cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
488
Views
0
Helpful
1
Replies

How to configure Cisco ACS 4 to work with Microsoft ISA 2004

enaforhmd
Level 1
Level 1

Hi NetPro,

I have one ISA 2004 server configured with Microsoft Radius Server (IAS).

ISA 2004 acts as a Radius Client, and IAS is the Radius serveur.

Every user will be authenticated on the IAS server before getting access to the internet.

I am discovering functions of Cisco ACS 4 and I plan to install it (replace my IAS).

Can you indicate to me the procedure that permit to me the following :

- Cisco ACS 4 will be my Radius server and ISA 2004 the Radius client.

- A group of users (from my Active Directory), must be authenticated on the ACS server before having access to Internet.

- Every user of this group, can open one session (from one PC only) at any instant. (One user can't have multiple Internet access with the same login from different PCs)

- Controlling th time users spends on the Internet by implementing Quotas

I Think that it can be done by Cisco ACS but I don't know how ?

Please help me .

Thank you in advance.

1 Reply 1

darpotter
Level 5
Level 5

Should all be possible. Inside the ACS help docs you need to look for

"Max Sessions" to control how many concurrent sessions a user may have.

"Quotas" are also available to limit the number of sessions during any period.

There also time-of-day/day-of-week restrictions too.

These are advanced features configured in group setup - however you will need to enable them under interface config first.

Max session/quota's require that RADIUS accounting is enabled. There are a whole load of caveats with max sessions that revolve around the NAS-Port attribute.

Basically ACS tracks session by NAS-IP & NAS-Port - if the RADIUS client doesnt include these in every packet ACS can struggle to track the sessions correctly. The RADIUS client should also support the Class attribute (ie echo the Class from the access-accept back in all accounting packets)

Provided ISA 2004 can do that you should be fine.

If you run CSRadius -z -p from the command line you'll get an attr-by-attr dump of inbound & outbound packets which is very useful.

Darran