How to limit number of devices users can authenticate to wifi

jlhainy
Level 2

We are using PEAP to authenticate wireless users via their Active Directory Accounts.  Is there any way to keep a user by username from authenticating to more than 2 devices?

10 Replies

nspasov
Cisco Employee

What type of wireless setup do you have, and what do you use for a RADIUS server?


Thank you for rating helpful posts!

We have over 1000 APs at 40 locations. The APs are controlled by 4 WiSM2 blades.  We are using ACS 5.5x as our RADIUS source, and it is joined to AD to take advantage of AD groups.

What we are finding is that when users are prompted to change their passwords, they do so on their workstation but forget to change their credentials on their wireless device.  Client exclusion helps, but if they have 2 or 3 personal devices, they exceed the failed login attempt count on their AD account and get locked out.  What we would like to do is somehow limit them so that they can only use their AD account on one or two devices; if they try a 3rd, the wireless system would automatically deny them and not even try to authenticate, thus stopping further login attempts and not locking accounts.
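The behaviour asked for above, modelled as a small added example (not ACS code, and not how ACS implements Max User Session, which counts active sessions from RADIUS accounting): a policy layer in front of the AD-backed authenticator that keys on the RADIUS Calling-Station-Id, lets a username bring at most `max_devices` distinct devices, and rejects any further device before the request is forwarded to AD, so a stale credential on a third device cannot burn AD lockout attempts. Usernames, MACs and the lockout threshold in the sample are constructed; `release()` stands in for an Accounting-Stop freeing a slot.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical AD lockout threshold used only to illustrate the effect.
AD_LOCKOUT_THRESHOLD = 5


@dataclass
class DeviceLimiter:
    """Per-user device cap evaluated before the request reaches AD."""
    max_devices: int = 2
    # username (normalised) -> set of Calling-Station-Id values holding a slot
    devices: dict = field(default_factory=lambda: defaultdict(set))

    def decide(self, username: str, calling_station_id: str) -> str:
        """Return 'forward' if the request may go on to AD, else 'reject'."""
        key = username.lower()          # AD usernames are case-insensitive
        held = self.devices[key]
        if calling_station_id in held:  # known device: re-authentication is fine
            return "forward"
        if len(held) >= self.max_devices:
            return "reject"             # third device: never reaches AD
        held.add(calling_station_id)
        return "forward"

    def release(self, username: str, calling_station_id: str) -> None:
        """Free a slot, e.g. on RADIUS Accounting-Stop for that device."""
        self.devices[username.lower()].discard(calling_station_id)


def run_requests(requests, limiter, bad_password_devices):
    """Replay constructed auth requests and count what AD would have seen.

    Returns (decisions, ad_failures): the per-request decision list and how
    many failed binds AD would have recorded for each user.  Devices listed
    in bad_password_devices still carry the old password.
    """
    decisions = []
    ad_failures = defaultdict(int)
    for user, mac in requests:
        verdict = limiter.decide(user, mac)
        decisions.append((user, mac, verdict))
        if verdict == "forward" and mac in bad_password_devices:
            ad_failures[user.lower()] += 1
    return decisions, dict(ad_failures)


# Constructed sample: jdoe changed her password on the laptop; phone and
# tablet still hold the old one and keep retrying.
SAMPLE_REQUESTS = [
    ("jdoe", "00:11:22:33:44:01"),   # laptop, new password
    ("jdoe", "00:11:22:33:44:02"),   # phone, stale password
    ("JDOE", "00:11:22:33:44:03"),   # tablet, stale password, 3rd device
] + [("jdoe", "00:11:22:33:44:02")] * 3 + [("jdoe", "00:11:22:33:44:03")] * 3

STALE_DEVICES = {"00:11:22:33:44:02", "00:11:22:33:44:03"}


def lockout_comparison():
    """Failed AD binds for jdoe with the cap in place versus without it."""
    _, capped = run_requests(SAMPLE_REQUESTS, DeviceLimiter(max_devices=2),
                             STALE_DEVICES)
    _, uncapped = run_requests(SAMPLE_REQUESTS, DeviceLimiter(max_devices=99),
                               STALE_DEVICES)
    return capped.get("jdoe", 0), uncapped.get("jdoe", 0)


if __name__ == "__main__":
    capped, uncapped = lockout_comparison()
    print(f"AD failures with 2-device cap: {capped}; without cap: {uncapped}; "
          f"lockout threshold: {AD_LOCKOUT_THRESHOLD}")
```

In the sample the tablet is rejected locally every time, so only the phone's retries reach AD (4 failures, under the threshold), whereas without the cap both stale devices reach AD and the account would lock. Whatever counts as a "device" and when a slot is freed are the two decisions that determine whether a limit like this helps or just strands users; the ACS feature ties that to accounting sessions rather than MAC addresses.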

Have you tried the "Max User Session" setting in ACS?

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/user/guide/acsuserguide/access_policies.html#77244


But that appears to only apply to local users on ACS.  These users are Active Directory users, and ACS just relays the authentication requests to AD.  Would this still work?

Yes, you are correct that this feature only applies to internal groups/users. However, you can map the AD-based groups to internal ACS groups, and that way this feature would apply to the AD-based groups too :)

Check out the user guide and let us know if you have issues. 


OK, I need to make sure that I understand this correctly.  First, I need to activate the Group Mapping policy under the Access Service.

Then, in the Group Mapping policy, I would need to select rule-based selection and create a rule that accounts for compound conditions.  It looks like this is required because compound conditions allow me to use other sources besides the local ACS groups.

It looks like I need to select a dictionary (in this case it would be AD) and then an attribute (in this case the name of the AD group).  That would be the condition set.  Then the result would be mapping it to some local wifi group on ACS.

It looks like the next part of this would be to use the Max User Session settings to limit the sessions.


Is my understanding accurate?  It sounds very promising!


You got it boss! :) Give it a try and let me/us know if you have any issues. 


OK.  I completed the group mapping policy.  I am assuming it's working because I do see a hit count on the rule I created to map an AD group to an internal ACS group.

Then I went to the Max Session Group Setting and set the max sessions for the group as a whole to unlimited and the Max Session for User in Group to two, because I only want a user to connect two devices.

So I went ahead and connected 2 devices, and when I connected the 3rd device, I expected not to be able to connect, with some kind of error showing up in the ACS logs... but the 3rd device connected.  So I am wondering if I am misunderstanding the Max Sessions settings.

It has been a while since I have worked with ACS, but what you have outlined sounds good. I am away from home now and can't test this in my lab, so I would advise you to reach out to TAC or double-check your configs. 


Hi Neno,

Does this feature also work on TACACS+?
I had some trouble with this feature too.