Thanks for the reply. However, it does not do what is intended.
Upon dial-up, I am able to access the network for "more than 4hrs" (even 5hrs) until I log out. After logging in again, I am then denied access to the network. I thought the ACS would account, and once it reaches 4hrs, it should disconnect the user. It looks like the ACS did not issue a command to disconnect the user once the access time limit was reached. It looks like the time limit is not issued to the RAS.
Any idea how it can be resolved? Below are my aaa commands on the RAS.
AS5350 AAA Commands
aaa authentication login default local group radius enable
aaa authentication login console enable
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting update periodic 5
aaa accounting network default start-stop group radius
Yip, I have tested this now using ACS 3.2 with telnet access. The usage quota did work - halfway. I have set the group usage quota to 0.5 (half an hour) and opened a telnet session to the router. I configured:
"aaa accounting update periodic 2"
In ACS under the Network Configuration I enabled "Log Update/Watchdog Packets from this AAA Client" for that AAA client.
So 30 minutes passed and I was not "kicked" off. But upon attempting to re-login, authentication failed. In the ACS Failed Attempts report the Authen-Failure-Code was "Users Usage Quota has been exhausted". So it does work.
But as you said, ACS does not seem to "kick" off a user who has exceeded a given quota. I will see if I can find anything more on this. Because this is a magnificent feature - if only it would work right.
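The behaviour reported in the posts above (quota refused at the next login, while the running session stays up) can be spotted from the periodic accounting updates the RAS already sends. The following is an added example, not part of the original thread and not Cisco code; the record layout and sample data are constructed, and it assumes the quota counts time across all of a user's sessions.

```python
# Added example: flag users who are over a usage quota but still connected.
# The tuple layout is constructed for illustration; it is not an ACS export format.
from collections import defaultdict

QUOTA_SECONDS = int(0.5 * 3600)  # group quota of 0.5 hours, as in the telnet test

# Constructed records: (user, session id, Acct-Status-Type, Acct-Session-Time in s)
SAMPLE_RECORDS = [
    ("alice", "0001", "Start", 0),
    ("alice", "0001", "Interim-Update", 120),
    ("bob", "0002", "Start", 0),
    ("bob", "0002", "Interim-Update", 600),
    ("bob", "0002", "Stop", 900),
    ("carol", "0004", "Start", 0),
    ("carol", "0004", "Interim-Update", 300),
    ("alice", "0001", "Interim-Update", 1920),
    ("bob", "0003", "Start", 0),
    ("bob", "0003", "Interim-Update", 960),
]


def over_quota_sessions(records, quota=QUOTA_SECONDS):
    """Return {user: (used_seconds, [open session ids])} for users whose
    accumulated time exceeds the quota while a session is still open."""
    closed = defaultdict(int)  # user -> seconds from sessions that sent Stop
    live = defaultdict(dict)   # user -> {session id: latest Acct-Session-Time}
    for user, sid, status, secs in records:
        if status == "Stop":
            live[user].pop(sid, None)
            closed[user] += secs
        else:  # Start or Interim-Update: keep the highest counter seen so far
            live[user][sid] = max(secs, live[user].get(sid, 0))
    result = {}
    for user, sessions in live.items():
        used = closed[user] + sum(sessions.values())
        if sessions and used > quota:
            result[user] = (used, sorted(sessions))
    return result


if __name__ == "__main__":
    for user, (used, sids) in over_quota_sessions(SAMPLE_RECORDS).items():
        print(f"{user}: {used}s used of {QUOTA_SECONDS}s, still connected on {sids}")
```

With "aaa accounting update periodic 2" the counters are at most two minutes stale, so a user can run that far past the quota before being flagged.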