07-25-2019 12:37 AM
Hi Team,
For a specific requirement, I need to configure a user access count restriction for Cisco EPNM GUI access. Cisco EPNM is configured for TACACS with Cisco ISE 2.4, and the customer wants to restrict the number of users in a user group that have access to EPNM for a specific time.
I went through the below document and tried to configure the same solution for TACACS, but it didn't work:
Test I performed:
For TACACS access, I configured the EPNM users into a group and limited the particular group with the below configuration:
Administration > System > Settings > Max Sessions > Group: 1
and also tried:
Navigate to Administration > System > Settings > Max Sessions > Group > Max session for users in Group : 1
I then tried to access the EPNM GUI with 2 different users at the same time, and it works without failing.
Can someone please point out if I missed something in the configuration?
It is a customer live network, so the only option mentioned in the document that I didn't try is: Administration > System > Settings > Max Sessions, which is set to "unlimited" by default.
Doubts are:
Is the above a mandatory configuration to change from unlimited?
As mentioned in the document, does it work for TACACS also, and meet the requirement that the CU has right now? (I tried with a router also for an SSH connection; it doesn't work.)
07-26-2019 06:32 AM
This ISE feature requires accounting start/stop. Please engage Cisco TAC services to troubleshoot if accounting is already enabled and working properly.
Usually for UI control, it's best for the application itself to provide such.
07-28-2019 05:54 AM
Hi, thanks for the reply.
My exact query is: does this functionality work with ISE GUI access only, or for TACACS devices/users also? If yes, then the EPNM server doesn't have accounting features to use; only authentication and a pre-defined template for authorization are configured on the ISE end. So in that case, this function won't work?
07-28-2019 07:34 AM
07-28-2019 07:36 AM
Correct. Accounting is required for the max sessions to work.
07-28-2019 07:37 AM
Okay, I tried the same solution with a Cisco IOS router; it doesn't seem to work. Accounting was working fine.
07-28-2019 07:58 AM - edited 07-28-2019 07:59 AM
I think it might not work for T+ if command accounting is also enabled. Please engage our ESC team if you need help deciphering the debug logs.
06-05-2020 05:14 AM
Hi
Is there any update on this issue? I also want to restrict sessions when authenticating network devices with TACACS.
Thanks