Aaa network access limit user session

Hi, I'd like to limit a user to one authenticated session in AAA network access, with ASA and ACS.
Is TACACS+ accounting necessary?
Thank you in advance,
RS

I have never done it with Cisco ACS so I cannot offer much support on this.
However, I've done it many times on Cisco Freeware TACACS+ and it is very easy.
1- In Cisco Freeware TACACS+, include "max-session = 1" under either the user
profile or group file definition.
2- On the router itself, you need to enable "ip finger". This will allow the
TACACS+ server to query the router every time there is a new login attempt.
If you already have a session to the router, the TACACS+ server will see this and
reject a new session for that same user. If the login ID is different than what
is already connected to the router, it will then be accepted:
C7140#who
Line User Host(s) Idle Location
0 con 0 idle 11w2d
* 2 vty 0 cciesec idle 00:00:00 192.168.15.9
Interface User Mode Idle Peer Address
C7140#
Now if user "cciesec" tries to log in again through another session, it will
be rejected by the TACACS+ server:
[root@LinuxES-lab1 root]# finger @192.168.15.1
Line User Host(s) Idle Location
0 con 0 idle 11w2d
2 vty 0 cciesec idle 00:04:00 192.168.15.9
* 3 vty 1 idle 00:00:00 192.168.128.100
Interface User Mode Idle Peer Address
[root@LinuxES-lab1 root]#
Easy right?

Similar Messages

  • Limit user session in ADF security

    I want single user work in web application only with a single session at any time. How can I limit user sessions?

    Hi,
    1. How can I override the ADF security (based on JAAS) credentials checking mechanism j_security_check?
    Why do you want to override this?
    2. How can I store users' log-in/log-out information in a database? Which classes and which methods must be overridden? Can you show a code sample of your realisation, please?
    Authentication is not handled by ADF but WebLogic Server. If you want to track database login information you will need to write a custom JAAS Login Module and configure it as an authentication provider in WLS
    How can I check if user closed browser?
    I would use a temporary cookie with no lifetime. This way, when the browser is closed, the cookie is unavailable, indicating that the user is good to login again. However, this then allows users to start 2 sessions using different browsers (again something you would need to check)
    Frank

  • CISCO ACS, How to Limit User Session ?

    Hi Guys,
    hope you would help me,
    how to limit the user session in ACS 5.x?
    I'm aware of the menu at
    Access Policies > Max User Session Policy > Max Session Group Settings
    I already set the global value to 1, Max Session for User in Group to 1, and Max Session for Group to 1.
    So it means the user could only open 1 connection at the same time, right?
    The problem: it didn't work.
    I have 1 ACS 5.5
    2 Cisco devices running Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3)
    (let's call them R1 and R2)
    I'm trying to telnet to both of them at the same time, and it works (it means the session limit didn't work, cmiiw).
    I already included:
    radius-server attribute 44 include-in-access-req
    radius-server host 192.168.217.98 auth-port 1645 acct-port 1646 key somekey
    on the line vty:
     accounting connection acs
     login authentication acs
    Am I missing something?
    Also, does this feature work on TACACS+ too?
    Thanks,

    Dash,
    You can leverage the group mapping feature where members of a certain AD group are mapped to a local group in ACS with the max sessions defined.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-3/user/guide/acsuserguide/access_policies.html#pgfId-1162308
    Thanks,
    Tarik Admani

  • Controlling network access for user accounts

    Can anyone suggest a way to control airport access to a wireless network?
    I have an iMac G4 with AirPort running Tiger that I'd like to set up for a young teen to practice doing some video editing. I'd like to have network access disabled under normal circumstances, but be able to enable it easily during times when there is supervision.
    Ideally, I'd like to have the airport icon in the menubar and select a network to join causing a prompt for an administrator password. I can't seem to get anywhere close to that. Any help would be appreciated.
    Thanks.

    Thank you for your quick response.
    5. Click the checkbox under Require Administrator password to:
    The two choices I have are:
    - when changing networks
    - when creating a computer-to-computer network
    The first almost gets me what I want, there are two problems with this as I see it.
    1. when the computer comes up and automatically logs in, the user is greeted by authentication dialogs. (AirPort trying to connect?) I'd like to configure AirPort not to automatically try to connect and therefore not produce these dialogs.
    2. once approved, the network stays approved until the next reboot. I'd like to not be forced to reboot just to "lock down" the network again.
    Any help on those two points?

  • Aaa network access restrictions with secure authen (asa device)

    Hi all,
    I've been reading a lot about how to configure the cut-through proxy to allow certain network traffic only after being authenticated. The procedures seem pretty straightforward when using plain telnet or ftp (works pretty well).
    However, doing so securely seems to be a bit more "fuzzy".
    I don't like the idea of authenticating users over clear-text telnet or ftp, and https has its own issues (weird timeouts that I can't seem to figure out).
    Is it not possible to simply log in to the ASA (or whatever) device securely (ssh?), to authenticate and authorize other network traffic?
    I see people talking about ssh not being proxy-able. I do not want to "proxy" the ssh connection, I just want to tell the ASA:
    "Hey, this is me, allow me this (ACL) traffic when I'm coming from this IP address, for X minutes or until I log off again. Please."
    Sounds simple to me. :-)
    Perhaps I'm looking at the wrong thing? Perhaps I do not need the cut-through proxy for this?
    I've been looking at articles like this:
    https://supportforums.cisco.com/docs/DOC-14842
    And some of Cisco's ASA AAA articles, like this:
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html
    They all pretty much seem to do what I want, except that they seem to want to "proxy" my traffic for some reason, and authenticate me in clear text.
    Do I have any other options? Like logging on directly to the device to do the authentication?
    Using fixed or named access lists or even downloadable access lists doesn't really matter, I would just like a secure way of activating those access lists.
    I'm currently investigating my options, like using a VPN client or scripting some ACL injection, but that just sounds so disturbing.
    Thanks a lot.
    /Sune T.


  • Access to Users Session data in a Filter

    Is there a way to get access to a user's session data inside a Servlet Filter? I see you have access to the Servlet Context, but that doesn't include the getSession() function. How would I do this?
    Thanks

    It's pretty straightforward to get the session from a filter:
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(true); // true creates a session if none exists yet
        chain.doFilter(request, response);          // let the request continue down the chain
    }

  • Network Access Manager - Service (Secure Mobility Client)

    We are currently working on Deploying the Secure Mobility Client.
    1. We are looking at the ability to stop the Network Access Manager without Admin rights. According to the Cisco Documentation on this:
    "Stopping and Starting the Network Access Manager"
    Users with local administrator privileges can start and stop the Network Access Manager. Users without local administrator privileges cannot start and stop the Network Access Manager without using the service password defined in the Authentication panel of the profile editor.
    Question: I am unable to find the said option in the Authentication panel in the profile editor
    2. Since we will be using NAM for all of our computers, and since some users will not be using the VPN, we will need to push out profiles to the users (This is easy, however we are concerned about updates and getting those pushed). A colleague shared that he heard at Cisco Live 2011 that there is an option in NAM to update its profiles by connecting to the VPN headend without actually authenticating and logging into the VPN.
    I know if a user connects to the VPN Headend we can update the profiles on NAM/VPN etc... however without them connecting I'm not sure if there is any way to do so?

    Hi Alwin,
    There is nothing to be done with your AnyConnect client. If needed, changes need to be done at the VPN FW/Router where your AnyConnect connection is established. Here I guess your corporate office is having this VPN server.
    They have configured it as tunnel-all mode, meaning all traffic will be taken through the VPN. See from your output that the preferred default route is pointed to 192.168.0.101, which is a VPN gateway.
    If needed, the AnyConnect VPN configuration needs to be changed from tunnel-all to split-tunnel.
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.101 20
    0.0.0.0 0.0.0.0 146.236.12.1 146.236.12.73 2
    Regards
    Karthik

  • Maximum Number of Concurrent User Sessions Limit?

    Please can you tell me if there is a limit for the maximum number of concurrent user sessions that can access the Portal? If so, where is the setting and how do I change it?
    By the way, I am not experiencing any issues; I am asking purely for information purposes
    Thanks.

    There used to be under one of the services in service configuration. I thought it was under portal runtime, but I can't see it now. It mentioned it in the TZTEP1 course, but I haven't got it with me.
    Having said that, I don't know if it worked!
    Paul

  • HR User, REST example - network access denied by access control list (ACL)

    Hi,
    I am new to APEX and am running the 'Oracle Developer Days' vm. I'm logged into APEX as the default HR/oracle account and I've been following the 'Creating and Using a RESTful Web Service in Application Express 4.2' training video, however when I try to retrieve information by entering a dept no. and clicking submit I get:
    ORA-29273: HTTP request failed ORA-06512: at "SYS.UTL_HTTP", line 1130 ORA-24247: network access denied by access control list (ACL)
    I've seen the following thread:
    ORA-24247: network access denied by access control list (ACL)error-UTL_HTTP
    and I've tried running the command:
    GRANT EXECUTE ON SYS.UTL_HTTP TO HR;
    but I'm not getting anywhere, presumably the HR user does not have permissions to access 'http://localhost:8888/apex/hr/employee_test'
    Any help much appreciated, also if this is the wrong forum for this question please let me know.
    Many Thanks

    Hi,
    Thank you for the link; I executed the first block of code to 'grant connect privileges to any host for the APEX_040200 database user' that did not work so I changed the user to HR within the code and re-executed and that seems to have done the trick. I guess the HR user is now in the power_users list/group?
    Thanks again!

  • Can you limit the amount of data accessed per user on an AirPort Extreme?

    Can you limit the amount of data accessed per user on an AirPort Extreme?

    Your question was whether the AirPort Extreme is able to establish data limits per user.
    If you add another router that has this type of capability or install software on another router, then you will be able to establish data limits for each user. The AirPort Extreme will have no control over this.

  • ACS User Group Network Access Restrictions

    Hi to all,
    We have a problem trying to restrict the access for users to an access point: All users in any group can access the access point, although the group has a network restriction which restricts this access.
    We have other restrictions which work perfectly. So we are beginning to think that this must be a problem in the access point (Cisco Aironet 1100)...
    Thanks in advance,
    Coloma Crespí

    Hi Andrew,
    Thanks a lot for your reply. I was really worried about this problem, I had tried everything to solve it and nothing worked...
    Regarding what you say, the network access restrictions we have created are the generic ones. I don't have the option to choose between a dialup or telnet restriction. Where is it? Can you give more detailed information, please?
    Thanks in advance,
    Coloma Crespí

  • SA520 web access problem, all admin users sessions appears active when it is not true

    Hi, all the users for the management access to my SA520 are blocked via web; all the admin user sessions apparently seem active, and when I click on the "continue" button these sessions do not terminate. I guess I have to reset the firewall, but my question is if anybody has the same problem with this device.

    Hi Luis,
    What firmware version are you running? How frequent do you see this occurrence?
    If possible, when you start to see this issue before all the admin sessions are reporting active, can you provide us the debug logs from your SA 520 so that I can forward to the development team to investigate? We are tracking an issue with a customer, but his device takes 3-4 months to show the symptoms you describe.
    To get the dbglog from SA520, login through web UI and in the browser enter the following URL:
    https://LAN_IP_address_of_SA520/scgi-bin/dbglog.cgi
    These logs will store password, so please remove any sensitive information and passwords. Also if you are not comfortable posting the dbglog on the community, you can send it directly to me through private message.
    Best regards,
    Julio

  • Network Connection Properties Access Standard Users

    Hi All,
    I know this is an old issue but I just cannot get it going. I've read a couple of forum posts but I don't know whether I am still doing it correctly.
    I am trying to allow domain users to change their network connection properties to allow changing IP addresses, as it is slightly different between our 2 offices locally.
    So I have added the users into the Network Configuration Operators group and also I have disabled the UAC as
    follows

    Hello again,
    Is NetworkOP a Security group?
    Also have you checked the client's PC and verify if the following group is added in Network Operators group?
    Do you see any errors in RSOP.msc when you try to see the applied policy?
    Please try to logon with different users in NetworkOp group and check if they have access or not?
    Do you have any other policy related to prevent access to network properties?
    User configuration \ Administrative templates \ Network \ Network Connection is a case in point.
    Another step is to make sure the Network Operators group itself is operational, so please create a user locally (Not Administrator) and add it to the Built in Network Operators group and see if they have access to properties.
    Regards.
    Mahdi Tehrani Loves Powershell

  • Network Access Module and Switching Users

    We are working on implementing 802.1x and plan to use AnyConnect NAM on the PCs. However, I’ve run into a problem where we have a few multi-user machines for employees who work in multiple locations throughout the day. It’s not uncommon for someone to lock the PC they are working on and walk away. Prior to NAM, a second user could come along and log in as themselves, leaving the initial user logged in. However, I’ve found that once NAM has been installed this user switching feature is disabled. This is understandable, as the initial user technically hasn’t logged out, so the port is still authenticated with their credentials, and we wouldn’t want to accidently break a connection stream just to reauthenticate the second user.
    I have spent quite a bit of time going through these forums and white papers trying to find an alternative solution for this situation, but haven’t had much luck. Does anyone have any suggestions on how I could proceed on this?

    wireman wrote:
    I run Access Connections 4.42 as default for configuring network access on a T61 with XP SP2. When two users are logged in Access Connections fails with: Access Connections is being used by another user.
    A lurker reviewed this and sent back this message:
    "Fast User Switching.  Since the first user doesn't actually log off, any attempt to use Access Connections by the second user will result in the alert referenced in the post.  It's working as designed."
    Jane

  • Implementing max user sessions settings for TACACS with ACS 5.3

    I'm a little confused about the configuration of max user sessions for device administration with TACACS.
    When I've changed the configuration of unlimited sessions for a value in Access Policies > Max User Session Policy > Max Session User Settings
    I think this value could limit the maximum number of sessions for each user, but instead this value limits, in a global meaning, all of my sessions.
    For example: I need to limit the sessions for my users to 2.
    user1 = Max 2 sessions
    user2 = Max 2 sessions
    user3 = Max 2 sessions
    When I put the value of 2 in Max Session User Settings:
    user1 + user2 + user3 = Max 2 sessions
    Is this a limitation of ACS 5.3, or does my configuration need something additional?

    Luis,
    Are you saying that when you authenticate with user1 and user2 that user3 isn't able to get access?
    Do you have tacacs accounting enabled on the network access device?
    Also what do you have configured for the group settings? If there is a maximum group setting and all the users are a member of the same group then the lesser of the two will be enforced. So if the group max sessions is set to 1 then all users in that group will have a max session of 1.
    Here is some reference material.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/access_policies.html#wp1162177
    Thanks,
    Tarik Admani

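Both the freeware TACACS+ answer at the top of this page (max-session = 1, enforced by fingering the router before a new login is accepted) and the ACS 5.3 thread just above (a per-user limit next to a per-group limit, where the stricter one wins) come down to the same check: count the sessions a user already holds on the device and refuse the new one once a limit is reached. The Python below is an added example, not code from either thread or from Cisco. It parses output in the shape of the `who` / finger listing shown above and applies both kinds of limit. The sample listings, user names and group membership are constructed; the column heuristic (the Idle column is found by its time format) is an assumption about this particular layout; and the group model (a cap on the group's combined sessions) is a simplification of the ACS settings, not ACS's actual implementation.

```python
"""Max-session check driven by a 'who' / finger listing.

Added example, not code from the forum threads or from Cisco. It models the
check a TACACS+ server performs when max-session is set: finger the router,
count the lines each user already holds, and refuse a login that would exceed
the per-user limit or (ACS-style) the limit for the user's group.
"""
import re
from collections import Counter

# Constructed sample in the shape of the IOS 'who' / finger output above:
# cciesec is on vty 0, the '*' marks the line the new attempt arrived on (no
# user authenticated yet), and the console line carries no user at all.
SAMPLE_WHO = """\
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 11w2d
   2 vty 0     cciesec    idle                 00:04:00 192.168.15.9
*  3 vty 1                idle                 00:00:00 192.168.128.100
  Interface    User               Mode         Idle     Peer Address
"""

# Constructed: two members of a group already logged in, a third attempting.
SAMPLE_WHO_GROUP = """\
    Line       User       Host(s)              Idle       Location
   2 vty 0     user1      idle                 00:01:00 192.168.15.10
   3 vty 1     user2      idle                 00:02:00 192.168.15.11
*  4 vty 2                idle                 00:00:00 192.168.15.12
"""

# A line entry: optional '*', line number, line type, tty number, then the
# User / Host(s) / Idle / Location columns, which are only whitespace separated.
LINE_RE = re.compile(r"^(\*)?\s*(\d+)\s+(con|vty|aux|tty)\s+(\d+)\s+(.*)$")
# Assumption about the layout: the Idle column is the first token that looks
# like a time (hh:mm:ss or an uptime such as 11w2d / 3d04h).
IDLE_RE = re.compile(r"^(?:\d+:\d{2}:\d{2}|\d+w\d+d|\d+d\d+h)$")


def parse_sessions(who_output):
    """Return one dict per line entry: line, type, user (None if nobody is
    authenticated on it yet), current (the '*' line) and location."""
    sessions = []
    for raw in who_output.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # column headers, blank lines, the Interface block
        star, line_no, kind, _tty, tail = m.groups()
        tokens = tail.split()
        idle_idx = next((i for i, t in enumerate(tokens) if IDLE_RE.match(t)), None)
        if idle_idx is None:
            continue  # not a line entry we understand; skip rather than guess
        before = tokens[:idle_idx]  # [user, host] when someone is logged in, else [host]
        user = before[0] if len(before) == 2 else None
        sessions.append({
            "line": int(line_no),
            "type": kind,
            "user": user,
            "current": star == "*",
            "location": " ".join(tokens[idle_idx + 1:]) or None,
        })
    return sessions


def count_sessions(sessions):
    """Authenticated sessions per user. Lines with no user (the console, a
    login still in progress) are not counted against anyone."""
    return Counter(s["user"] for s in sessions if s["user"])


def login_allowed(user, sessions, max_per_user=1, group_members=None, max_per_group=None):
    """Decide a new login for `user` given the sessions already on the device.

    Rejects when the user already holds max_per_user lines, or when the group
    as a whole already holds max_per_group lines (group_members is the set of
    logins in that group). None means unlimited. Returns (allowed, reason)."""
    counts = count_sessions(sessions)
    if max_per_user is not None and counts[user] >= max_per_user:
        return False, f"{user} already has {counts[user]} session(s), limit {max_per_user}"
    if group_members is not None and max_per_group is not None:
        group_total = sum(counts[m] for m in group_members)
        if group_total >= max_per_group:
            return False, f"group already has {group_total} session(s), limit {max_per_group}"
    return True, "accepted"


if __name__ == "__main__":
    active = parse_sessions(SAMPLE_WHO)
    print(login_allowed("cciesec", active))      # second session for cciesec: refused
    print(login_allowed("otheruser", active))    # different login ID: accepted
    group = {"user1", "user2", "user3"}
    active = parse_sessions(SAMPLE_WHO_GROUP)
    # a per-user limit of 2 would admit user3, but the group limit of 2 is already met
    print(login_allowed("user3", active, max_per_user=2, group_members=group, max_per_group=2))
```

The `*` line is deliberately not counted: in the finger output above it is the attempt being evaluated, with no user bound to it yet, so counting it would reject every first login. Accounting on the device is a separate, cumulative record; this check only sees what the device reports as connected right now, which is exactly why the freeware answer pairs max-session with `ip finger`.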