acs user database

Nov 4th, 2009

Can I limit the number that can use a specific user entry to 1 at a time in ACS?

ansalaza Wed, 11/04/2009 - 10:14

Hi, do you mean the number of times that user can log in? If so, that would depend on setting up accounting on the AAA Client that the User is logging into...

Having accounting enabled would allow ACS to know how many times the user has logged in, and therefore, you can limit the number of connections to only one.

User Setup, look for: Max Sessions

darpotter Thu, 11/05/2009 - 01:37

Before using the Max Sessions feature, check your accounting start/stop messages first.

For the feature to work, both start & stop packets must have the NAS-Port attribute AND it must contain the SAME UNIQUE value in both start/stop packets that matches the value from the authentication request.

You'd be surprised how many devices don't do this - particularly VPN and Wireless that don't have physical ports.

If these conditions aren't met, max sessions will not work and you end up with users not being able to connect.
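
An added example, not part of the original thread and not a Cisco tool: a small checker for the NAS-Port conditions listed in the reply above, run over constructed records. The tuple layout, the function name and all sample values are assumptions; a real check would read the same fields from the NAS's accounting log or a packet capture.

```python
# Constructed sample records, not captured traffic:
# (packet kind, User-Name, NAS-IP-Address, NAS-Port or None, Acct-Session-Id)
SAMPLE = [
    ("auth",  "alice", "10.0.0.1", 5,    None),
    ("start", "alice", "10.0.0.1", 5,    "a1"),
    ("stop",  "alice", "10.0.0.1", 5,    "a1"),  # clean: same port throughout
    ("auth",  "bob",   "10.0.0.2", 0,    None),
    ("start", "bob",   "10.0.0.2", 0,    "b1"),
    ("auth",  "carol", "10.0.0.2", 0,    None),
    ("start", "carol", "10.0.0.2", 0,    "c1"),  # port 0 reused while b1 is open
    ("stop",  "bob",   "10.0.0.2", None, "b1"),  # stop sent without NAS-Port
    ("auth",  "dave",  "10.0.0.3", 7,    None),
    ("start", "dave",  "10.0.0.3", 9,    "d1"),  # differs from the auth request
]

def check_max_sessions_prereqs(records):
    """Return (session_id, problem) pairs for records that break the conditions."""
    findings = []
    auth_port = {}  # (user, nas) -> NAS-Port in the latest authentication request
    open_sess = {}  # session id -> (nas, port) taken from its start packet
    for kind, user, nas, port, sid in records:
        if kind == "auth":
            auth_port[(user, nas)] = port
            continue
        if port is None:
            findings.append((sid, f"{kind} has no NAS-Port"))
        if kind == "start":
            if port is not None and auth_port.get((user, nas)) != port:
                findings.append((sid, "start NAS-Port differs from auth request"))
            if port is not None and (nas, port) in open_sess.values():
                findings.append((sid, "NAS-Port not unique among open sessions"))
            open_sess[sid] = (nas, port)
        elif kind == "stop":
            started = open_sess.pop(sid, None)
            if started is None:
                findings.append((sid, "stop without matching start"))
            elif port is not None and started[1] != port:
                findings.append((sid, "stop NAS-Port differs from start"))
    # Sessions with no stop in the sample would still count against the limit.
    findings += [(sid, "no stop seen") for sid in open_sess]
    return findings

if __name__ == "__main__":
    for sid, problem in check_max_sessions_prereqs(SAMPLE):
        print(sid, problem)
```
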

whanson Thu, 11/05/2009 - 03:32

Thanks a bunch. I take it then that since this is wireless it can't be done.

darpotter Fri, 11/06/2009 - 03:06

I wouldn't say it can't be done... but you have to look and make sure the NAS-Port attribute looks sensible. Going back a few years I know Aironet, for example, was quite tricky to make work with max sessions.

The other thing is that because wifi comes and goes it's hard for the AP to know when the session has finished. Max sessions was implemented with Dial in mind (yes, that's how old it is!!!), i.e. real physical ports.

With wifi you could look at the number of MAC IDs in use by a user at any one time as a way to control concurrent sessions.

No, not impossible, but probably unlikely to work reliably.

