cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
895
Views
0
Helpful
5
Replies

ASA CUT-THROGH PROXY CONCURRENT LOGIN

riccardo-patti
Level 1
Level 1

Hi all,

Does anybody know a method to limit a username login to only one per session? I mean when user A does a successfully login, nobody can not login with the same username of user A.

Any help would be appreciated.

Riko

5 Replies 5

Hi,

Which method of cut-through proxy authentication are you using? http, ftp, telnet?

Are you positive that after a user authenticates itself against the ASA, and it shows under ''sh uauth'', another user can connect with the same credentials?

I haven't done the test, but I thought that while there was an entry in the uauth table, no other user can connect with the same credentials. Please verify this and if that's the case, post the output of the ''show uauth'.

Federico.

Hi,

I am using cut-through proxy authemtication for http.

I can logon with the same user from 2 different pc's simultaneously as shown below:

PIX# sh uauth
                             Current         Most Seen
Authenticated Users       2          2
Authen In Progress        0          1
user 'test' at 192.168.0.2, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
user 'test' at 192.168.0.3, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
PIX#

Any ideas?

I have found this:

To manually configure the uauth session limit by setting the maximum number of concurrent proxy connections allowed per user, use the aaa proxy-limit command in global configuration mode. To disable proxies, use the disable parameter. To return to the default proxy-limit value (16), use the no
form of this command.

aaa proxy-limit (proxy_limit)

I will this try asap.

Riko

The command aaa proxy-limit did not resolve the problem: it regards the concurrent login attempt, not the concurrent user session.....

This is interesting, I know that if you're authenticating against another server for instance ACS, you can set up that, but locally on the ASA I'm not sure.

ASA(config)# aaa local authentication attempts max-fail ?

configure mode commands/options:
  <1-16>  Specify the value for max failed attempts (1 - 16)

The previous command was for the amount of tries given to a user.

To be able to limit the amount of connections per user (using the local database of the ASA) I have not found an option.

I will try to check and get back to you.

Federico.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: