Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1004
Views
0
Helpful
3
Replies

ACS 5.5 - AD user session limit

Sohail Muhammad
Level 1
Level 1

‎03-29-2014 08:52 AM - edited ‎03-10-2019 09:35 PM

Hi all, 

I have been looking for the solution of my problem since quite long but still no luck. My client needs to restrict Active Directory users to login to one device at a time and he wants this to be done by ACS. He has been using ACS 4.2 and he has recently upgraded it to version 5.5. I have tried the Maximum user session limit option but it is not working as per the requirement. Is there any way that this can be achieved? The limit needs to be applied on Per user basis as some of the executives need to be excluded as well. Looking forward for your response.

Regards, Sohail

3 people had this problem
Labels:
0 Helpful
3 Replies 3

Jatin Katyal
Cisco Employee
Cisco Employee

‎03-30-2014 12:46 AM

 

Hi Sohail, 

We need to keep in mind that:

To make the maximum sessions work for user access like wireless, vpn etc, the administrator should configure RADIUS accounting.

To make the maximum sessions work for device management, the administrator should configure TACACS+ session authorization and accounting

 

For optimal performance, you can limit the number of concurrent users accessing network resources. ACS 5.5 imposes limits on the number of concurrent service sessions per user.
The limits are set in several different ways. You can set the limits at the user level or at the group level. Depending upon the maximum user session configurations, the session count is applied to the user.

 

The below listed link may come handy while confguring the same feature.

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/access_policies.html#pgfId-1176806

Hope this helps.

 

Regards,

Jatin Katyal

*Do rate helpful posts*

 

 

~Jatin
0 Helpful

habib.souag
Level 1
Level 1

‎08-02-2014 02:42 AM

I'm having the same problem on our network using ACS VM 5.5 with the latest update patch, it is used to authenticate wireless users from a Cisco WLC 4402 7.0.220 using aaa radius, authentication and accounting is working fine acs is receiving radius start / stop accounting messages but user session limit for a group is set to 1 but not working, users are authenticated either via AD with group mapping to a local identity group or a local internal user from a specific identity group, the issue is for both type of users
0 Helpful

Aleksey Bolotin
Level 1
Level 1

‎01-28-2015 11:46 PM

Hello, everyone!

I have the same problem. ACS 5.5.0.46.7, WLC 5508, authentication with AD.

I made AD group mapping, configured RADIUS accounting (I can see "start"  and "stop" RADIUS messages in log). All things work fine (Group mapping works right, authentication passing is OK). But  the maximum session for one user restriction doesn't work at all. I tried to make it at global and at group level, but ACS just ignore this condition.

Do you have any idea how to troubleshoot this problem? 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents