Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
271
Views
0
Helpful
2
Replies

Want ACS to terminate vpn connection after a specific amount of time

mohammed.ibrahim
Level 1
Level 1

‎10-30-2002 11:32 PM - edited ‎02-21-2020 12:09 PM

I have a pix 520 ver 6.2 to which I am having remote users vpn into using vpn 3000 client 3.5. The users are authenticated by ACS using radius and a per user access-list is downloaded for each user defining the networks he can reach. I am also doing split tunneling. The question now I have is

1 Is there any way for the ACS server (3.0) using radius to to disconnect the vpn connection for that user after a specified time say 2hrs of conectivity (please don't confuse this with idle timeout). I know it is possible using Tacacs+ and verified it but I am forced to use the radius protocol because I also want to download a peruser access-list to the pix. Also if it is possibe using any special radius attributes can some one provide or show me any link I can go through to configure the same. Also if it is not possible is there any plans of pix supporting download of per user access-list using tacacs+. Any help would be appreciated.

Labels:
0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎10-31-2002 03:53 PM

You could use the Downloadable PIX ACL functionality in ACS 3.0 and PIX 6.2 to download per-user ACL's. That way you could then use TACACS for the PIX and your timeout would work.

Go under the Shared Profile Components section of the ACS GUI and create your access-lists, these can then be downloaded on a per-user basis. Note that you may have to enable these per-user by going under Interface Config - Advanced Options and checking the "User-Level Downloadable ACLs" checkbox.

0 Helpful

mohammed.ibrahim
Level 1
Level 1
In response to gfullage

‎10-31-2002 10:49 PM

Thanks for your reply. I have setup the pix and the ACS the same way you have specified. The problem is for pix to support downloadable ACL's you have to use raduis as the protocol between the pix and the ACS. If I use tacacs+ I as the protocol between the pix and the ACS I cannot use the acl downloadable feauture (it is a restriction of the pix it supports only radius for the acl downloadable feature.) Now is there any way to enforce the timeout feature using radius (using any special attributes) or is there any other way to do the same. Any help will be appreciated.

0 Helpful
Customers Also Viewed These Support Documents