
aaa network access limit user session

r.spiandorello
Level 1

Hi, I'd like to limit a user to one authenticated session in aaa network access, with ASA and ACS.

Is tacacs+ accounting necessary?

thank you in advance

RS

4 Replies

darpotter
Level 5

Hi

Yes. If you want to use the group or user max sessions limits in ACS you need to have session accounting enabled.

ACS uses the start/stop messages to track sessions.

Accounting must also be reliable and predictable, i.e. authentication then start then stop - all on the same port.

T+ is usually sound but some RADIUS implementations don't control the device port number and/or send out of sequence packets - namely wireless devices.

If you see any "NAS Port re-used" messages in the ACS logs it might mean max sessions will be unreliable.

Hi, yes I receive tacacs+ start and stop accounting messages in ACS, but it seems they are related to single tcp sessions, not to the entire connection.

I'd like to limit the use of the same username on multiple IPs at the same time.

thank you in advance

RS

I have never done it with Cisco ACS so I cannot offer much support on this.

However, I've done it many times on Cisco Freeware TACACS+ and it is very easy.

1- In Cisco Freeware tacacs, include "max-session = 1" under either the user profile or group file definition.

2- In the router itself, you need to enable "ip finger". This will allow the TACACS+ server to query the router every time there is a new attempt to log in. If you already have a session to the router, the TACACS+ server will see this and reject a new session for that same user. If the login ID is different from what is already connected to the router, it will then be accepted:

C7140#who

Line User Host(s) Idle Location

0 con 0 idle 11w2d

* 2 vty 0 cciesec idle 00:00:00 192.168.15.9

Interface User Mode Idle Peer Address

C7140#

Now if user "cciesec" tries to login again through another session, it will be rejected by the TACACS server:

[root@LinuxES-lab1 root]# finger @192.168.15.1

Line User Host(s) Idle Location

0 con 0 idle 11w2d

2 vty 0 cciesec idle 00:04:00 192.168.15.9

* 3 vty 1 idle 00:00:00 192.168.128.100

Interface User Mode Idle Peer Address

[root@LinuxES-lab1 root]#

Easy right?

Richard Hamby
Cisco Employee

One thing to note is what ACS considers a session, and what the NAS does. ACS defines a session as the unique combination of username, NAS IP, and source TCP port number. So ACS will allow the same user to authenticate multiple times to the same device since all values of that triplet remain the same. Just FYI
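
The session counting discussed in this thread, as an added sketch that is not from any poster and is not ACS code: it assumes a session is keyed by username, NAS IP and port, opened by an accounting start and closed by a stop. `SessionTracker`, `replay` and the sample records are hypothetical and constructed for illustration.

```python
from collections import defaultdict


class SessionTracker:
    """Tracks open sessions per user from accounting start/stop records."""

    def __init__(self, max_sessions=1):
        self.max_sessions = max_sessions
        self.open = defaultdict(set)  # username -> {(nas_ip, port), ...}

    def start(self, user, nas_ip, port):
        sessions = self.open[user]
        if (nas_ip, port) in sessions:
            # Same triplet started again with no stop in between: it looks
            # like the session already counted, so the limit does not fire.
            return "port-reused"
        if len(sessions) >= self.max_sessions:
            return "rejected"
        sessions.add((nas_ip, port))
        return "opened"

    def stop(self, user, nas_ip, port):
        sessions = self.open[user]
        if (nas_ip, port) in sessions:
            sessions.remove((nas_ip, port))
            return "closed"
        # Lost start or out-of-sequence packet: the count is now unreliable.
        return "unmatched-stop"


def replay(records, max_sessions=1):
    """Apply records in arrival order and return the outcome of each one."""
    tracker = SessionTracker(max_sessions)
    return [getattr(tracker, event)(user, nas_ip, port)
            for event, user, nas_ip, port in records]


# Constructed sample records: (event, username, NAS IP, port)
SAMPLE = [
    ("start", "cciesec", "192.168.15.1", "tty2"),  # first login
    ("start", "cciesec", "192.168.15.1", "tty2"),  # same triplet, no stop seen
    ("start", "cciesec", "192.168.15.1", "tty3"),  # second port, limit is 1
    ("stop", "cciesec", "192.168.15.1", "tty2"),
    ("start", "cciesec", "192.168.15.1", "tty3"),  # slot is free again
    ("stop", "cciesec", "192.168.15.1", "tty9"),   # stop with no start
]

if __name__ == "__main__":
    for record, outcome in zip(SAMPLE, replay(SAMPLE)):
        print(record, "->", outcome)
```

In this model a `port-reused` or `unmatched-stop` outcome marks the point where the open-session count no longer matches what is actually connected to the device.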