login limit through Cisco ACS 5.0

Hi all ,

A few days ago, in my wireless infrastructure, I deployed Cisco ACS 5.0 with Active Directory integration. My wireless users log in through the web authentication process. The authentication is handled by AD and it is working fine. But I want to configure my ACS 5.0 so that a user cannot log in on multiple devices simultaneously.

21 Replies

Hi Avijit,

If you go through the document listed below, you will see how we can configure the priority for management users to authenticate against a specific method.

From this page you can specify the order of authentication. Here is an example.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml#wlcmanagement

If LOCAL is selected as the second priority, then the user will be authenticated using this method only if the method defined as the first priority (RADIUS/TACACS) is unreachable.

Since in your case the RADIUS server is up and running, the WLC will always check the RADIUS database and fail with the error message "user not found", because the root user is not defined on the RADIUS server. The local method acts as a fallback: if your RADIUS server is down, you are not locked out and can use the root user as a back-door entry.

Jatin Katyal
- Do rate helpful posts -

~Jatin

I agree with your comments. So what will happen is that when RADIUS is UP I am not able to write anything; after disconnecting, then I can write. So your suggestion is to authenticate local first, then RADIUS, right? Due to this process, will the login process become lengthy for AD users?

Keep the setup as it is. Just give read-write privileges to the RADIUS account so that you can use that account for making changes.

All you need to do is set the RADIUS IETF attribute Service-Type in the authorization profile returned for that user:

Service-Type = Administrative ----- full (read-write) access

Service-Type = NAS-Prompt ----- read-only access

Hope it helps.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Well, it works, but can you tell me: if I want to give the administrative privilege to one specific user only, what should I do?

Jatin Katyal
Cisco Employee

In ACS, under Access Policies, click on the RADIUS policy, then click on the Customize tab at the bottom right corner, select the attribute UserName and click OK. Then edit the authorization rule, use the condition "UserName equals <user>" to pick the authorization profile, and save the changes.

Enjoy :-)

Jatin
*Do rate helpful posts*


~Jatin
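The two replies above describe a RADIUS authorization decision (the ACS rule that matches on UserName) and the attribute that carries it to the WLC (IETF Service-Type: Administrative for read-write, NAS-Prompt for read-only). The Python below is an added example, not code from the thread or from Cisco, that shows what actually crosses the wire: it models the ACS rule as a small policy function, builds the Access-Accept with a Service-Type attribute and a correct Response Authenticator (RFC 2865), and parses it on the NAS side, rejecting a reply whose authenticator does not match the shared secret. The user names, the admin set, the packet identifier, the request authenticator and the shared secret are all constructed for the example; the attribute numbers and Service-Type values are the standard RFC 2865 ones.

```python
import hashlib
import struct

# RFC 2865 values (standard, not specific to ACS or the WLC)
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_ADMINISTRATIVE = 6   # WLC: full read-write management access
SERVICE_TYPE_NAS_PROMPT = 7       # WLC: read-only management access

# Hypothetical policy standing in for the ACS authorization rule
# "UserName equals netadmin -> Administrative profile, anything else -> NAS-Prompt".
ADMIN_USERS = {"netadmin"}


def service_type_for(username):
    """Mirror the ACS rule: one named user gets Administrative, everyone else NAS-Prompt."""
    if username in ADMIN_USERS:
        return SERVICE_TYPE_ADMINISTRATIVE
    return SERVICE_TYPE_NAS_PROMPT


def build_access_accept(ident, request_auth, secret, service_type):
    """Server side: Access-Accept carrying Service-Type, with a valid Response Authenticator.

    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    """
    attrs = struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)   # type, length, value
    length = 20 + len(attrs)                                           # 20-byte header + attrs
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, length)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet, request_auth, secret):
    """NAS side: verify the Response Authenticator first, then extract Service-Type."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    resp_auth = packet[4:20]
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if resp_auth != expected:
        # Wrong shared secret on either side, or a spoofed reply: never honour the attributes.
        raise ValueError("Response Authenticator mismatch")
    service_type = None
    pos = 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == ATTR_SERVICE_TYPE and alen == 6:
            service_type = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
        pos += alen
    return service_type


def reply_is_authentic(packet, request_auth, secret):
    """True only if the reply's authenticator checks out under the NAS's shared secret."""
    try:
        parse_access_accept(packet, request_auth, secret)
        return True
    except ValueError:
        return False


def access_level(username, secret=b"constructed-shared-secret"):
    """End to end: policy -> Access-Accept -> NAS parse -> what the WLC would grant."""
    ident = 0x2A                     # constructed; echoes the Access-Request identifier
    request_auth = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
    pkt = build_access_accept(ident, request_auth, secret, service_type_for(username))
    st = parse_access_accept(pkt, request_auth, secret)
    return {SERVICE_TYPE_ADMINISTRATIVE: "read-write",
            SERVICE_TYPE_NAS_PROMPT: "read-only"}.get(st, "no management access")


if __name__ == "__main__":
    for user in ("netadmin", "helpdesk"):
        print(user, "->", access_level(user))
```

The check a practitioner should take from this: the WLC only trusts Service-Type because the Response Authenticator binds the reply to the shared secret and to the original request, so a secret mismatch between ACS and the WLC shows up as a rejected reply (and typically a failed login), not as a silent fallback to read-only.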

Did you attempt to configure that? I hope it is clear to you now. I'm adding a screenshot for the same. You may see a different user interface since you have ACS 5.0. Let me know if any option is missing.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Avijit,

Were you able to make changes on WLC GUI after setting up the account as suggested above?

Jatin Katyal
- Do rate helpful posts -

~Jatin