11-04-2009 10:10 AM - edited 03-10-2019 04:46 PM
Can I limit the number that can use a specific user entry to 1 at a time in ACS?
11-04-2009 10:14 AM
Hi, do you mean the number of times that user can log in? If so, that would depend on setting up accounting on the AAA Client that the User is logging into...
Having accounting enabled would allow ACS to know how many times the user has logged in, and therefore, you can limit the number of connections to only one.
User Setup, look for: Max Sessions
11-05-2009 01:37 AM
Before using the Max Sessions feature, check your accounting start/stop messages first.
For the feature to work, both start & stop packets must have the NAS-Port attribute AND it must contain the SAME UNIQUE value in both start/stop packets that matches the value from the authentication request.
You'd be surprised how many devices don't do this - particularly VPN and Wireless that don't have physical ports.
If these conditions aren't met max sessions will not work and you end up with users not being able to connect.
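The accounting check described in the post above, as an added example that is not part of the original thread. It assumes a simplified session tracker keyed on (NAS, NAS-Port), which is a model for illustration and not ACS's own code; the records, addresses and user names are constructed.

```python
from collections import defaultdict

# Constructed sample records: (packet kind, user, NAS address, NAS-Port).
# None means the packet carried no NAS-Port attribute.
RECORDS = [
    ("auth",  "alice", "10.0.0.1", 101),
    ("start", "alice", "10.0.0.1", 101),
    ("stop",  "alice", "10.0.0.1", 101),   # clean session
    ("auth",  "bob",   "10.0.0.2", 7),
    ("start", "bob",   "10.0.0.2", 7),
    ("stop",  "bob",   "10.0.0.2", None),  # stop without NAS-Port
    ("auth",  "carol", "10.0.0.3", 0),
    ("start", "carol", "10.0.0.3", 0),
    ("auth",  "dave",  "10.0.0.3", 0),
    ("start", "dave",  "10.0.0.3", 0),     # NAS-Port reused while carol is active
]

def audit(records):
    """Return (findings, open_sessions) for a tracker keyed on (NAS, NAS-Port)."""
    findings = []
    pending = {}  # (nas, port) -> user seen in the authentication request
    active = {}   # (nas, port) -> user whose accounting start opened the session
    for kind, user, nas, port in records:
        if port is None:
            findings.append(f"{kind} for {user} on {nas}: NAS-Port missing")
            continue
        key = (nas, port)
        if kind == "auth":
            pending[key] = user
        elif kind == "start":
            if pending.get(key) != user:
                findings.append(f"start for {user} on {nas}: NAS-Port {port} not in auth request")
            if key in active and active[key] != user:
                findings.append(f"start for {user} on {nas}: NAS-Port {port} in use by {active[key]}")
            active[key] = user
        elif kind == "stop":
            if active.get(key) == user:
                del active[key]  # stop matched its start, session closed
            else:
                findings.append(f"stop for {user} on {nas}: no matching start on NAS-Port {port}")
    counts = defaultdict(int)
    for user in active.values():
        counts[user] += 1
    return findings, dict(counts)

if __name__ == "__main__":
    problems, still_open = audit(RECORDS)
    print("\n".join(problems))
    print("sessions still counted as open:", still_open)
```

In this model bob's session is never closed, so a Max Sessions limit of 1 would refuse his next login, and carol's session is lost from the count when dave reuses the same NAS-Port value.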
11-05-2009 03:32 AM
Thanks a bunch. I take it then that since this is wireless it can't be done.
11-06-2009 03:06 AM
I wouldn't say it can't be done... but you have to look and make sure the NAS-Port attribute looks sensible. Going back a few years I know Aironet, for example, was quite tricky to make work with max sessions.
The other thing is that because wifi comes and goes it's hard for the AP to know when the session has finished. Max sessions was implemented with Dial in mind (yes, that's how old it is!!!), i.e. real physical ports.
With wifi you could look at the number of MAC IDs in use by a user at any one time as a way to control concurrent sessions.
No not impossible, but probably unlikely to work reliably.