Wireless clients limit authentications by AD username

neilcouston · ‎11-01-2013

We are in the early stages of implementing a BYOD wireless network but want to limit the number of devices an individual can authenticate using the ACS. Currently we are using MAC address filtering on a limited scale (On the WLC) to give access to a few select users however this is not a scaleable solution.

The devices that are authenticating are a mixture Apple, Android and Windows and we are using an AD account and group membership to authenticate the user however if we remove the MAC address filtering each user can authenticate multple devices which unfortunatly some of our user take advantage of.

We have looked at implementing the Max user sessions on the ACS however this does not seem to work for out scenario. Currently the ACS is configured

Service selection rule : match Radius -ANY- RADIUS-IETF:Called-Station-ID contains BYOD 802.1X_BYOD

802.1X_BYOD Authorisation : (System:EapTunnel match PEAP And AD-AD1:ExternalGroups contains any TestDomain/Users/BYOD TEST)

Is there a way of implementing this as the devices are only authenticating against AD so limiting the logon's there has no impact as the devices are not actually logging on to the domain.

Any suggestions or advice would be greatly appreciated.

Charlie Moreton · ‎11-01-2013

If you're using a Cisco ACS, then you can implement a User Login Policy on the WLC to limit Max Concurrent Logins per username.

Log in to the WLC, select Security > TACACS+ > User Login Policies

Of course, the other entries (LDAP, AP Policies) need to be configured as well. I have attached a screenshot: