Cisco Support Community
Community Member

ACS 5.5 - AD user session limit

Hi all, 

I have been looking for a solution to my problem for quite a long time, but still no luck. My client needs to restrict Active Directory users to logging in to one device at a time, and he wants this to be done by ACS. He has been using ACS 4.2 and has recently upgraded it to version 5.5. I have tried the Maximum user session limit option, but it is not working as per the requirement. Is there any way that this can be achieved? The limit needs to be applied on a per-user basis, as some of the executives need to be excluded as well. Looking forward to your response.

Regards, Sohail

Cisco Employee

Hi Sohail, 

We need to keep in mind that:

To make the maximum sessions work for user access like wireless, VPN, etc., the administrator should configure RADIUS accounting.

To make the maximum sessions work for device management, the administrator should configure TACACS+ session authorization and accounting.


For optimal performance, you can limit the number of concurrent users accessing network resources. ACS 5.5 imposes limits on the number of concurrent service sessions per user.
The limits are set in several different ways. You can set the limits at the user level or at the group level. Depending upon the maximum user session configurations, the session count is applied to the user.


The link listed below may come in handy while configuring the same feature.

Hope this helps.



Jatin Katyal

*Do rate helpful posts*


Community Member

I'm having the same problem on our network using ACS VM 5.5 with the latest update patch. It is used to authenticate wireless users from a Cisco WLC 4402 7.0.220 using AAA RADIUS. Authentication and accounting are working fine, and ACS is receiving RADIUS start/stop accounting messages, but the user session limit for a group is set to 1 and is not working. Users are authenticated either via AD with group mapping to a local identity group, or as a local internal user from a specific identity group; the issue affects both types of users.
Community Member

Hello, everyone!

I have the same problem. ACS, WLC 5508, authentication with AD.

I set up AD group mapping and configured RADIUS accounting (I can see "start" and "stop" RADIUS messages in the log). Everything works fine (group mapping works correctly, authentication passes OK). But the maximum session restriction for one user doesn't work at all. I tried to set it at the global and at the group level, but ACS just ignores this condition.

Do you have any idea how to troubleshoot this problem? 
