xAuth with Active Directory questions

Unanswered Question
Sep 18th, 2007

I am configuring an ASA to be an IPSec gateway for remote access. I use xAuth with Active Directory. As I tested, two remote clients could use the same username and password for authentication. Would it be possible to disallow this behavior?

The other question is can I configure the maximum number of failed attempts? Now, it is 3.

Please advise.

Many thanks,


schostag Tue, 09/18/2007 - 11:57

On ASA 7.2(2), using ASDM 5.2, you can configure the number of simultaneous logins under Configuration -> VPN -> General -> Group Policy, select your group policy. It's a line item titled Simultaneous Logins.

nitass Tue, 09/18/2007 - 16:16

I have tried but it seemed not to work. I am in doubt about what it exactly means. Would it be a maximum number of concurrent users for a specific group policy (I thought so because it applies at the group policy level)? Or would it be a maximum number of concurrent users who log in with the same username and password?

Please advise.

Many thanks,


schostag Wed, 09/19/2007 - 05:57

It applies to all users connecting to that Group Policy. I've tried it with my configuration and it works.

I'm not sure how to lock down 1 user at a time, regardless of the policy they connect to.

nitass Wed, 09/19/2007 - 06:06

Hi Schostag,

Thanks for your reply. I'm not sure what you meant. What is the simultaneous logins setting at the group policy level that you've configured? Is it the maximum number of all concurrent users for that group policy? Or is it the maximum number of concurrent users who use exactly the same username and password? Could you please explain a little bit more?

Many thanks,


schostag Wed, 09/19/2007 - 06:29

The simultaneous logins setting affects only that group policy. For instance, on our DfltGrpPolicy, users connect using the SSL VPN client. They can log in three times simultaneously; the fourth time they will get a message stating they can't log in.

If they connect to our ip-sec-tunnel policy, using the Cisco IPSec client, the 3 simultaneous logins for the DfltGrpPolicy don't apply, and they can log in.

I don't know if there is a way to limit the number of users on the entire ASA, regardless of which group policy they connect to.

