aaa network access limit user session

Unanswered Question
Jan 21st, 2009

Hi, I'd like to limit a user to one authenticated session in aaa network access, with ASA and ACS.

Is tacacs+ accounting necessary ?

thank you in advance


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
darpotter Wed, 01/21/2009 - 11:45


Yes. If you want to use the group or user max sessions limits in ACS you need to have session accounting enabled.

ACS uses the start/stop messages to track sessions.

Accounting must also be reliable and predictable, ie

authentication then start then stop - all on the same port.

T+ is usually sound but some RADIUS implementations dont control the device port number and/or send out of sequence packets - namely wireless devices.

If you see any "NAS Port re-used" messages in the ACS logs it might mean max sessions will be unreliable.

r.spiandorello Thu, 01/22/2009 - 01:43

Hi, yes I receive tacacs+ start and stop accounting messages in ACS, but it seems they are related to single tcp sessions, not to the entire connection.

I'd like to limit the use of the same username in multiple IP at the same time.

thank you in advance


cisco24x7 Thu, 01/22/2009 - 06:06

I have never done it with Cisco ACS so I can not offer much support on this.

However, I've done it many times on Cisco Freeware TACACS+ and it is very easy.

1- in Cisco Freeware tacacs, include "max-session = 1" under either the user

profile or group file definition.

2- in the router itself, you need to enable "ip finger". This will allow the

TACACS+ server to querry the router everytime there is a new attempt to loggin.

If you already have a session to the router, TACACS+ server will see this and

reject a new session for that same user. If the login ID is different than what

is already connected to the router, it will then be accepted:


Line User Host(s) Idle Location

0 con 0 idle 11w2d

* 2 vty 0 cciesec idle 00:00:00

Interface User Mode Idle Peer Address


Now if user "cciesec" tries to login again through another session, it will

be rejected by the TACACS server:

[[email protected]-lab1 root]# finger @

Line User Host(s) Idle Location

0 con 0 idle 11w2d

2 vty 0 cciesec idle 00:04:00

* 3 vty 1 idle 00:00:00

Interface User Mode Idle Peer Address

[[email protected]-lab1 root]#

Easy right?

Richard Hamby Thu, 12/09/2010 - 16:17

One thing to note is what ACS considers a session, and what the NAS does.  ACS defines a session as the unique combination of username,NAS IP, and source TCP Port number.  So ACS will allow the same user to authenticate multiple times to the same device since all values of that triplet remains the same.  Just FYI


This Discussion