Cisco AAA/Identity/Nac :: ACS 5.1 Active Sessions Are Over Limit Warning?

Jan 14, 2011

We are using ACS 5.1 and from time to time we are getting a warning saying that the active sessions are over the limit (250000).  It is just a warning, so my assumption is that its not a big deal, but how do we keep from getting the event, or prevent the event?

View 2 Replies


Cisco AAA/Identity/Nac :: ACS 5.4 - Active Sessions Over The Limit

Jan 1, 2013

I've looked at the forum posts and the document post, and I understand the explanations. My question is, under system administration>max user session global settings, would setting a timeout (say 1 hour) purge these sessions?
Under access policies, I am not enforcing max concurrent sessions per user, due to some of our devices using a generic log in. But if I understand the explanation, and my understanding might be wrong, then setting an expiry timeout should purge the accounting sessions, right?

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - Active Sessions Are Over Limit Email Alert

Aug 19, 2012

I have recently enabled the SMTP alert function in ACS 5.3. It seems to work well for most of the alerts. One thing though, the active sessions are over limit warning that comes up every so often. I know it is not impacting operations and it is ACS's way of clearing out sessions that had no accounting stop, but how do I disable this alert from being sent by e-mail from ACS 5.3?

View 3 Replies View Related

Cisco :: ASA 5505 Licensed Limit For SSH Sessions?

Sep 11, 2011

I have the default license for a ASA 5505 and this last Friday I received the attached log for SSH sessions through this firewall; we want to be clear about this issue. This limitation has to be with the 10 Inside Host or the Total VPN Peers limitations in this license? This firewall exists only to agree with a PCI requirement between our router and a communication with a Payment Card Industry Brand, all of this in the same site.
ASA5505 <164>Sep 09 2011 10:42:08: %ASA-4-450001: Deny traffic for protocol 6 src DMZ:X.X.X.X/2479 dst DMZ1:X.X.X.X/22, licensed host limit of 10 exceeded.
I hope that the communications through 22 TCP port, are not countable for license propose.
Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10
Failover                     : Disabled
VPN-DES                      : Enabled


View 1 Replies View Related

Cisco VPN :: How To Limit Maximum SSL VPN Sessions Per Group-policy On ASA5510

Nov 25, 2012

How to limit maximum SSL VPN sessions per group-policy on ASA5510?
There are 2 group-policy: in one maximum of 10 connections, in the second - 15 (In total licenses for SSL VPN 25 connections).

View 5 Replies View Related

Cisco AAA/Identity/Nac :: Restricting User Sessions In ACS 5.1?

Jul 26, 2011

We are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. whether this can be achieved by making configuration changes in ACS.

View 2 Replies View Related

Cisco VPN :: DS3 - Limit Number Of Active IPSec Connections Per Host

May 18, 2011

I have a hub and spoke network with over 100 remote sites that connect to me via ipsec vpn. One of these locations, the only one using FIOS coincidently, is initiating 200+ tunnels back to my side which is causing saturation issues on my DS3. (I can post config if requested), and how can I limit the number of active tunnels it's establishing?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Doesn't Purge User Sessions When VPNs Terminate

Feb 2, 2012

we use an asa5520 like vpn termination point, asa uses acs5.3 for authentication purpose, and all seems to work properly,but acs5.3 doesn't purge user sessions when vpns terminate; I can see many user "logged-in" into menu System Administration --> Users --> Purge User Sessions; this is a problem, because we have configured max session per user how can avoid this problem? is there any new configuration to implement into asa?
we need to configure max session per user, but there is only a global option applyed to all can we configure user accounting? we need to know how long a user is connected via vpn session.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Create Microsoft Active Directory (AD) Identity Store?

Jul 11, 2011

We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Limit AD Authentication With ACS 5.3

Feb 23, 2012

I need to limit to some AD groups, authentication with ACS 5.3.For example, i need that only users os are authenticatet via ACS --> ADS.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Login Limit Through ACS 5.0?

Jun 1, 2013

Few days ago in my wireless infrastrucer i deploy Cisco ACS 5.0 with Active directory integration. My wireless users are login through web authentication process. The authentication process is passed by AD & its working fine. But i want to do a work on my ACS 5.0 that a user cannot login simultaneously multiple device at a time.

View 21 Replies View Related

AAA/Identity/Nac :: ACS 5.2 With Active Directory

Mar 7, 2011

I have installed ACS 5.2 and configured it to join the Company's Domain as an External database with Active directory 2008. I'm facing a problem that the user once authenticated using it's active directory account it's cached in the ACS and take a while for the ACS to clear this username. For example, if user TEST authenticates and then we removed this user from the AD and then tried again; it authenticates although this users is removed from the AD !!! same thing happens when we change the user group on the AD, it takes a while for the ACS to clear the old user attributes and get the new ones from the AD.
it there an aging time for this caching mechanism, or can i clear the dynamic users manually just like in ACS 4.X ?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: How To Limit Config Actions With ACS 5.3

Mar 6, 2013

Seems to me that regardless of the command set that once you allow a user into Config mode all bets are off. I want to allows certain users only certain actions (like assinging ports to a different vlan) but once in Config mode none of them matter, and the user has free reign.
1. Is it even possible to restrict which commands a users has under Config mode?

2. If so, is there a specific way withing ACS 5.3 or on the router/switch itself that this needs to be defined?

View 1 Replies View Related

Cisco Firewall :: ASA 5520s From Active / Standby To Active / Active

Jul 17, 2012

I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: Active Directory And ACS 5.3 Failure?

May 21, 2012

I am receiving a RADIUS authentication failure stating user must change password; however, password has been changed in AD and is not requiring change password any longer on the AD side.
Is there a cache on the ACS that needs to be cleared? AD connection from ACS to domain is fine.  All other accounts authenticate.
It appears that if a user lets their account expire is when this happens.  Account has been reenabled in AD and password has been changed.  Still will not authenticate via ACS.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Active Directory Integration Acs 5.1?

Aug 24, 2011

I'm attempting to integrate an acs 5v into the domain through the gui. The connection will establish, and the status will read 'connected', just as it lists the domain I've submitted. However, I can't seem to find anything listed under the directory groups, and when I run a connection test, I simply get 'Global Catalogue port status error.' Eventually, I'd like to configure this as a radius server.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 802.1x / ACS In The Active Directory Environment?

Nov 9, 2011

question 1. in the typical active directory environment and doing wireless/wired 802.1x authentication on endpoints, should ACS join as a domain computer? 
question 2. for the endpoint (domain computer) join the domain, in this case is the endpoint will trust the ACS ( also domain computer) ?
question 3. what if there's a GPO policy to install the rootCA certificate toward the endpoints. In this case,  ACS should issue the CSR and let the domain CA to signed as the identity certificate? Am i correct?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Does Not Check Active Directory Changes

Oct 13, 2010

I am working with ACS 5.2 and using Radius authentication for vpn client.
The authentication method used is Active Directory in an Windows enviroment with multiple domains in the same forest.
My problem occurs when i change a user from one group to another in Active Directory. After that i receive the following message when try to connect:
15039 Selected Authorization Profile is DenyAccess
The message is because match the default policy. Another user in the same AD group works fine. All domain in the forest have trust relation each other. I am using universal groups to include users from all domain belongs this forest.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Active Directory Integration

Apr 24, 2012

A customer uses Active Directory where some group names contain special characters (ç ~ '^). The Cisco ACS 5.2 is presenting the warnings: "Not all Active Directory user groups are retrieved successfully. One or more of thegroup's canonical name was not retrieved "(Category CSC Oacs_ Identity_ Stores_Diagnostics; code 24457).

What are the results of these warnings to the customer's network? Slow? Loss of access?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Integration Of ACS 4.2 And MS Active Directory

Oct 21, 2010

configure the Cisco ACS to authenticate the users from MS Active Directory. Cisco Acs = 4.2.1(15)Currently, i have multiple users configured as local databse. but now i want to authenticate with the domain users.

View 11 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Limit AAA Authentication For Certain Users By Source IP

Jul 1, 2012

we have TACACS+ based AAA on our network equipment, authenticating against internal user database on a network of ACS 5.3s.What I want is to limit certain AAA users (namely automated tools) to be only permitted to authenticate from a list of known IPs.I can do this for authorization, easily, that isn't a problem. The problem is to only accept authentication attempts coming from certain IPs and ignore the rest. My problem is, as it is currently, the automated tools are prone to a sort of a DoS attack - if I attempt logging in to any device using the tool's user account and a wrong password, I can get the account disabled in five tries.
I want to ignore all authentication attempts, unless they are coming from well known source IPs.Ex: netmon user is the user for a tool running on server If I try to log in from my own laptop with user netmon, it should fail, and the attempt ignored. Currently after five (or whatever is configured) failed attempts, the user will be disabled. Oly attempts from should be considered for user netmon.I can't use ACLs on the devices, as I want other users to be able to log in from other IPs.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Use Two Servers ACS 5.2 In (primary And Secondary) Active?

Jun 16, 2011

it is possible de use two servers ACS 5.2 (primary and secondary) in active/ active? or just in active/ passive?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Authenticate ACS 5.2 Administrators To Active Directory?

Mar 21, 2011

Rather than maintaining local accounts is it possible to authenticate admins against AD?  I'm talking about administrators of the ACS server itself to be clear.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Active Directory Users Cache?

Jun 9, 2013

I've successfully integrated ACS 5.3 with Active Directory for 802.1x implementation. Now i want to cache Active Directory users in ACS so that the user request from ACS does not go to AD every time.
After a certain time period the ACS database gets sync with AD.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Active Directory No Administrator Account

Jul 14, 2011

I can add a ACS 5.1 to an Active Directory without using the administrator account, I have a domain administrator account by another name. I can use this account to include the ACS domain.
I have a account domain admin but when i try to add the ACS to AD have this message "can not resolve network address"
The DNS and network connectivity its OK

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Good Guide For 802.1X With ACS 5.2 With Active Directory

Sep 6, 2011

if someane has a good guide for 802.1X with ACS 5.2 with Active Directory.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.1 For Windows With Active Directory 2008

Sep 26, 2010

We are still running ACS 4.1 on Window 2003 server.  We recently upgraded AD to 2008 although the domain and forest functional level are still 2003.  After AD upgrade we now unable to authenticate via ACS Windows Database.

View 13 Replies View Related

Cisco AAA/Identity/Nac :: 5508 And Active Directory Integration Using EAP?

May 24, 2011

I have just recently purchased a 5505 Controller and 30 3502i AP's. On my main corporate WLAN, I would like to allow users to be able to authenticate via Active Directory username and password.I am also looking for as little client side set up as possible. From what I have researched, I will need to use some type of EAP method.
I have come across two methods that appear to be the top contenders.
EAP-FAST - The method seems to be a possibility but I see that it uses certificates. If I use this method, does it mean that I would have to import the certificates to each machine manually? Also, can I configure thsi to work with just the 5508 Controller and an AD Database server or do I need an intermediary like IAS or ACS?
PEAP/GTC - This method is also a possibility and I think that it does not require certificates. Does this also require an intermediary like ACS or IAS.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS Memory Utilization Limit With CSACS 1121

Aug 21, 2012

We have 2 CSACS 1121 with Cisco ACS The primary server manages 20000+ authentications per day. Its memory utilization increases everyday. It is now at 83% , there a limit?,What will happen when memory utilization reach this limit?,What can we do to purge memory utilization? (reboot, service restart.

View 11 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 Configuration With Windows 2003 Active Directory?

Apr 22, 2011

i have installed system (Windows Server 2003) and i have configure Active directory for testing and configure one user under it ( TEST01)now on the same machine i have installed Cisco ACS 4.2.i'm trying to Authenticate (TEST01) using ACS but it's not working, i can't even see the logs under EVENTVIWER.  simple and easy to configure since both AD and ACS is on the same machine.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Change Username In Active Directory Configure In ACS 5.3?

Mar 15, 2012

I need to change the username and password ACS uses to connect to AD.   I do a "clear configuration" and reboot and am unable to join the ACS appliance back into my AD with a different username and password.  I am able to rejoin the ACS machine to the domain using the original username and pass. how to clear all of the AD config off of the appliance and start fresh and use a new account to join AD?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Couldn't Establish Connection With Active Directory

Feb 7, 2012

customer provide quite large network with dot1x deployment - there is dual ACS5.3 servers for authentication Wired, VPN and WiFi access. Users (and computers) are mostly authenticated against Active Directory - there are several AD servers in the network.I found there is tens of cases every day with error message:24401 Could not establish connection with ACS Active Directory agent.This happens in random day and night time regardless on current authentication load. how to diagnose this more deeply? Or where to look for – is it problem with internal communication with AD Agent or is the problem in communication AD agent to AD servers? How is solved redundancy in case one AD server is not accessible – as there is no such setting in the AD connection configuration in ACS.

View 9 Replies View Related

Cisco AAA/Identity/Nac :: Using Active Directory Users To Manage ASA 5510?

Dec 28, 2012

I know that our VPN users currently use Active Directory to authenticate their VPN sessions, so now I'm wondering if there is an easy way to configure my company's Cisco ASA 5510 to use either a Windows Server 2008 R2 Active Directory group (preferred method) or specific Active Directory users (less preferred) and authenticate them for management access (privilege level 15) using their Active Directory credentials. I do not want this to change the IP range used for ASDM/HTTPS/Telnet/SSH access (currently all local networks, no VPN), as those are settings that my company does not want changed.

View 5 Replies View Related

Copyrights 2005-15, All rights reserved