New Member

setting remote access vpn idle timeout via Secure ACS server

I am using Secure ACS 4.2 Radius to authenticate ipsec vpn clients. There are two different groups of users with different downloadable ACLs and rights. I would like to set the vpn-idle-timeout to different values for each group. I have tried using the IETF Radius attribute setting but it does not work. Can I do this via Secure ACS? If so, how?

5 REPLIES
Silver

Re: setting remote access vpn idle timeout via Secure ACS server

The RADIUS Idle-Timeout attribute probably should work with Cisco VPN gear.

The 3000 range of concentrators have a VSA called "CVPN3000-Authenticated-User-Idle-Timeout" that might work depending on your vpn server type.

Otherwise, talk to the vendor and find out if they support vendor specific attributes to set the idle timeout.

New Member

Re: setting remote access vpn idle timeout via Secure ACS server

Thanks for the response. I am actually using it with an ASA 5510 for vpn access so you'd think it would work. For some reason even if I have the vpn-idle-timeout set for the group policy on the ASA it is not timing out. I am running 8.0.(4)16 on the ASA.

Silver

Re: setting remote access vpn idle timeout via Secure ACS server

Ah, well in that case it sounds like the VPN isn't connecting the session with its own group policy.

FWIW this doc (http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ad.pdf) says the ASA supports the vpn 3000 attributes... so you should be able to set it using the CVPN-XXXX VSAs defined in ACS :)

New Member

Re: setting remote access vpn idle timeout via Secure ACS server

Yes you are right and I have those attributes on and showing in my group settings. I have the [3076\050] Authenticated-User-Idle-Timeout checked and have set the value to both 1800 (in case it was seconds) and 30 for minutes but it never times the session out if idle.

Maybe I'm using the wrong stuff - my goal is to have a user disconnected from the vpn session if they are idle for 30 minutes. I know they are connecting with that group's settings because I am also using downloadable ACLs from the ACS to control their access and that is working.

Silver

Re: setting remote access vpn idle timeout via Secure ACS server

Looks like you need to open a TAC case against the ASA server.

It's one thing to list a load of old vpn 3K VSAs and say they are "supported" by the PIX/ASA.. that just means it won't barf if you send them. It's another thing to say that they are "fully supported".

Clearly the idle timeout VSA is not fully supported.
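Added example, not part of any post in this thread and not Cisco code: before opening a case it helps to confirm which timeout attributes the RADIUS server actually returns, so this sketch decodes the IETF Idle-Timeout (type 28) and the vendor 3076 / sub-attribute 50 VSA discussed above from the raw bytes of a captured Access-Accept. The function names and the sample packet are constructed for illustration, the values 1800 and 30 are the ones tried in the thread, and the Response Authenticator is not verified.

```python
import struct

IDLE_TIMEOUT = 28        # RFC 2865 Idle-Timeout (32-bit integer, seconds)
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific container
VPN3000_VENDOR = 3076    # vendor ID from the thread's "[3076\050]"
VPN3000_USER_IDLE = 50   # Authenticated-User-Idle-Timeout (units not assumed)


def tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]


def idle_timeouts(packet):
    """Return the idle-timeout attributes present in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found = {}
    for atype, value in tlvs(packet[20:length]):  # skip header + authenticator
        if atype == IDLE_TIMEOUT and len(value) == 4:
            found["ietf_idle_timeout"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) > 4:
            if struct.unpack("!I", value[:4])[0] != VPN3000_VENDOR:
                continue  # other vendors may not use TLV sub-attributes
            for vtype, vvalue in tlvs(value[4:]):
                if vtype == VPN3000_USER_IDLE and len(vvalue) == 4:
                    found["vpn3000_user_idle_timeout"] = struct.unpack("!I", vvalue)[0]
    return found


def attr(atype, value):
    """Encode one attribute: type, length (including 2-byte header), value."""
    return bytes([atype, len(value) + 2]) + value


def sample_access_accept():
    """Constructed packet: code 2 (Access-Accept), zeroed authenticator."""
    body = attr(IDLE_TIMEOUT, struct.pack("!I", 1800))
    body += attr(VENDOR_SPECIFIC, struct.pack("!I", VPN3000_VENDOR)
                 + attr(VPN3000_USER_IDLE, struct.pack("!I", 30)))
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body
```

If the decoded reply contains the expected attribute and value, the server side is doing its part and the question becomes how the VPN device applies it.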
