Single Session per Authentication/MAC

Unanswered Question
Aug 31st, 2012

Hi All


We are in the process of deploying wireless for a customer with ACS, where we want a single user/machine to have a login checked against an External Identity Store and have only one session at a time.


i.e. if User A logged in with Machine A, he should not be able to use Machine B for the same authentication even if Machine B is MAC authenticated (please note that MAC authentication is not necessary, but one user should use only one machine).



I am a little new to ACS/Wireless; any help would be highly appreciated.


Many thanks for reading me.

Bastien Migette Fri, 08/31/2012 - 01:35
User Badges:
  • Cisco Employee,

Hi tarun,


I think you are looking for the new feature in ACS 5.3:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp195861


Maximum user sessions

Allows you to restrict the user from too many concurrent user sessions. The permitted number of concurrent user sessions is between 1 and 65535.

For more information on this see:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/access_policies.html#wp1176806




Hope this helps

youthonprogress Tue, 09/04/2012 - 03:08

Hi Bastien


Thanks for your answer. I have tried to put this in place but was unable to succeed in any way. It doesn't work for me. Maybe I am not configuring it properly.


The user is getting access in all possible logins. I am using RADIUS and have enabled both Auth and Acc from the WLC. I can even see the Auth and Acc messages in the ACS logs.


Any Help Guys!


Thanks in advance.

Bastien Migette Tue, 09/04/2012 - 03:20
User Badges:
  • Cisco Employee,

Hello Tarun,


In this menu:

System Administration > Users > Max User Session Global Settings

You can define the RADIUS session attributes that will be used to uniquely identify sessions. Please make sure that your NAD sends all of these attributes on the accounting start and that they are identical on all attempts for the same user. You may also try to use more permissive session keys, like only the username, for example.

More info here:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/access_policies.html#wp1163339


If that doesn't work, maybe you should open a TAC Case.


Regards,
Bastien
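
The two checks suggested in the reply above can be run over accounting records exported from the logs. The following is an added example, not part of the original thread and not ACS code; the session key tuple, the record layout (one dict per Accounting-Request) and the sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed session key: replace with the attributes actually configured under
# System Administration > Users > Max User Session Global Settings.
SESSION_KEY = ("User-Name", "Calling-Station-Id", "NAS-IP-Address")

# Constructed sample Accounting-Request records (not captured from a real WLC).
SAMPLE = [
    {"Acct-Status-Type": "Start", "User-Name": "alice",
     "Calling-Station-Id": "00-11-22-33-44-55", "NAS-IP-Address": "192.0.2.10"},
    {"Acct-Status-Type": "Start", "User-Name": "alice",
     "Calling-Station-Id": "66-77-88-99-aa-bb", "NAS-IP-Address": "192.0.2.10"},
    {"Acct-Status-Type": "Start", "User-Name": "bob",
     "NAS-IP-Address": "192.0.2.10"},          # Calling-Station-Id not sent
    {"Acct-Status-Type": "Interim-Update", "User-Name": "bob"},  # ignored
]

def audit_accounting_starts(records, session_key=SESSION_KEY):
    """Check Accounting-Start records against the configured session key.

    Returns (missing, varying):
      missing - [(record index, [key attributes absent or empty])]
      varying - {user: {attribute: sorted distinct values}} for key
                attributes that differ between that user's Start records
    """
    missing = []
    seen = defaultdict(lambda: defaultdict(set))
    for idx, rec in enumerate(records):
        if rec.get("Acct-Status-Type") != "Start":
            continue  # only the accounting start is checked here
        absent = [a for a in session_key if not rec.get(a)]
        if absent:
            missing.append((idx, absent))
        user = rec.get("User-Name")
        if not user:
            continue
        for attr in session_key:
            if rec.get(attr):
                seen[user][attr].add(rec[attr])
    varying = {}
    for user, attrs in seen.items():
        diff = {a: sorted(v) for a, v in attrs.items() if len(v) > 1}
        if diff:
            varying[user] = diff
    return missing, varying

if __name__ == "__main__":
    print(audit_accounting_starts(SAMPLE))
```

An attribute reported under `varying` is one that is not identical across a user's attempts, which makes it a candidate to leave out when trying the more permissive session key mentioned in the reply.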
