06-17-2013 02:54 AM - edited 03-10-2019 08:33 PM
Hi,
I have deployed a Wireless controller Cisco 5508 with APs for wireless connectivity at my customer's office. The users are authenticated using PEAP through ACS, which is integrated with Microsoft Active Directory. The requirement is that each user should be able to connect to only one device using a single AD user ID, except for executive and admin users, who can connect to unlimited devices using a single ID. My customer is using Cisco ACS 4.2 and Microsoft Server 2003 for Active Directory.
I have tried to limit the user sessions by changing the value of the particular user's Max Sessions, and it restricts the user, but when the user disconnects, the session is not removed and the same user is not able to re-connect or connect anywhere else. ACS takes a long time to show the session "Stop" in RADIUS accounting, but even after the "Stop" status, the user is not able to connect again until the restriction is removed.
I am looking for the solution for this.
Thanks,
Sohail
06-17-2013 03:49 AM
It seems you have allowed one session for a user. Where did you apply this restriction (user or group)? Can you attach a screenshot of the same in your next reply? What do you see in ACS failed authentications when you connect after the RADIUS stop packet of the previous user?
Jatin Katyal
- Do rate helpful posts -
06-17-2013 05:03 AM
Jatin,
Screenshot is currently not possible for me to send but I can tell you that it was configured on:
User Setup -> Selecting a specific User -> Max sessions -> Here I put 1 to have a single user session for that specific user. But even after disconnecting the user, the Stop packet is shown in RADIUS accounting very late, and also it doesn't allow the same user to connect again, with the failure message "ACS User exceeded max sessions".
Sohail
06-17-2013 05:54 AM
The "user exceeded max sessions" message is related to the RADIUS accounting log/information. How much delay do you see between logoff and the stop packet? When you actually track the user's start and stop packets, make sure you also look at the session-id, because the session-id should be the same for the start and stop packets. I've seen this issue where multiple requests were coming from the WLC when a single user attempted a connection.
btw, what patch are you running on ACS?
Jatin Katyal
- Do rate helpful posts -
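The check Jatin describes above, pairing Start and Stop records by Acct-Session-Id to see which sessions ACS still counts as open, as an added example that is not part of the original thread. The accounting records, field order, user names and the 10-minute stale threshold are constructed for illustration; the limit and exempt-user list mirror the requirement in the first post.

```python
from datetime import datetime, timedelta

# Constructed sample accounting records (not from the thread): timestamp,
# User-Name, Acct-Status-Type, Acct-Session-Id, Calling-Station-Id.
SAMPLE_ACCOUNTING = """\
2013-06-17 09:00:00,testuser,Start,5a1c0001,00:11:22:33:44:55
2013-06-17 09:05:00,testuser,Stop,5a1c0001,00:11:22:33:44:55
2013-06-17 09:06:00,testuser,Start,5a1c0002,00:11:22:33:44:55
2013-06-17 09:10:00,exec1,Start,5a1c0003,aa:bb:cc:dd:ee:01
2013-06-17 09:11:00,exec1,Start,5a1c0004,aa:bb:cc:dd:ee:02
2013-06-17 09:12:00,testuser,Stop,5a1c0099,00:11:22:33:44:55
"""

def parse_records(text):
    records = []
    for line in text.strip().splitlines():
        ts, user, status, session_id, station = line.split(",")
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "user": user, "status": status,
                        "session_id": session_id, "station": station})
    return records

def audit_sessions(records, now, stale_after=timedelta(minutes=10)):
    """Pair Start/Stop by Acct-Session-Id and report what is still open."""
    open_sessions = {}   # session_id -> the Start record
    orphan_stops = []    # Stop whose session-id never had a matching Start
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["status"] == "Start":
            open_sessions[rec["session_id"]] = rec
        elif rec["status"] == "Stop":
            if open_sessions.pop(rec["session_id"], None) is None:
                orphan_stops.append(rec["session_id"])
    per_user = {}
    for rec in open_sessions.values():
        per_user[rec["user"]] = per_user.get(rec["user"], 0) + 1
    # A Start with no Stop for longer than stale_after is the kind of
    # session that keeps tripping "user exceeded max sessions".
    stale = sorted(sid for sid, rec in open_sessions.items()
                   if now - rec["ts"] > stale_after)
    return {"open_per_user": per_user, "stale_sessions": stale,
            "orphan_stops": orphan_stops}

def users_over_limit(audit, max_sessions, exempt=()):
    """Users with more open sessions than allowed, minus exempt accounts."""
    return sorted(u for u, n in audit["open_per_user"].items()
                  if n > max_sessions and u not in exempt)

# Evaluate the constructed sample as of 09:18 on the same day.
SAMPLE_AUDIT = audit_sessions(parse_records(SAMPLE_ACCOUNTING),
                              datetime(2013, 6, 17, 9, 18))
```

A Stop whose session-id matches no Start (5a1c0099 in the sample) is the mismatch to look for when the WLC sends several requests for one connection.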
06-17-2013 06:37 AM
Jatin,
The delay which I see is more than 10 minutes, and often the Stop packet is not shown and I had to log in with another user ID to KILL the session (forcing a Stop). And the session-id is the same, as I am testing with a Test ID which is not being used anywhere else.
The patch running on ACS is 4.2.1.15.2 Wed 04/21/2010 18:19:56.86.
Sohail
06-17-2013 07:28 PM
Hello Sohail,
You can also do this with the help of the WLC itself. We can use max-login-ignore-identity-response. This command limits the number of devices that can be connected to the controller with the same username. For more detail, you can see the URL below.
http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_user_accts.html