Cisco Support Community

New Member

ACS 5.3 deny onward ssh & telnet

Hi folks,

I have a query about restricting users in a specific user group. The restriction is to stop a user from connecting onwards to another device once that user is already logged on to a Cisco networking device. So essentially blocking the telnet and ssh commands.

I had this working previously, but I have been troubleshooting a CHAP authentication bug for the past few months with TAC, so I cannot recall how I did it the first time.

Initially I tried to build the restriction in 'Command Sets' but that doesn't work; I think I had built the restriction somewhere else the first time round but the memory escapes me. Any advice would be appreciated.

I have attached a screenshot of the 'Command Sets' and the 'Access Policy' configuration that did not work as expected. I can see in the AAA TACACS authentication log file that the onward connection via ssh was matched and allowed.

P.S. I even tried restricting all commands for the user profile in the command sets but telnet and ssh still work.



Cisco Employee


I think you may be referring to the Max Sessions feature.

You can go to Access Policies > Max User Session Policy > Max Session User Settings and define the maximum sessions for users in a group.

The feature is dependent on accounting for accurate session tracking.

New Member


Yes, yes, yes; thank you Jrabinow, can't believe I didn't see it right in front of my eyes. Thank you.
