Concurrent Authentication
04-10-2009 02:07 AM - edited 07-03-2021 05:25 PM
Hi,
I have a wireless LAN controller. I have enabled WPA. I have an AAA (Cisco ACS) server for authentication.
I have individual usernames and passwords for wireless clients. But the same username and password is being used simultaneously by two different users.
I want to restrict it in such a way that the username and password is accessed by one person at a time.
Can you please guide me on how to achieve this?
R.B.Kumar
Labels: Wireless Security
04-10-2009 07:28 AM
In your WLC, go to Security, AAA, user login policies. You can set the maximum number of concurrent logins for a single user name there.
04-10-2009 10:29 AM
Hi Paul,
Thanks for your valuable input. I am using EAP authentication where the Cisco ACS server is configured with username and password. Don't I have to do anything on the ACS server side? Is changing the parameters you mentioned enough?
When a user logs in to the network by EAP, no other user should be allowed to use this same username and password. This is the prime requirement.
Thanks in advance,
RBK
04-10-2009 10:45 AM
I believe that's all you need. But if not, in ACS, go to group setup, select the group that you are using for wireless clients. Click edit settings, scroll down to max sessions.
Max Sessions
Set the maximum number of sessions available to groups and users.
Sessions available to group. Sets the maximum number of simultaneous connections for the entire group. A session is any type of connection supported by RADIUS or TACACS+; for example, PPP, Telnet, ARAP, or IPX/SLIP. The options are as follows:
- Unlimited. Select this option to allow this group an unlimited number of simultaneous sessions. This effectively disables Max Sessions.
- n. Select this option and type the maximum number of simultaneous sessions to allow this group.
Sessions available to users of this group. Sets the maximum number of simultaneous connections for each user in this group. The options are as follows:
- Unlimited. Select this option to allow this group an unlimited number of simultaneous sessions. This effectively disables Max Sessions.
- n. Type the maximum number of simultaneous sessions to allow this group.
As an example, Sessions available to group is set to 10 and sessions available to users of this group is set to 2. If each user is using the maximum 2 simultaneous sessions, no more than 5 users can log in.
You can also set per-user Max Sessions to be applied to users within the group. This limits the number of simultaneous connections a user can establish.
04-10-2009 10:58 AM
Hi Paul,
I appreciate your detailed explanation.
I will do it with AAA (ACS server) itself. But along with this, do I have to make the setting changes you suggested in the earlier post?
What is the difference between doing this in the WLC (which you referred to in the first post) and in the AAA server?
RBK
04-10-2009 07:58 PM
If you do this in the WLC, it will mean ALL USERS including Management users. If you do this option on the ACS, then Management users are optional.
07-16-2009 10:22 AM
Not to dredge up an old post, but I have enabled this exact setting on our WLC (running ver 5.2.178), and have set the limit to 2, but I am currently logged in at the same time, with the same account, on 3 devices. Anybody know of any reason this could be happening?
07-19-2009 10:51 PM
Try this at the WLC:
config advanced eap max-login-ignore-identity-response disable
07-27-2009 04:11 AM
Ran that command on each of our WLCs, same effect (meaning, I can still log on with more devices than I set to be allowed).
