setting remote access vpn idle timeout via Secure ACS server

Unanswered Question
Jul 14th, 2009
I am using Secure ACS 4.2 Radius to authenticate ipsec vpn clients. There are two different groups of users with different downloadable ACLs and rights. I would like to set the vpn-idle-timeout to different values for each group. I have tried using the IETF Radius attribute setting but it does not work. Can I do this via Secure ACS? If so, how?

darpotter Wed, 07/15/2009 - 01:43

The RADIUS Idle-Timeout attribute probably should work with Cisco VPN gear.

The 3000 range of concentrators has a VSA called "CVPN3000-Authenticated-User-Idle-Timeout" that might work depending on your vpn server type.

Otherwise, talk to the vendor and find out if they support vendor specific attributes to set the idle timeout.

laurabriscoe Wed, 07/15/2009 - 05:05
Thanks for the response. I am actually using it with an ASA 5510 for vpn access so you'd think it would work. For some reason even if I have the vpn-idle-timeout set for the group policy on the ASA it is not timing out. I am running 8.0.(4)16 on the ASA.

darpotter Wed, 07/15/2009 - 05:57

ah, well in that case it sounds like the VPN isn't connecting the session with its own group policy.

FWIW this doc ( says the ASA supports the vpn 3000 attributes... so you should be able to set it using the CVPN-XXXX VSAs defined in ACS :)

laurabriscoe Wed, 07/15/2009 - 07:42
Yes you are right and I have those attributes on and showing in my group settings. I have the [3076\050] Authenticated-User-Idle-Timeout checked and have set the value to both 1800 (in case it was seconds) and 30 for minutes, but it never times the session out if idle.

Maybe I'm using the wrong stuff - my goal is to have a user disconnected from the vpn session if they are idle for 30 minutes. I know they are connecting with that group's settings because I am also using downloadable ACL's from the ACS to control their access and that is working.
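When a RADIUS-pushed attribute is "set in ACS" but has no visible effect on the ASA, the first thing to establish is what actually reaches the VPN head-end in the Access-Accept. The following decoder is an added example (not code from this thread, from Cisco ACS or from the ASA); it walks the attribute section of a RADIUS packet body (everything after the 20-byte header), as laid out in RFC 2865, and reports the IETF Idle-Timeout (attribute 28) and the Cisco VPN 3000 VSA [3076\050] named above. The sample packet body is constructed inline, and the VSA value is assumed to be encoded as a 4-byte integer like the IETF attribute.

```python
import struct

# RFC 2865 attribute numbers
IETF_IDLE_TIMEOUT = 28          # Idle-Timeout, integer, seconds
VENDOR_SPECIFIC = 26            # Vendor-Specific, carries vendor-id + sub-attributes
# Values from the thread: vendor 3076 (Cisco VPN 3000), sub-attribute 50
CISCO_VPN3000_VENDOR_ID = 3076
CVPN3000_IDLE_TIMEOUT = 50      # Authenticated-User-Idle-Timeout


def parse_avps(payload: bytes):
    """Split a RADIUS attribute section into (type, value) pairs.

    Each attribute is type(1) length(1) value(length-2). A length below 2 or
    past the end of the buffer is malformed and raises rather than looping.
    """
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def parse_vsa(value: bytes):
    """Decode a Vendor-Specific value: 4-byte vendor id, then
    vendor-type(1) vendor-length(1) data sub-attributes."""
    if len(value) < 4:
        raise ValueError("VSA shorter than vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs = []
    i = 4
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError(f"bad vendor attribute length {vlen}")
        subs.append((vtype, value[i + 2:i + vlen]))
        i += vlen
    return vendor_id, subs


def idle_timeouts(payload: bytes):
    """Return which idle-timeout attributes an Access-Accept body carries.

    'ietf' is attribute 28 in seconds; 'cvpn3000' is the [3076\\050] value
    (assumed here to be a 4-byte integer). Either is None when absent.
    """
    result = {"ietf": None, "cvpn3000": None}
    for atype, value in parse_avps(payload):
        if atype == IETF_IDLE_TIMEOUT and len(value) == 4:
            result["ietf"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(value)
            if vendor_id == CISCO_VPN3000_VENDOR_ID:
                for vtype, data in subs:
                    if vtype == CVPN3000_IDLE_TIMEOUT and len(data) == 4:
                        result["cvpn3000"] = struct.unpack("!I", data)[0]
    return result


def build_avp(atype: int, value: bytes) -> bytes:
    """Encode one attribute (used only to build the constructed sample)."""
    return bytes([atype, len(value) + 2]) + value


def build_vsa(vendor_id: int, vtype: int, data: bytes) -> bytes:
    """Encode one Vendor-Specific attribute with a single sub-attribute."""
    sub = bytes([vtype, len(data) + 2]) + data
    return build_avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


# Constructed sample body: an Access-Accept carrying both forms of the timeout,
# IETF Idle-Timeout = 1800 seconds and CVPN3000 sub-attribute 50 = 30.
SAMPLE_BODY = (
    build_avp(IETF_IDLE_TIMEOUT, struct.pack("!I", 1800))
    + build_vsa(CISCO_VPN3000_VENDOR_ID, CVPN3000_IDLE_TIMEOUT, struct.pack("!I", 30))
)

if __name__ == "__main__":
    print(idle_timeouts(SAMPLE_BODY))
```

To use it against a real exchange, capture the Access-Accept between ACS and the ASA, strip the 20-byte RADIUS header (code, identifier, length, authenticator) and feed the remainder to `idle_timeouts`. If neither value appears, the problem is on the ACS side (attribute not enabled for that group or not sent); if the value is present, the ASA is receiving but not honouring it, which is the case the thread ends up concluding.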

darpotter Thu, 07/16/2009 - 00:37

Looks like you need to open a TAC case against the ASA server.

It's one thing to list a load of old vpn 3K VSAs and say they are "supported" by the PIX/ASA.. that just means it won't barf if you send them. It's another thing to say that they are "fully supported".

Clearly the idle timeout VSA is not fully supported.
