Cisco Support Community
New Member

Want ACS to terminate vpn connection after a specific amount of time

I have a pix 520 ver 6.2 to which I am having remote users vpn into using vpn 3000 client 3.5. The users are authenticated by ACS using radius and a per user access-list is downloaded for each user defining the networks he can reach. I am also doing split tunneling. The question I now have is:

1. Is there any way for the ACS server (3.0) using radius to disconnect the vpn connection for that user after a specified time, say 2hrs of connectivity (please don't confuse this with idle timeout)? I know it is possible using Tacacs+ and verified it, but I am forced to use the radius protocol because I also want to download a per-user access-list to the pix. Also, if it is possible using any special radius attributes, can someone provide or show me any link I can go through to configure the same. Also, if it is not possible, are there any plans of pix supporting download of per user access-list using tacacs+? Any help would be appreciated.

Cisco Employee

Re: Want ACS to terminate vpn connection after a specific amount

You could use the Downloadable PIX ACL functionality in ACS 3.0 and PIX 6.2 to download per-user ACLs. That way you could then use TACACS for the PIX and your timeout would work.

Go under the Shared Profile Components section of the ACS GUI and create your access-lists, these can then be downloaded on a per-user basis. Note that you may have to enable these per-user by going under Interface Config - Advanced Options and checking the "User-Level Downloadable ACLs" checkbox.

New Member

Re: Want ACS to terminate vpn connection after a specific amount

Thanks for your reply. I have set up the pix and the ACS the same way you have specified. The problem is, for pix to support downloadable ACLs you have to use radius as the protocol between the pix and the ACS. If I use tacacs+ as the protocol between the pix and the ACS I cannot use the downloadable ACL feature (it is a restriction of the pix; it supports only radius for the downloadable ACL feature). Now is there any way to enforce the timeout feature using radius (using any special attributes), or is there any other way to do the same? Any help will be appreciated.
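The thread asks whether a RADIUS server can hand the NAS an absolute session limit as an attribute. RFC 2865 defines Session-Timeout (attribute 27, an integer number of seconds the session may last before the NAS terminates it) and Idle-Timeout (attribute 28) for exactly that purpose in an Access-Accept. The example below is added here and is not code from the thread, from ACS or from the PIX; it builds an Access-Accept carrying a per-user Filter-Id (used only as a generic stand-in for the per-user ACL; ACS downloadable ACLs are a separate mechanism) plus a two-hour Session-Timeout, and shows the NAS-side steps a careful implementation performs before trusting the value: verify the Response Authenticator against the shared secret, then walk the attribute list with length checks. Whether PIX 6.2 honours Session-Timeout for VPN client sessions is not established by the thread, so the example demonstrates the protocol encoding, not PIX behaviour. The request authenticator, shared secret, identifier and ACL name are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types and packet code from RFC 2865 (real values).
FILTER_ID = 11        # text: name of a filter list the NAS should apply
SESSION_TIMEOUT = 27  # integer: max seconds before the NAS terminates the session
IDLE_TIMEOUT = 28     # integer: seconds of inactivity before termination
ACCESS_ACCEPT = 2

INTEGER_ATTRS = {SESSION_TIMEOUT, IDLE_TIMEOUT}


def encode_attribute(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length counts all three."""
    if attr_type in INTEGER_ATTRS:
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("integer attribute out of range")
        payload = struct.pack("!I", value)
    else:
        payload = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if len(payload) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def decode_attributes(data):
    """Walk an attribute list; reject malformed lengths instead of looping on them."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        payload = data[pos + 2:pos + length]
        if attr_type in INTEGER_ATTRS:
            if len(payload) != 4:
                raise ValueError("integer attribute must be exactly 4 bytes")
            value = struct.unpack("!I", payload)[0]
        else:
            value = payload.decode("utf-8", errors="replace")
        attrs.append((attr_type, value))
        pos += length
    return attrs


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attr_bytes = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attr_bytes))
    resp_auth = hashlib.md5(header + request_authenticator + attr_bytes + secret).digest()
    return header + resp_auth + attr_bytes


def verify_and_parse(packet, request_authenticator, secret):
    """NAS side: check the Response Authenticator before trusting any attribute."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    resp_auth = packet[4:20]
    attr_bytes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attr_bytes + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: reply not from a holder of the shared secret")
    return code, identifier, decode_attributes(attr_bytes)


def session_limit_from_accept(attrs):
    """Return the absolute session limit in seconds, or None if the server sent none."""
    for attr_type, value in attrs:
        if attr_type == SESSION_TIMEOUT:
            return value
    return None


if __name__ == "__main__":
    # Constructed sample values: fake request authenticator, shared secret and ACL name.
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    pkt = build_access_accept(0x2A, req_auth, secret, [
        (FILTER_ID, "vpn-user-acl"),   # per-user filter name (constructed)
        (SESSION_TIMEOUT, 7200),       # 2 hours, the limit asked about in the thread
    ])
    code, ident, attrs = verify_and_parse(pkt, req_auth, secret)
    print(code, ident, attrs, session_limit_from_accept(attrs))
```

The verification step matters for the use in the thread: a Session-Timeout is only as trustworthy as the packet it arrives in, and a NAS that parsed attributes before checking the Response Authenticator would accept a forged limit (or a forged absence of one). Note also that a server that omits Session-Timeout yields `None` here, so the caller must decide on a default rather than silently granting an unlimited session.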
