setting remote access vpn idle timeout via Secure ACS server

laurabriscoe (Level 1)

I am using Secure ACS 4.2 RADIUS to authenticate IPsec VPN clients. There are two different groups of users with different downloadable ACLs and rights. I would like to set the vpn-idle-timeout to a different value for each group. I have tried using the IETF RADIUS attribute setting, but it does not work. Can I do this via Secure ACS? If so, how?

5 Replies

darpotter (Level 5)

The RADIUS Idle-Timeout attribute probably should work with Cisco VPN gear.

The 3000 range of concentrators has a VSA called "CVPN3000-Authenticated-User-Idle-Timeout" that might work, depending on your VPN server type.

Otherwise, talk to the vendor and find out if they support vendor specific attributes to set the idle timeout.

Thanks for the response. I am actually using it with an ASA 5510 for VPN access, so you'd think it would work. For some reason, even if I have the vpn-idle-timeout set for the group policy on the ASA, it is not timing out. I am running 8.0(4)16 on the ASA.

Ah, well in that case it sounds like the VPN isn't connecting the session with its own group policy.

FWIW, this doc (http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ad.pdf) says the ASA supports the VPN 3000 attributes, so you should be able to set it using the CVPN-XXXX VSAs defined in ACS :)

Yes, you are right, and I have those attributes on and showing in my group settings. I have the [3076\050] Authenticated-User-Idle-Timeout checked and have set the value to both 1800 (in case it was seconds) and 30 for minutes, but it never times the session out if idle.

Maybe I'm using the wrong stuff - my goal is to have a user disconnected from the VPN session if they are idle for 30 minutes. I know they are connecting with that group's settings because I am also using downloadable ACLs from the ACS to control their access, and that is working.

Looks like you need to open a TAC case against the ASA.

It's one thing to list a load of old VPN 3K VSAs and say they are "supported" by the PIX/ASA; that just means it won't barf if you send them. It's another thing to say that they are "fully supported".

Clearly the idle timeout VSA is not fully supported.
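The thread turns on whether the ASA honours the IETF Idle-Timeout attribute or the [3076\050] Authenticated-User-Idle-Timeout VSA when ACS returns them. The following is an added example, not code from the thread or from Cisco: it encodes both attributes into a RADIUS Access-Accept exactly as RFC 2865 lays them out (Idle-Timeout is attribute 28; a VSA rides inside Vendor-Specific attribute 26 with a 4-byte Vendor-Id followed by the vendor type/length/data), computes and checks the Response Authenticator, and parses the packet back. That is enough to compare against a capture of what ACS actually sends the ASA, which is the first thing to verify before opening a TAC case. RFC 2865 defines Idle-Timeout in seconds; the thread does not settle the VSA's unit (the poster tried both 1800 and 30), so the code only carries the raw integer. The request authenticator and shared secret in `demo()` are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers from RFC 2865
IETF_IDLE_TIMEOUT = 28            # Idle-Timeout, 32-bit integer, seconds
VENDOR_SPECIFIC = 26              # carrier for vendor attributes
# Vendor ID and vendor type as ACS lists them: [3076\050] Authenticated-User-Idle-Timeout
VENDOR_ID_3076 = 3076
VSA_AUTH_USER_IDLE_TIMEOUT = 50

ACCESS_ACCEPT = 2


def _tlv(atype: int, value: bytes) -> bytes:
    """Type-Length-Value as RADIUS encodes it; Length counts the 2 header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def ietf_idle_timeout(seconds: int) -> bytes:
    """IETF Idle-Timeout (28) carrying a 32-bit big-endian integer of seconds."""
    return _tlv(IETF_IDLE_TIMEOUT, struct.pack("!I", seconds))


def vsa_3076(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id(4) + Vendor-Type(1) + Vendor-Length(1) + data."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return _tlv(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID_3076) + inner)


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attrs: bytes) -> bytes:
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + auth + attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """Recompute the Response Authenticator; the NAS side of the check."""
    head, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(attrs: bytes) -> list:
    """Return ('ietf', type, value) or ('vsa', vendor_id, vendor_type, value) tuples,
    rejecting truncated or overlong lengths instead of reading past the buffer."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad VSA length")
            out.append(("vsa", vendor_id, vtype, value[6:4 + vlen]))
        else:
            out.append(("ietf", atype, value))
        i += alen
    return out


def idle_timeouts(packet: bytes) -> dict:
    """Pull both idle-timeout attributes out of an Access-Accept, if present."""
    found = {}
    for item in parse_attributes(packet[20:]):
        if item[0] == "ietf" and item[1] == IETF_IDLE_TIMEOUT:
            found["ietf_idle_timeout_seconds"] = struct.unpack("!I", item[2])[0]
        elif item[0] == "vsa" and item[1] == VENDOR_ID_3076 \
                and item[2] == VSA_AUTH_USER_IDLE_TIMEOUT:
            found["vsa_3076_50_value"] = struct.unpack("!I", item[3])[0]
    return found


def demo():
    # Constructed sample values (not from a real exchange): request authenticator
    # as the NAS would have sent it, and a made-up shared secret.
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    attrs = ietf_idle_timeout(1800) + vsa_3076(VSA_AUTH_USER_IDLE_TIMEOUT, struct.pack("!I", 30))
    pkt = build_access_accept(7, req_auth, secret, attrs)
    if not verify_response_authenticator(pkt, req_auth, secret):
        raise RuntimeError("authenticator mismatch")
    return pkt, idle_timeouts(pkt)


if __name__ == "__main__":
    packet, timeouts = demo()
    print(packet.hex())
    print(timeouts)
```

If a capture of the real Access-Accept shows attribute 28 or the 3076/50 VSA present and correctly encoded, the RADIUS side is doing its job and the problem is the ASA's handling of the attribute, which is the conclusion the last reply reaches.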
