Cisco Employee

ISE 2.4 TACACS Users Group restrictions

Hi Team,

For a specific requirement, I need to configure a user access count restriction for Cisco EPNM GUI access. Cisco EPNM is configured for TACACS with Cisco ISE 2.4, and the customer wants to restrict the number of users in a user group who have access to EPNM for a specific time.

I went through the document below and tried to configure the same solution for TACACS, but it didn't work:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/204463-Configure-Maximum-Concurrent-User-Sessio.html

Test I performed:

For TACACS access, I configured the EPNM users into a group and limited that group with the configuration below:

Administration > System > Settings > Max Sessions > Group: 1

and also tried:

Navigate to Administration > System > Settings > Max Sessions > Group > Max session for users in Group: 1

I then tried to access the EPNM GUI with 2 different users at the same time, and it works with no failure.

Can someone please point out if I missed something in the configuration?

It is the customer's live network, so the only option mentioned in the document that I didn't try is Administration > System > Settings > Max Sessions, which is set to "unlimited" by default.

Doubts are:

Is it mandatory to change the above configuration from unlimited?

As mentioned in the document, does it work for TACACS also and meet the requirement the CU has right now? (I tried with a router for an SSH connection too; it doesn't work.)


1 ACCEPTED SOLUTION

Cisco Employee

Re: ISE 2.4 TACACS Users Group restrictions

This ISE feature requires accounting start/stop. Please engage Cisco TAC services to troubleshoot if accounting is already enabled and working properly.

Usually for UI control, it's best for the application itself to provide such.


9 REPLIES 9
Cisco Employee

Re: ISE 2.4 TACACS Users Group restrictions

Hi, thanks for the reply.

My exact query is: does this functionality work with ISE GUI access only, or for TACACS devices/users also? If yes, then the EPNM server doesn't have accounting features to use; only authentication and a pre-defined template for authorization are configured on the ISE end. So in that case, this function won't work?

Cisco Employee

Re: ISE 2.4 TACACS Users Group restrictions

Yes. It will not. The reason being that ISE will not be aware of the status of the session if not for accounting as there is no such thing as a logout request.
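
The reasoning in the reply above, as an added example that is not part of the original thread and not ISE's own code: a toy model in which the per-group session counter moves only on accounting start/stop records, so a client that sends no accounting is never limited. The class, function and group names are hypothetical, and the login data is constructed.

```python
from collections import defaultdict


class MaxSessionTracker:
    """Toy model: active sessions per group are learned from accounting only."""

    def __init__(self, group_limit):
        self.group_limit = group_limit      # models "Max session for users in Group"
        self.active = defaultdict(set)      # group -> session ids with an open start

    def authenticate(self, group):
        # Authentication only reads the counter; it never changes it.
        return len(self.active[group]) < self.group_limit

    def accounting(self, group, session_id, record):
        # Only accounting start/stop records move the counter.
        if record == "start":
            self.active[group].add(session_id)
        elif record == "stop":
            self.active[group].discard(session_id)
        else:
            raise ValueError(f"unknown accounting record: {record!r}")


def simulate(logins, sends_accounting, group_limit=1):
    """Return the accept/reject decision for each login; all sessions stay open."""
    tracker = MaxSessionTracker(group_limit)
    decisions = []
    for session_id, group in logins:
        accepted = tracker.authenticate(group)
        decisions.append(accepted)
        if accepted and sends_accounting:
            tracker.accounting(group, session_id, "start")
    return decisions


# Constructed sample input: two users from the same group log in at the same time.
LOGINS = [("session-1", "epnm-users"), ("session-2", "epnm-users")]

if __name__ == "__main__":
    print("client sends no accounting:", simulate(LOGINS, sends_accounting=False))
    print("client sends start/stop:   ", simulate(LOGINS, sends_accounting=True))
```
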
Cisco Employee

Re: ISE 2.4 TACACS Users Group restrictions

OKAY, I tried the same solution with a Cisco IOS router; it doesn't seem to work. Accounting was working fine.

Cisco Employee

Re: ISE 2.4 TACACS Users Group restrictions

Correct. Accounting is required for the max sessions to work.

Cisco Employee

Re: ISE 2.4 TACACS Users Group restrictions

Okay, I tried the same solution with a Cisco IOS router; it doesn't seem to work. Accounting was working fine.

Cisco Employee

Re: ISE 2.4 TACACS Users Group restrictions

I think it might not work for T+ if command accounting is also enabled. Please engage our ESC team if you need help deciphering the debug logs.

Enthusiast

Re: ISE 2.4 TACACS Users Group restrictions

Hi,

Is there any update on this issue? I also want to restrict sessions when authenticating network devices with TACACS.

Thanks