11:49 AM - edited 03-10-2019 02:45 PM
Hi,
I have an issue with ACS and authentication proxy. It turns out that I want users to have only one session at a given time, but the ACS is allowing more than one session per user.
Imagine the following sequence of events:
1) user A logs in ok
2) another user A tries to log in and is correctly blocked
3) user B logs in ok
4) another user B tries to log in and is correctly blocked
5) If at this point another user A tries to log in, it is not blocked
and I have the same user A account logged in twice.
At this point, I can log in another user B without problem, resulting in two accounts connected for user B, which is not what I want.
The router config is attached.
On the ACS Server, I have the User max session set to 1, and the auth-proxy priv-lvl is as follows:
priv-lvl=15
proxyacl#1=deny tcp any host 10.10.10.1 eq telnet ! this is to prevent users from telnetting into the rtr.
proxyacl#2=permit ip any any
proxyacl#3=permit icmp any any
Any help you can provide, will be greatly appreciated.
Regards,
Eduardo
09-21-2006 03:00 AM
I assume you have full session accounting on - max sessions won't work otherwise.
Also, how are you testing this? If ACS sees a second authentication on the same port it will assume the 1st session must have ended and clear it.
Look in the ACS accounting report and/or passed auths - do you see any "NAS Port re-used" messages?
Darran
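The dependency Darran describes (a max-sessions limit only works if the server has start/stop accounting to count from, and a new start record on an already-occupied NAS port is treated as "the old session ended") can be shown with a small session tracker. This is an added illustration, not ACS code or Cisco's implementation; the accounting record layout, the "port" being the auth-proxy client address, and the usernames/addresses are all constructed assumptions. It replays the five-step sequence from the original question once with accounting on and once with it off, then shows a stop record and a port re-use clearing a counted session.

```python
"""Toy per-user max-sessions enforcement driven by accounting records.

Added example (not ACS or IOS code). Records are constructed dicts with the
keys flag ("start"/"stop"), user, nas, port and session_id; for an auth-proxy
login we assume the NAS "port" is the client's IP address.
"""
from dataclasses import dataclass, field


@dataclass
class SessionTracker:
    limit: int = 1
    # (nas, port) -> (user, session_id): one live session per NAS port
    active: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def sessions_for(self, user):
        """Ports on which this user currently holds a counted session."""
        return [key for key, (u, _) in self.active.items() if u == user]

    def login_allowed(self, user):
        """Max-sessions check: counted sessions must stay below the limit."""
        return len(self.sessions_for(user)) < self.limit

    def accounting(self, rec):
        """Consume one start/stop record and update the session table."""
        key = (rec["nas"], rec["port"])
        if rec["flag"] == "start":
            if key in self.active:
                # A new start on an occupied port: the previous session on
                # that port is assumed to have ended and is cleared.
                old_user, old_sid = self.active[key]
                self.events.append(
                    f"NAS port re-used: {key} cleared session {old_sid} of {old_user}")
            self.active[key] = (rec["user"], rec["session_id"])
        elif rec["flag"] == "stop":
            # Only the session that was started on this port may close it.
            if self.active.get(key, (None, None))[1] == rec["session_id"]:
                del self.active[key]


def replay(logins, send_accounting=True, limit=1):
    """Replay (user, nas, port, session_id) login attempts.

    Returns the allow/deny decision per attempt and the tracker state. With
    send_accounting=False no start record reaches the server, so it never
    learns that a session exists and the limit cannot be enforced.
    """
    tracker = SessionTracker(limit=limit)
    decisions = []
    for user, nas, port, sid in logins:
        allowed = tracker.login_allowed(user)
        decisions.append((user, allowed))
        if allowed and send_accounting:
            tracker.accounting({"flag": "start", "user": user,
                                "nas": nas, "port": port, "session_id": sid})
    return decisions, tracker


# Constructed sequence mirroring the question: A, A again, B, B again, A again.
NAS = "10.10.10.1"
SEQUENCE = [
    ("userA", NAS, "10.10.10.11", "s1"),
    ("userA", NAS, "10.10.10.12", "s2"),
    ("userB", NAS, "10.10.10.13", "s3"),
    ("userB", NAS, "10.10.10.14", "s4"),
    ("userA", NAS, "10.10.10.12", "s5"),
]


def demo():
    """Return decisions with accounting on/off plus the stop and re-use cases."""
    with_acct, tracker = replay(SEQUENCE, send_accounting=True)
    without_acct, _ = replay(SEQUENCE, send_accounting=False)

    # A stop record for userA's session frees the slot again.
    tracker.accounting({"flag": "stop", "user": "userA", "nas": NAS,
                        "port": "10.10.10.11", "session_id": "s1"})
    allowed_after_stop = tracker.login_allowed("userA")

    # A start for another user on userB's port clears userB's counted session.
    tracker.accounting({"flag": "start", "user": "userC", "nas": NAS,
                        "port": "10.10.10.13", "session_id": "s6"})
    allowed_after_reuse = tracker.login_allowed("userB")
    return with_acct, without_acct, allowed_after_stop, allowed_after_reuse, tracker.events


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With accounting on, the fifth attempt (userA a second time) is denied, which is the behaviour the question expects; with no start records the server allows every attempt. The stop record and the port re-use both remove a counted session, which is why a missing or late stop record, or a re-used port, changes what the limit enforces.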
09-22-2006 08:12 AM
Thanks for your reply, Darran.
Yes, I have lines for accounting for things that I do not even plan to use, just to be on the safe side:
aaa new-model
!
!
aaa group server tacacs+ Oasis
 server 10.10.10.5
!
aaa authentication login default group Oasis none
aaa authorization exec default group Oasis none
aaa authorization commands 15 default group Oasis none
aaa authorization auth-proxy default group Oasis local
aaa accounting send stop-record authentication failure
aaa accounting auth-proxy default start-stop group Oasis
aaa accounting commands 15 default start-stop group Oasis
aaa accounting network default start-stop group Oasis
aaa accounting system default start-stop group tacacs+ group Oasis
aaa accounting resource default start-stop group Oasis
aaa session-id common
ip dhcp relay information trust-all
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool Oasis_dhcp
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
 lease infinite
 update arp
ip auth-proxy auth-proxy-banner http
ip auth-proxy auth-proxy-audit
ip auth-proxy name acceso http inactivity-time 60
ip admission auth-proxy-banner http
ip admission auth-proxy-audit
ip name-server xxx.xxx.xxx.xxx
interface Vlan1
 description Switch Ethernet 4Ptos 10-100
 ip dhcp relay information trusted
 ip dhcp client update dns
 ip address 10.10.10.1 255.255.255.0
 ip access-group 150 in
 ip auth-proxy acceso
 .
 .
 .
!
ip http server
ip http authentication aaa
no ip http secure-server
ip nat inside source list 20 interface Dialer1 overload
!
Also, on the ACS, I have the Max sessions set to 1, but on the ACS reports I do not see any port re-used message.
I have a lab with 4 PCs and the ACS server (Win2003, standard).
Again, thanks for your interest.
Eduardo
09-22-2006 12:55 PM
Another thing I have noticed is that when I go to see "Connected Users" in the ACS, the users "disappear" from the ACS after a while, although the same user is still connected in the router (as seen with "sh ip auth-proxy cache").
Thanks
Eduardo