Administrative sessions on ACS

Unanswered Question

I have an ACS that handles authentication/authorization for our VPN Concentrator. I noticed more and more that I have to reboot the ACS frequently because it would stop authenticating folks at some point. When I try to log in, it kicks back an error indicating maxed administrative sessions. ACS should time out sessions if they aren't being used, correct?

owillins Tue, 02/17/2009 - 11:54

You are hitting bug CSCse26754. ACS/ACSE Administration may do limited session validation. After successful login, ACS does only limited session validation by matching the IP alone. This is due to a weakness in the default configuration of ACS.

Just so I'm understanding that bug: you're using port 2002 to log in, but after a successful login you then use a random port from 1024 up to 6xxxx. Thereafter, ACS will only look at the port and not the IP address. I'm not sure how that relates to my experience of ACS not being able to authenticate users through to Novell or Active Directory after a period of time. It will say authentication failed if you telnet to a device that does AAA, or log in through a VPN client off a concentrator that is talking to ACS for AAA.
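The two things this thread is about, an admin-session table that fills up because idle sessions are never reaped, and post-login validation that keys on the client IP alone, can be shown side by side in a small model. The following is an added example, not code from the page, from Cisco, or from the ACS product; the session cap, the idle timeout, the `IpOnlySessionStore` / `TokenSessionStore` classes and the demo functions are all assumptions made for illustration, and the IP addresses are constructed sample input.

```python
import secrets
from dataclasses import dataclass

MAX_ADMIN_SESSIONS = 3       # assumed cap standing in for the ACS administrative-session limit
IDLE_TIMEOUT_SECONDS = 900   # assumed idle timeout used by the hardened store


class MaxSessionsError(Exception):
    """The 'maxed administrative sessions' condition from the original question."""


@dataclass
class Session:
    user: str
    client_ip: str
    last_seen: float   # seconds; passed in explicitly so the demo is deterministic


class IpOnlySessionStore:
    """Models the weak behaviour: after login a session is identified by source IP alone
    and never expires, so sessions left idle pile up until the cap is reached."""

    def __init__(self):
        self.sessions = {}   # client IP -> Session

    def login(self, user, client_ip, now):
        if len(self.sessions) >= MAX_ADMIN_SESSIONS:
            raise MaxSessionsError("maximum administrative sessions reached")
        self.sessions[client_ip] = Session(user, client_ip, now)
        return client_ip     # the only thing later requests are checked against

    def validate(self, client_ip, now):
        # Any request from the same IP (NAT neighbour, next user of the same host)
        # is accepted as the logged-in admin; nothing is ever reaped.
        return self.sessions.get(client_ip)


class TokenSessionStore:
    """Hardened model: a random bearer token identifies the session, the IP is only a
    secondary binding, and sessions idle longer than the timeout are reaped."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.sessions = {}   # token -> Session
        self.idle_timeout = idle_timeout

    def _expire(self, now):
        stale = [t for t, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]
        for t in stale:
            del self.sessions[t]

    def login(self, user, client_ip, now):
        self._expire(now)    # reap before counting, so idle sessions never block new logins
        if len(self.sessions) >= MAX_ADMIN_SESSIONS:
            raise MaxSessionsError("maximum administrative sessions reached")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, client_ip, now)
        return token

    def validate(self, token, client_ip, now):
        self._expire(now)
        s = self.sessions.get(token)
        if s is None or s.client_ip != client_ip:
            return None      # unknown token, or token replayed from another address
        s.last_seen = now    # activity refreshes the idle timer
        return s

    def logout(self, token):
        self.sessions.pop(token, None)


ADMIN_IPS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed sample addresses


def demo_ip_only_exhaustion():
    """Three admins log in and walk away; a day later the fourth login is still refused,
    and anyone sending from the first admin's IP is treated as that admin."""
    store = IpOnlySessionStore()
    for i, ip in enumerate(ADMIN_IPS):
        store.login(f"admin{i}", ip, 0.0)
    a_day_later = 24 * 3600.0
    try:
        store.login("admin3", "10.0.0.4", a_day_later)
        return False
    except MaxSessionsError:
        return store.validate("10.0.0.1", a_day_later).user == "admin0"


def demo_token_store_recovers():
    """Same scenario against the hardened store: the cap still applies while sessions are
    live, a request with the right IP but no token is rejected, and once the idle timeout
    passes the stale sessions are reaped and a new admin can log in."""
    store = TokenSessionStore()
    tokens = [store.login(f"admin{i}", ip, 0.0) for i, ip in enumerate(ADMIN_IPS)]
    try:
        store.login("admin3", "10.0.0.4", 60.0)
        live_cap_enforced = False
    except MaxSessionsError:
        live_cap_enforced = True
    spoof_rejected = store.validate("not-a-token", "10.0.0.1", 60.0) is None
    later = IDLE_TIMEOUT_SECONDS + 1.0
    token3 = store.login("admin3", "10.0.0.4", later)
    new_session_ok = store.validate(token3, "10.0.0.4", later).user == "admin3"
    old_session_gone = store.validate(tokens[0], "10.0.0.1", later) is None
    return live_cap_enforced and spoof_rejected and new_session_ok and old_session_gone


if __name__ == "__main__":
    print("IP-only store stays exhausted:", demo_ip_only_exhaustion())
    print("token store reaps idle sessions:", demo_token_store_recovers())
```

The point of the contrast is that an idle timeout is what turns a hard session cap from a denial-of-service into a bounded resource, and that binding a session to a random token (with the IP as a secondary check) is what stops a later sender from the same address inheriting an administrator's session. Whether a given ACS build behaves like the first or the second store is exactly what the bug reference in the reply above is about; this model only shows why the difference matters.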

