whanson
Explorer

ACS user database

Can I limit the number that can use a specific user entry to 1 at a time in ACS?

ansalaza
Beginner

Hi, do you mean the number of times that user can log in? If so, that would depend on setting up accounting on the AAA Client that the User is logging into...

Having accounting enabled would allow ACS to know how many times the user has logged in, and therefore, you can limit the number of connections to only one.

User Setup, look for: Max Sessions

Before using the Max Sessions feature, check your accounting start/stop messages first.

For the feature to work, both start & stop packets must have the NAS-Port attribute AND it must contain the SAME UNIQUE value in both start/stop packets that matches the value from the authentication request.

You'd be surprised how many devices don't do this - particularly VPN and Wireless that don't have physical ports.

If these conditions aren't met, max sessions will not work and you end up with users not being able to connect.
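
As an added example (not part of the original posts and not Cisco code), the check this reply describes can be scripted against exported accounting records. The record layout, the `session` correlation key and every sample value below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from a real ACS log). "session" is a
# hypothetical correlation key tying one auth request to its start/stop.
RECORDS = [
    {"kind": "auth",  "nas": "ap1",  "user": "alice", "session": "s1", "nas_port": "29"},
    {"kind": "start", "nas": "ap1",  "user": "alice", "session": "s1", "nas_port": "29"},
    {"kind": "stop",  "nas": "ap1",  "user": "alice", "session": "s1", "nas_port": "29"},
    {"kind": "auth",  "nas": "vpn1", "user": "bob",   "session": "s2", "nas_port": "0"},
    {"kind": "start", "nas": "vpn1", "user": "bob",   "session": "s2", "nas_port": "0"},
    {"kind": "auth",  "nas": "vpn1", "user": "carol", "session": "s3", "nas_port": "0"},
    {"kind": "start", "nas": "vpn1", "user": "carol", "session": "s3", "nas_port": "0"},
    {"kind": "stop",  "nas": "vpn1", "user": "bob",   "session": "s2", "nas_port": None},
    {"kind": "auth",  "nas": "ap2",  "user": "dave",  "session": "s4", "nas_port": "7"},
    {"kind": "start", "nas": "ap2",  "user": "dave",  "session": "s4", "nas_port": "7"},
    {"kind": "stop",  "nas": "ap2",  "user": "dave",  "session": "s4", "nas_port": "8"},
]

def check_nas_port(records):
    """Return {session: [problems]} for sessions that break the NAS-Port conditions."""
    ports = defaultdict(dict)   # session -> {kind: nas_port}
    open_ports = {}             # (nas, nas_port) -> session currently holding it
    problems = defaultdict(list)
    for r in records:
        sid, kind, port = r["session"], r["kind"], r["nas_port"]
        ports[sid][kind] = port
        if port is None:
            problems[sid].append(f"{kind} has no NAS-Port")
            continue
        key = (r["nas"], port)
        if kind == "start":
            # The value must be unique among sessions open on the same NAS.
            holder = open_ports.setdefault(key, sid)
            if holder != sid:
                problems[sid].append(f"NAS-Port {port} not unique, also held by {holder}")
        elif kind == "stop" and open_ports.get(key) == sid:
            del open_ports[key]
    for sid, seen in ports.items():
        # Auth, start and stop must all carry the same value.
        values = {v for v in seen.values() if v is not None}
        if len(values) > 1:
            problems[sid].append(f"NAS-Port differs across packets: {sorted(values)}")
    return dict(problems)

if __name__ == "__main__":
    for sid, issues in check_nas_port(RECORDS).items():
        print(sid, issues)
```

Any session it reports is one where a Max Sessions count could not be matched up reliably for that device.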

Thanks a bunch. I take it then that since this is wireless it can't be done.

I wouldn't say it can't be done... but you have to look and make sure the NAS-Port attribute looks sensible. Going back a few years I know Aironet, for example, was quite tricky to make work with max sessions.

The other thing is that because wifi comes and goes it's hard for the AP to know when the session has finished. Max sessions was implemented with Dial in mind (yes, that's how old it is!!!), i.e. real physical ports.

With wifi you could look at the number of MAC IDs in use by a user at any one time as a way to control concurrent sessions.

No, not impossible, but probably unlikely to work reliably.
