Limit Network Access to 4hrs per day

zulbn
Level 1

Hi, I am trying to allow my remote dial-in user to have access to my network for only 4hrs per day. I am using ACS 3.0 for Windows and an AS5350 router.

#I have done the following on the ACS 3.0.

-enable the "Usage Quota" to 4hrs per day

#I have added the following on the AS5350:-

interface Virtual-Template1

timeout absolute 240 0

ppp timeout idle 600

However, the user is still able to log on for more than 4hrs per day, as the time is reset back to 4hrs each time they re-login.

Does anyone have a solution to this?

3 Replies

pvanvuuren
Level 3

Hi, the commands on your Virtual-Template1 are not needed, because ACS will do the time limit feature. You must remove them for ACS to do its thing.

Then check that this command is entered on your ACS 5350. (I'm assuming you're using RADIUS.)

aaa authorization network default group radius none

Hope this helps.

Hi there,

Txs for the reply. However, it does not do what is intended.

Upon dial-up, I will be able to access the network "more than 4hrs" (even 5hrs) until I log out. After logging in again, I will then be denied access to the network. I thought that once the ACS accounts that it has reached 4hrs, it should disconnect the user. It looks like the ACS did not issue a command to disconnect the user once the access time limit was reached. Looks like the time limit is not issued to the RAS.

Any idea how it can be resolved? Below are my AAA commands on the RAS.

Rgds,

:)zul

AS5350 AAA Commands

===================

aaa authentication login default local group radius enable

aaa authentication login console enable

aaa authentication ppp default group radius

aaa authorization network default group radius

aaa accounting update periodic 5

aaa accounting network default start-stop group radius

aaa session-id common

+++++++++++++++

Yip, I have tested this now using ACS3.2 with telnet access. The usage quota did work - halfway. I have set the group usage quota to 0.5 (half an hour) and opened a telnet session to the router. I configured:

"aaa accounting update periodic 2"

In ACS under the Network Configuration I enabled "Log Update/Watchdog Packets from this AAA Client" for that AAA client.

So 30 minutes passed and I was not "kicked" off. But upon attempting to relogin, authentication failed. In the ACS Failed Attempts report the Authen-Failure-Code was "Users Usage Quota has been exhausted". So it does work.

But as you said, ACS does not seem to "kick" off a user who has exceeded a given quota. I will see if I can find anything more on this. Because this is a magnificent feature - if only it would work right.

Cheers.
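
The behaviour reported in this thread (the quota is checked only when the user authenticates, so a session already in progress runs past the limit) can be modelled as below. This is an added example, not part of any post and not ACS or IOS code. It assumes a policy server that hands the remaining quota to the NAS as the standard RADIUS Session-Timeout attribute; whether ACS 3.x does this is not stated in the thread, and the user names and records are constructed.

```python
DAILY_QUOTA_S = 4 * 3600  # 4 h per day, the limit asked for in the thread

# Constructed accounting Stop records: (user, day, Acct-Session-Time in seconds)
SAMPLE_STOPS = [
    ("dialuser", "day1", 2 * 3600),
    ("dialuser", "day1", 90 * 60),
    ("other", "day1", 4 * 3600),
]

def used_seconds(stops, user, day):
    """Sum Acct-Session-Time for one user on one day."""
    return sum(t for u, d, t in stops if u == user and d == day)

def authorize(stops, user, day, quota=DAILY_QUOTA_S):
    """Decision taken at authentication time.

    Returns (accept, session_timeout). session_timeout is the remaining
    quota, intended to be sent as RADIUS Session-Timeout (attribute 27)
    so that the NAS itself ends the session when the quota runs out.
    """
    remaining = quota - used_seconds(stops, user, day)
    if remaining <= 0:
        return False, 0
    return True, remaining

def simulate_day(session_wishes, per_session_cap=None, quota=DAILY_QUOTA_S):
    """Replay the session lengths one user wants; return total seconds online.

    per_session_cap=None -> each session is capped at the remaining quota.
    per_session_cap=N    -> fixed cap per login (like 'timeout absolute'),
                            with the quota consulted only at login.
    """
    stops, total = [], 0
    for wish in session_wishes:
        ok, remaining = authorize(stops, "u", "d", quota)
        if not ok:
            break  # what the Failed Attempts report showed on re-login
        cap = remaining if per_session_cap is None else per_session_cap
        length = min(wish, cap)
        stops.append(("u", "d", length))
        total += length
    return total
```

With a fixed 240-minute cap per login, a 3-hour session followed by a second login still yields 7 hours online; capping each session at the remaining quota keeps the daily total at 4 hours.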
