ASA CUT-THROUGH PROXY CONCURRENT LOGIN

Unanswered Question
Mar 10th, 2010

Hi all,


Does anybody know a method to limit a username login to only one per session? I mean, when user A does a successful login, nobody can log in with the same username as user A.



Any help would be appreciated.


Riko

Federico Coto F... Wed, 03/10/2010 - 09:35

Hi,


Which method of cut-through proxy authentication are you using? http, ftp, telnet?


Are you positive that after a user authenticates itself against the ASA, and it shows under 'sh uauth', another user can connect with the same credentials?


I haven't done the test, but I thought that while there was an entry in the uauth table, no other user can connect with the same credentials. Please verify this and if that's the case, post the output of 'show uauth'.


Federico.

riccardo-patti Wed, 03/10/2010 - 14:47

Hi,


I am using cut-through proxy authentication for http.


I can log on with the same user from 2 different PCs simultaneously, as shown below:


PIX# sh uauth
                             Current         Most Seen
Authenticated Users       2          2
Authen In Progress        0          1
user 'test' at 192.168.0.2, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
user 'test' at 192.168.0.3, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
PIX#


Any ideas?

riccardo-patti Thu, 03/11/2010 - 04:36

I have found this:


To manually configure the uauth session limit by setting the maximum number of concurrent proxy connections allowed per user, use the aaa proxy-limit command in global configuration mode. To disable proxies, use the disable parameter. To return to the default proxy-limit value (16), use the no form of this command.


aaa proxy-limit (proxy_limit)


I will try this ASAP.


Riko

riccardo-patti Thu, 03/11/2010 - 04:56

The aaa proxy-limit command did not resolve the problem: it concerns concurrent login attempts, not concurrent user sessions...

Federico Coto F... Thu, 03/11/2010 - 11:36

This is interesting. I know that if you're authenticating against another server, for instance ACS, you can set that up, but locally on the ASA I'm not sure.


ASA(config)# aaa local authentication attempts max-fail ?

configure mode commands/options:
  <1-16>  Specify the value for max failed attempts (1 - 16)


The previous command was for the number of tries given to a user.


To be able to limit the number of connections per user (using the local database of the ASA) I have not found an option.

I will try to check and get back to you.


Federico.
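
The condition discussed in this thread (one username authenticated from more than one address) can be checked from collected 'sh uauth' output. The script below is an added example, not part of any post in the thread. It assumes entry lines have exactly the form shown in the output posted above; the sample input is constructed, and the user 'alice' and the function names are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the 'sh uauth' output posted in the thread,
# plus one made-up user ('alice') who is authenticated from a single host.
SAMPLE_UAUTH = """\
                        Current    Most Seen
Authenticated Users       3          3
Authen In Progress        0          1
user 'test' at 192.168.0.2, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
user 'test' at 192.168.0.3, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
user 'alice' at 192.168.0.10, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
"""

# Matches entry lines such as: user 'test' at 192.168.0.2, authenticated
# Assumption: only this line format (as seen in the thread) is handled.
ENTRY_RE = re.compile(
    r"^user '(?P<user>[^']+)' at (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), authenticated$"
)


def parse_uauth(text):
    """Return {username: sorted list of distinct source IPs} from uauth output."""
    sessions = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # header and timeout lines do not match and are skipped
            sessions[m.group("user")].add(m.group("ip"))
    return {user: sorted(ips) for user, ips in sessions.items()}


def concurrent_logins(text, max_hosts=1):
    """Return only the users authenticated from more than max_hosts addresses."""
    return {u: ips for u, ips in parse_uauth(text).items() if len(ips) > max_hosts}


if __name__ == "__main__":
    for user, ips in sorted(concurrent_logins(SAMPLE_UAUTH).items()):
        print(f"ALERT: user {user!r} authenticated from {len(ips)} hosts: "
              f"{', '.join(ips)}")
```
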
