Cisco Secure Multiple Authentication

kefah
Level 1

Dear Tech,

We have Cisco Secure 2.6 and it is using the Windows NT database. We have a PIX firewall 5.1. Cisco Secure is configured for single session in the group settings that are mapped to Windows NT groups. Initially it worked fine and denied multiple sessions; after one week it is allowing anyone to log in from multiple machines. We want Cisco Secure not to allow multiple sessions. Please give us the right direction.

Thanks

4 Replies

s-doyle
Level 3

If you’re sure it’s configured for single sessions and allowing multiple, it sounds like a bug. I haven’t seen that behavior though so you should run it by Cisco’s techs.

robert.hyde
Level 1

CiscoSecure ACS 2.6 has the ability to log SUCCESSFUL authentications; I would recommend turning this on and looking at the results. This should provide some good insight. Chances are that these users are ending up in the wrong group. Also, keep in mind that if your "unknown user policy" is set to go to Windows NT, and a user first authenticates as "george" and next authenticates as "domain1\george", ACS will see this as two different users, create two different user profiles, and possibly drop them into different groups depending on your mappings.

Good luck!

Well, Cisco has confirmed it is HTTP behavior, and it is not possible to control HTTP traffic with the multisession feature in ACS 2.6. Below are Cisco's comments.

-------------

Unfortunately, because of the way that HTTP works, it is not possible to use the Max Sessions feature the way you might expect. In a Telnet or FTP connection, the PIX sends a 'start' accounting record to the CSNT server, and this tells it that this user has started a session. If the user attempts another session, then because the CSNT server has not received a 'stop' record for the previous session, it will not allow another session if the session limit is set to 1.

However, in the case of HTTP, the session is very short-lived (typically 1 second). You can see the short duration of the session in the accounting log. Since the CSNT server receives the 'stop' record almost immediately after the 'start' record, it now counts this user as not connected (which is technically correct, since he no longer has a TCP session), even though he may still be looking at a web page. So, this may give the impression that the user is being allowed many more sessions than CSNT is configured to allow, but in reality this is not the case.
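The counting behaviour Cisco describes above, as an added example (my own constructed model, not ACS or PIX code): a per-user session counter that only changes on accounting 'start' and 'stop' records, replayed first with a Telnet-style event stream and then with an HTTP-style one where the 'stop' arrives almost immediately. Event streams, user name and session ids are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class MaxSessionsEnforcer:
    """Model of the Max Sessions check: a user's open-session count moves
    only on accounting 'start'/'stop' records from the NAS (constructed
    model for illustration, not the ACS implementation)."""
    limit: int = 1
    active: dict = field(default_factory=dict)  # user -> set of open session ids

    def authorize(self, user: str) -> bool:
        """Deny a new login when the user already has `limit` open sessions."""
        return len(self.active.get(user, set())) < self.limit

    def account(self, user: str, session_id: str, record: str) -> None:
        """Apply one accounting record as the PIX would send it to the server."""
        sessions = self.active.setdefault(user, set())
        if record == "start":
            sessions.add(session_id)
        elif record == "stop":
            sessions.discard(session_id)
        else:
            raise ValueError(f"unknown accounting record type: {record}")


def replay(events, limit=1):
    """Replay (kind, user, session_id, record) events in order and return
    the authorize() decision for every 'auth' event."""
    acs = MaxSessionsEnforcer(limit)
    decisions = []
    for kind, user, sid, record in events:
        if kind == "auth":
            decisions.append(acs.authorize(user))
        else:
            acs.account(user, sid, record)
    return decisions


# Constructed event streams (hypothetical user "george").
TELNET = [
    ("auth", "george", None, None),       # first login -> allowed
    ("acct", "george", "t1", "start"),    # session stays open, no 'stop' yet
    ("auth", "george", None, None),       # login from a second machine -> denied
]
HTTP = [
    ("auth", "george", None, None),       # first login -> allowed
    ("acct", "george", "h1", "start"),
    ("acct", "george", "h1", "stop"),     # TCP connection closes about 1s later
    ("auth", "george", None, None),       # slot already freed -> allowed again
]

if __name__ == "__main__":
    print("telnet:", replay(TELNET))  # [True, False]
    print("http:  ", replay(HTTP))    # [True, True]
```

The second HTTP decision is the "extra" session the original poster observed: the limit is enforced correctly against the accounting records, but a closed HTTP connection no longer counts even while the user is still viewing the page.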

Hello:

I'm having the same problems when trying to control the HTTP traffic using ver 2.6. Does the same thing happen with version 3.0?

Luis Wilkes

lm_wilkes@hotmail.com