Cisco AAA/Identity/Nac :: ACS 5.1 Active Sessions Are Over Limit Warning?
Jan 14, 2011
We are using ACS 5.1 and from time to time we are getting a warning saying that the active sessions are over the limit (250000). It is just a warning, so my assumption is that its not a big deal, but how do we keep from getting the event, or prevent the event?
I've looked at the forum posts and the document post, and I understand the explanations. My question is, under system administration>max user session global settings, would setting a timeout (say 1 hour) purge these sessions?
Under access policies, I am not enforcing max concurrent sessions per user, due to some of our devices using a generic log in. But if I understand the explanation, and my understanding might be wrong, then setting an expiry timeout should purge the accounting sessions, right?
I have recently enabled the SMTP alert function in ACS 5.3. It seems to work well for most of the alerts. One thing though, the active sessions are over limit warning that comes up every so often. I know it is not impacting operations and it is ACS's way of clearing out sessions that had no accounting stop, but how do I disable this alert from being sent by e-mail from ACS 5.3?
I have the default license for a ASA 5505 and this last Friday I received the attached log for SSH sessions through this firewall; we want to be clear about this issue. This limitation has to be with the 10 Inside Host or the Total VPN Peers limitations in this license? This firewall exists only to agree with a PCI requirement between our router and a communication with a Payment Card Industry Brand, all of this in the same site.
We are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. whether this can be achieved by making configuration changes in ACS.
I have a hub and spoke network with over 100 remote sites that connect to me via ipsec vpn. One of these locations, the only one using FIOS coincidently, is initiating 200+ tunnels back to my side which is causing saturation issues on my DS3. (I can post config if requested), and how can I limit the number of active tunnels it's establishing?
we use an asa5520 like vpn termination point, asa uses acs5.3 for authentication purpose, and all seems to work properly,but acs5.3 doesn't purge user sessions when vpns terminate; I can see many user "logged-in" into menu System Administration --> Users --> Purge User Sessions; this is a problem, because we have configured max session per user how can avoid this problem? is there any new configuration to implement into asa?
we need to configure max session per user, but there is only a global option applyed to all users.how can we configure user accounting? we need to know how long a user is connected via vpn session.
We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?
Few days ago in my wireless infrastrucer i deploy Cisco ACS 5.0 with Active directory integration. My wireless users are login through web authentication process. The authentication process is passed by AD & its working fine. But i want to do a work on my ACS 5.0 that a user cannot login simultaneously multiple device at a time.
I have installed ACS 5.2 and configured it to join the Company's Domain as an External database with Active directory 2008. I'm facing a problem that the user once authenticated using it's active directory account it's cached in the ACS and take a while for the ACS to clear this username. For example, if user TEST authenticates and then we removed this user from the AD and then tried again; it authenticates although this users is removed from the AD !!! same thing happens when we change the user group on the AD, it takes a while for the ACS to clear the old user attributes and get the new ones from the AD.
it there an aging time for this caching mechanism, or can i clear the dynamic users manually just like in ACS 4.X ?
Seems to me that regardless of the command set that once you allow a user into Config mode all bets are off. I want to allows certain users only certain actions (like assinging ports to a different vlan) but once in Config mode none of them matter, and the user has free reign.
1. Is it even possible to restrict which commands a users has under Config mode?
2. If so, is there a specific way withing ACS 5.3 or on the router/switch itself that this needs to be defined?
I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
I'm attempting to integrate an acs 5v into the domain through the gui. The connection will establish, and the status will read 'connected', just as it lists the domain I've submitted. However, I can't seem to find anything listed under the directory groups, and when I run a connection test, I simply get 'Global Catalogue port status error.' Eventually, I'd like to configure this as a radius server.
question 1. in the typical active directory environment and doing wireless/wired 802.1x authentication on endpoints, should ACS join as a domain computer?
question 2. for the endpoint (domain computer) join the domain, in this case is the endpoint will trust the ACS ( also domain computer) ?
question 3. what if there's a GPO policy to install the rootCA certificate toward the endpoints. In this case, ACS should issue the CSR and let the domain CA to signed as the identity certificate? Am i correct?
I am working with ACS 5.2 and using Radius authentication for vpn client.
The authentication method used is Active Directory in an Windows enviroment with multiple domains in the same forest.
My problem occurs when i change a user from one group to another in Active Directory. After that i receive the following message when try to connect:
15039 Selected Authorization Profile is DenyAccess
The message is because match the default policy. Another user in the same AD group works fine. All domain in the forest have trust relation each other. I am using universal groups to include users from all domain belongs this forest.
A customer uses Active Directory where some group names contain special characters (ç ~ '^). The Cisco ACS 5.2 is presenting the warnings: "Not all Active Directory user groups are retrieved successfully. One or more of thegroup's canonical name was not retrieved "(Category CSC Oacs_ Identity_ Stores_Diagnostics; code 24457).
What are the results of these warnings to the customer's network? Slow? Loss of access?
configure the Cisco ACS to authenticate the users from MS Active Directory. Cisco Acs = 4.2.1(15)Currently, i have multiple users configured as local databse. but now i want to authenticate with the domain users.
we have TACACS+ based AAA on our network equipment, authenticating against internal user database on a network of ACS 5.3s.What I want is to limit certain AAA users (namely automated tools) to be only permitted to authenticate from a list of known IPs.I can do this for authorization, easily, that isn't a problem. The problem is to only accept authentication attempts coming from certain IPs and ignore the rest. My problem is, as it is currently, the automated tools are prone to a sort of a DoS attack - if I attempt logging in to any device using the tool's user account and a wrong password, I can get the account disabled in five tries.
I want to ignore all authentication attempts, unless they are coming from well known source IPs.Ex: netmon user is the user for a tool running on server 10.20.30.40. If I try to log in from my own laptop with user netmon, it should fail, and the attempt ignored. Currently after five (or whatever is configured) failed attempts, the user will be disabled. Oly attempts from 10.20.30.40 should be considered for user netmon.I can't use ACLs on the devices, as I want other users to be able to log in from other IPs.
We are still running ACS 4.1 on Window 2003 server. We recently upgraded AD to 2008 although the domain and forest functional level are still 2003. After AD upgrade we now unable to authenticate via ACS Windows Database.
I have just recently purchased a 5505 Controller and 30 3502i AP's. On my main corporate WLAN, I would like to allow users to be able to authenticate via Active Directory username and password.I am also looking for as little client side set up as possible. From what I have researched, I will need to use some type of EAP method.
I have come across two methods that appear to be the top contenders.
EAP-FAST - The method seems to be a possibility but I see that it uses certificates. If I use this method, does it mean that I would have to import the certificates to each machine manually? Also, can I configure thsi to work with just the 5508 Controller and an AD Database server or do I need an intermediary like IAS or ACS?
PEAP/GTC - This method is also a possibility and I think that it does not require certificates. Does this also require an intermediary like ACS or IAS.
We have 2 CSACS 1121 with Cisco ACS 220.127.116.11.10 The primary server manages 20000+ authentications per day. Its memory utilization increases everyday. It is now at 83% , there a limit?,What will happen when memory utilization reach this limit?,What can we do to purge memory utilization? (reboot, service restart.
i have installed system (Windows Server 2003) and i have configure Active directory for testing and configure one user under it ( TEST01)now on the same machine i have installed Cisco ACS 4.2.i'm trying to Authenticate (TEST01) using ACS but it's not working, i can't even see the logs under EVENTVIWER. simple and easy to configure since both AD and ACS is on the same machine.
I need to change the username and password ACS uses to connect to AD. I do a "clear configuration" and reboot and am unable to join the ACS appliance back into my AD with a different username and password. I am able to rejoin the ACS machine to the domain using the original username and pass. how to clear all of the AD config off of the appliance and start fresh and use a new account to join AD?
customer provide quite large network with dot1x deployment - there is dual ACS5.3 servers for authentication Wired, VPN and WiFi access. Users (and computers) are mostly authenticated against Active Directory - there are several AD servers in the network.I found there is tens of cases every day with error message:24401 Could not establish connection with ACS Active Directory agent.This happens in random day and night time regardless on current authentication load. how to diagnose this more deeply? Or where to look for – is it problem with internal communication with AD Agent or is the problem in communication AD agent to AD servers? How is solved redundancy in case one AD server is not accessible – as there is no such setting in the AD connection configuration in ACS.
I know that our VPN users currently use Active Directory to authenticate their VPN sessions, so now I'm wondering if there is an easy way to configure my company's Cisco ASA 5510 to use either a Windows Server 2008 R2 Active Directory group (preferred method) or specific Active Directory users (less preferred) and authenticate them for management access (privilege level 15) using their Active Directory credentials. I do not want this to change the IP range used for ASDM/HTTPS/Telnet/SSH access (currently all local networks, no VPN), as those are settings that my company does not want changed.