07-21-2014 08:45 AM - edited 03-10-2019 09:53 PM
I have a WLC (7.4) that uses 802.1x auth with our ACS (5.3).
Our ACS connects to our AD as external identity.
How can I limit the max sessions per AD user?
Access Policies > Max User Session Policy > Max Session User Settings
-That would affect all my Access Policies
Access Policies > Max User Session Policy > Max Session Group settings
-That only shows internal groups and doesn't reflect my AD external group.
For example, certain AD users can have more sessions than other AD users.
Can that be done?
Dash
07-21-2014 01:39 PM
Hi Dash-
Unfortunately there aren't any other options in restricting sessions for users in ACS. I had a similar request from a customer for ISE and ISE doesn't even support max sessions. I had requested that feature to be implemented so now we wait and see :)
Thank you for rating helpful posts!
07-21-2014 04:23 PM
Dash,
You can leverage the group mapping feature where members of a certain AD group are mapped to a local group in ACS with the max sessions defined.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/user/guide/acsuserguide/access_policies.html#pgfId-1162308
Thanks,
Tarik Admani
01-12-2017 09:39 AM
Okay, here is how you do it.
In the "Access Services", you select & edit the service you want to use & check mark the group Mapping option in it.
Then you will see a "Group Mapping" option beneath the access policy that you just edited in the left panel of the ACS.
Now select the "Group Mapping" option & select "Rule based result Selection" from the top. Now from the bottom right click "customize" & add in "AD:External Group".
Now you can specify conditions for which AD group you can map the internal group & its related conditions, i.e. Max Session limitation.
Hope this helps.
01-12-2017 09:43 AM
Thanks Ahmed! Worked like a charm!