EZVPN single tunnel per user account

Hello Experts,

I have configured a router as a EZVPN server and configured and authenticate several clients (cisco vpn client and IOS EZVPN) by means of a AAA tacacs server. Everything fine except that with only one username/password I can bring two or more EZVPN tunnels. I wonder if there is a way to limit  the amount of tunnels that a single credential can open, so that every user can just establish one EZVPN tunnel and in case that another user tries to use the credentials of someone else already connected then the tunnel session be denied.

Best Regards,

Roberto López.

Accepted Solution

Gustavo Medina
Cisco Employee

Hello Roberto,

You could set the "max-logins" setting to "1" under the "crypto isakmp client configuration group" attributes that you are using.

I looked up the usage of this command for you on the command lookup tool:

max-logins

To limit the number of simultaneous logins for users in a specific server group, use the max-logins command in global configuration mode. To remove the number of connections that were set, use the no form of this command.

max-logins number-of-users

no max-logins number-of-users

The crypto isakmp client configuration group command must be configured before this command can be configured.

This command makes it possible to mimic the functionality provided by some RADIUS servers for limiting the number of simultaneous logins for users in that group. The max-users and max-logins keywords can be enabled together or individually to control the usage of resources by any groups or individuals.

The following example shows that the maximum number of logins for users in server group "cisco" has been set to 8:

Router (config)# crypto isakmp client configuration group cisco

Router (config)# max-logins 8

The following shows the RADIUS attribute-value (AV) pairs for the maximum users and maximum logins parameters:

ipsec:max-users=1000

ipsec:max-logins=1

Hope this helps...


2 Replies

Hello Jose,

Thanks, it works fine. Actually I am using TACACS+, but the implementation is very similar to the RADIUS example you posted; I just have to declare max-logins=1 under the ike ipsec service.

Best Regards,

Roberto.
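As an added illustration (not part of this thread): with max-logins 1 in place the router refuses a second tunnel on the same credential, but it is still useful to audit which usernames currently hold more than one active tunnel, for instance before enabling the limit or when confirming that it works. The script below parses text in the shape of "show crypto session detail" output (the sample is constructed and only approximates that format; the field names and block layout are assumptions) and reports users exceeding a given number of UP sessions.

```python
import re
from collections import defaultdict

# Constructed sample approximating "show crypto session detail" on an EZVPN
# server (assumption: one "Username:" line per session block, blank-line separated).
SAMPLE = """\
Crypto session current status

Interface: GigabitEthernet0/0
Username: roberto
Assigned address: 10.10.10.5
Session status: UP-ACTIVE
Peer: 203.0.113.10 port 500

Interface: GigabitEthernet0/0
Username: roberto
Assigned address: 10.10.10.6
Session status: UP-ACTIVE
Peer: 198.51.100.77 port 500

Interface: GigabitEthernet0/0
Username: maria
Assigned address: 10.10.10.7
Session status: UP-ACTIVE
Peer: 203.0.113.44 port 500
"""

def parse_sessions(text):
    """Split the output into per-session blocks and collect 'Key: value' fields."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z ]+?):\s*(.+)$", block, re.M))
        if "Username" in fields:          # skip the banner and any unauthenticated blocks
            sessions.append(fields)
    return sessions

def shared_credentials(text, max_logins=1):
    """Return {username: [peer, ...]} for users with more than max_logins UP tunnels."""
    per_user = defaultdict(list)
    for s in parse_sessions(text):
        if s.get("Session status", "").startswith("UP"):
            per_user[s["Username"]].append(s.get("Peer", "?"))
    return {u: peers for u, peers in per_user.items() if len(peers) > max_logins}

if __name__ == "__main__":
    for user, peers in shared_credentials(SAMPLE).items():
        print(f"{user}: {len(peers)} concurrent tunnels from {', '.join(peers)}")
```

Feed it the saved output of the command from the EZVPN server; every username it lists is a credential being used for more than one tunnel at once.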