ACS 5 Limit User Simultaneous Logins

Is it possible in ACS 5 to limit the number of devices a person can log into simultaneously? We would not want this to be global as there are other user IDs that need unlimited. Thanks in advance.

In the Max Sessions table, under Sessions available to group, select one of the following options:
• Unlimited - Allows this group an unlimited number of simultaneous sessions. (This action effectively disables Max Sessions.)
• n - Type the maximum number of simultaneous sessions to allow this group.
In the lower portion of the Max Sessions table, under Sessions available to users of this group, select one of the following two options:
• Unlimited - Allows each individual in this group an unlimited number of simultaneous sessions. (This action effectively disables Max Sessions.)
• n - Type the maximum number of simultaneous sessions to allow each user in this group.

Similar Messages

  • How to stop ACS integrated AD users from logging in to AAA clients (network devices)

    I have an ACS 4.2 Appliance which is integrated with Active Directory.
    AD users are able to log in to network devices. Is there any way to stop AD users and other local users from logging in to AAA clients (network devices)?

    These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
    What kind of AAA clients are we talking about? Cisco switches, Cisco WLCs? Switching gear from other companies?
    For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS or TACACS+, respectively):
    aaa group server radius rad_admin
     server xxx.xxx.xxx.xxx
    aaa group server tacacs+ tac_admin
     server xxx.xxx.xxx.xxx
    If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

  • Limit # of simultaneous logins?

    Is it possible (or even practical) to try to do this?
    My client wants *light* security on a series of pages, and would like to have two categories of passwords -
    1. A single user, i.e., no simultaneous logins.
    2. A group user, i.e., multiple simultaneous logins, up to but not beyond, some ceiling.
    With PHP/MySQL is this feasible?
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.dreamweavermx-templates.com - Template Triage!
    http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
    ==================

    I can't speak for the PHP universe, but principles tend to translate so I'll take a shot anyway.
    In ASP, you've got session_onstart and session_onend in your global.asa file. Obviously, if the user does not log out and just closes the browser, the session will remain active until it times out, but session_onend will run regardless of how the session is ended. The session_onstart and session_onend can be used to edit application variables (which are truly global and only fall out of scope when IIS is restarted). The application variable might, for instance, be named after the user ID and contain the number of current active sessions. Session_onstart is set to create or increment; session_onend is used to decrement.
    In the case of a user closing the browser, you'd have a login unavailable until the session timeout is reached. Typically, explaining this to users is good enough and everyone understands that if they make a mistake (or have the computer crash or something), they may need to wait 20 minutes before they're allowed to log in again (assuming you're using the default 20 minute timeout). As long as it's known up front and not a nasty surprise, people are generally understanding.
    I don't think PHP has application variables, but you could do the same with a text file or a database table (with the bonus that a database table can be used to store session ID, login, logout, etc and give you all kinds of history info). The crux of the matter is finding out if a PHP application has the equivalent of a global.asa and/or session_onstart and session_onend event handlers that are handled by the web server and not any particular web page. Sorry I can't be of more help there.
    "Murray *ACE*" <[email protected]> wrote in message news:[email protected]...
    > That was exactly what I told her.
    >
    > So - how would you approach this problem, then? One solution is to monitor simultaneous logins, and that clearly is impractical.
    >
    > How would you enable 'group' access if not this way?
    >
    > --
    > Murray --- ICQ 71997575
    > Adobe Community Expert
    > (If you *MUST* email me, don't LAUGH when you do so!)
    > ==================
    > http://www.dreamweavermx-templates.com - Template Triage!
    > http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    > http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    > http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
    > ==================
    >
    > "Gary White" <[email protected]> wrote in message news:[email protected]...
    >> On Thu, 6 Sep 2007 10:38:10 -0400, "Murray *ACE*" <[email protected]> wrote:
    >>
    >>>With PHP/MySQL is this feasible?
    >>
    >> Not really. Because some users may simply close the browser instead of logging out, you have no reliable method to determine who or how many may still be logged in.
    >>
    >> Gary
    >
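
The counter idea from the reply above, kept in a database table as that reply suggests, is shown here as an added example (not code from any poster in this thread). Python with SQLite stands in for PHP/MySQL, and the `SessionLimiter` class, the table layout and the sample accounts are assumptions for illustration; idle rows are expired by time because a closed browser never sends a logout.

```python
import secrets
import sqlite3
import time

SESSION_TIMEOUT = 20 * 60  # seconds; the 20-minute default the reply mentions


class SessionLimiter:
    """Per-login session ceiling kept in a table (assumed schema)."""

    def __init__(self, timeout=SESSION_TIMEOUT):
        self.timeout = timeout
        # isolation_level=None: transactions are opened explicitly in login().
        self.db = sqlite3.connect(":memory:", isolation_level=None)
        self.db.executescript(
            "CREATE TABLE accounts (login TEXT PRIMARY KEY,"
            " max_sessions INTEGER NOT NULL);"
            "CREATE TABLE sessions (session_id TEXT PRIMARY KEY,"
            " login TEXT NOT NULL, last_seen REAL NOT NULL);"
        )

    def add_account(self, login, max_sessions):
        self.db.execute("INSERT INTO accounts VALUES (?, ?)", (login, max_sessions))

    def active(self, login, now):
        # Stand-in for session_onend: rows idle past the timeout are dropped,
        # which frees the slot of a user who just closed the browser.
        self.db.execute("DELETE FROM sessions WHERE last_seen <= ?",
                        (now - self.timeout,))
        return self.db.execute("SELECT COUNT(*) FROM sessions WHERE login = ?",
                               (login,)).fetchone()[0]

    def login(self, login, now=None):
        """Return a new session id, or None if the ceiling is reached."""
        now = time.time() if now is None else now
        # Count and insert inside one write transaction so two simultaneous
        # logins cannot both slip in under the ceiling.
        self.db.execute("BEGIN IMMEDIATE")
        try:
            row = self.db.execute("SELECT max_sessions FROM accounts WHERE login = ?",
                                  (login,)).fetchone()
            sid = None
            if row is not None and self.active(login, now) < row[0]:
                sid = secrets.token_urlsafe(32)
                self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                                (sid, login, now))
            self.db.execute("COMMIT")
            return sid
        except Exception:
            self.db.execute("ROLLBACK")
            raise

    def touch(self, sid, now=None):
        """Call on every request; False means the session expired or ended."""
        now = time.time() if now is None else now
        cur = self.db.execute(
            "UPDATE sessions SET last_seen = ? WHERE session_id = ? AND last_seen > ?",
            (now, sid, now - self.timeout))
        return cur.rowcount == 1

    def logout(self, sid):
        self.db.execute("DELETE FROM sessions WHERE session_id = ?", (sid,))


def demo():
    lim = SessionLimiter()
    lim.add_account("single_user", 1)  # constructed sample accounts
    lim.add_account("group_user", 3)
    t0 = 1_000_000.0
    first = lim.login("single_user", t0)
    second = lim.login("single_user", t0 + 60)  # refused: first is still live
    later = lim.login("single_user", t0 + SESSION_TIMEOUT + 1)  # stale row gone
    group = [lim.login("group_user", t0) for _ in range(4)]  # 4th is refused
    return first, second, later, group
```
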

  • Multiple Users Simultaneous Login

    Does anyone have a way of simultaneously logging in multiple computers with different usernames and possibly passwords? I have found Unix commands for doing this with a single user account, but not multiple. All machines would be running X.4.9 with ARD 3.1
    Thanks,
    Chuck

    Sorry, but I'm not clear on what it is you're asking regarding "multiple computers with different usernames". Could you please explain further what it is you're trying to accomplish?
    If what you mean is that you want to have some computers logged in with User A and other computers logged in with User B, then you have to do this with separate UNIX commands. But if you want to be able to do this with a single operation, you could set up an Automator workflow so that it executes the separate commands from a single script. If that's not what you mean, please post back and clarify.
    Regards.

  • Limit user login in multiple RODC

    I have 2 RODCs and an RWDC. I prepopulated some passwords on the RODC1 cache database and some on RODC2's. I already read this article: http://www.frickelsoft.net/blog/?p=232
    I want to limit user login across multiple RODCs (for example, user1 cannot log in to the OS in a different RODC).
    So I want to know: is there a way to limit a user to log in just from their RODC cache database, not the RWDC Active Directory? (I want a user in RODC1 to be unable to log in to RODC2. How can I do this?)

    Hi,
    Do you want to restrict users from logging into a client computer that belongs to another site? Or do you want the users to get authenticated only to the RODCs where their credentials are cached?
    If you configured your sites and services properly, the clients will choose the DC that belongs to their own site and subnet. DC locator is the name of the service responsible for assigning a logon DC to the client. If the DCs are in different sites, you can configure the sites and services to point the client to the correct DC in a site. AD authentication is always distributed based on the sites and services you configured.
    You can configure ldapsrv records to authenticate against a specific DC.
    RODCs do not register Domain Name System (DNS) general records (records that are associated with the domain itself and not with a specific site), as read/write domain controllers (RWDCs) do. This is the default behavior of RODCs. Although you can tune an RODC to register DNS general records, we recommend that you not change the default behavior.
    The main impact of RODCs not registering DNS general records is that a client computer cannot find an RODC in its site without reaching an RWDC (that is, a domain controller that registers the general records) if the client computer does not have a record for the name of the site where the client computer is placed.
    Source: Placing Several RODCs in the Same Site
    http://technet.microsoft.com/en-us/library/ee522995(WS.10).aspx
    Domain Controller Locator : an overview
    http://blogs.technet.com/b/arnaud_jumelet/archive/2010/07/05/domain-controller-locator-an-overview.aspx
    LdapSrvWeight & LdapSrvPriority
    http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/How-to-lessen-your-PDC_1920_s-load.aspx 
    http://technet.microsoft.com/en-us/library/cc816793%28WS.10%29.aspx 
    Regards,
    Rafic
    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  • Block simultaneous logins by the same user on wired 802.1x

    Is it possible to block simultaneous logins by the same user, meaning if userX logs in on port gi1/0/1 and after that the same user (userX) tries to log in on a different port, it will be blocked?

    Sorry I did not read your original question correctly. So at the moment, you can only restrict the number of concurrent connections for users that are only going through the web authentication process. If you are using EAP-TLS, PEAP, etc, then there is no method to restrict those users from performing multiple authentications on the network.
    Thank you for rating helpful posts!

  • Restrict simultaneous login to a web dynpro application by the same user

    I have a standalone web dynpro application and used the sap.authentication for users to log in to the application. How can I restrict a user from accessing the application from two different browsers using the same userid?

    Hi,
       You can try the following approach:
    1. Create an outbound plug to some dummy view which shows the message to the user that he/she is already logged in. Let's call this plug "ToMessageView".
    2. In the "wdDoInit" method of the component controller write the following code:
    String loggedInUserID = WDClientUser.getLoggedInClientUser().getClientUserID();
    String[] apps = WDServerState.getActualApplications(loggedInUserID);
    // All entries of apps will look like <application-name>/<application-id>
    boolean isRunningParallely = false;
    for (String app : apps) {
        // Compare the <application-name> part with this application's name
        if (app.split("/")[0].equals(wdComponentAPI.getApplication().getName())) {
            isRunningParallely = true;
            break;
        }
    }
    if (isRunningParallely) {
        // fire the plug to message view here
    }
    FYI, I haven't tested this but do try it out.
    Regards,
    Satyajit

  • Simultaneous Logins in VPN Concentrator

    Hi,
    The documents indicate that the 'Simultaneous Logins' applies for a single 'Internal User' .
    I have configured a User Group that utilises RADIUS as an authentication method. Was wondering whether the simultaneous login can be applied as well.
    So what I'm trying to do here is let users authenticate via RADIUS. I want to limit to only 1 session per UserID at a time.
    Any ideas ?
    If it cannot be done , what are the workarounds available ?

    There seems to be conflicting documentation regarding the function 'Simultaneous Login'
    In the main documentation
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1f0.html
    It says Number of Simultaneous Login for a single User
    In the TAC KB
    http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K80154467
    It seems like they are referring to number of simultaneous connection within that group.
    So which is it ?

  • WebAuth - Can one username/pwd be used by multiple users simultaneously?

    Is it possible to setup web authentication so that many users can share the same username/password?
    (Now before you tell me why this is bad and all that - I already know!)
    This is specifically for an application where the customer has hundreds of guest users coming in to a conference center each day and they want to be able to provide Internet-only access using the WLAN.
    They wish to restrict access to legitimate guest users only and wish to confirm user legitimacy with a simple username/password challenge to prevent unauthorized access to the WLAN.
    In an effort to reduce the effort to setup each separate guest user login for hundreds of users, the customer wants to setup only one username/password-of-the-week and have all legitimate guest users use that login info.
    So... my questions are:
    Will the WLAN user get an error if more than one user attempts to login to the WLAN using web authentication at the same time?
    If so, is there a setting that would permit multiple simultaneous login using the same username/password?
    Thanks,
    John

    Set the number of simultaneous logins to 0. My clients have done this and have not experienced any issues.

  • Find out how many remote users are login in to my system.

    Hi
    I just want to know how many remote users are logged in to my system, and their information.
    How can I restrict them? How do I limit the remote connections?
    How many FTP users are connected to my system?
    Can anyone send me documents which contain brief information about these questions?

    Use the rusers and finger commands to check the users who are logged in remotely.
    For limiting the access of users you need to create $HOME/hosts.equiv and $HOME/.rhosts, making entries for those users whom you want to allow.

  • How to limit number of logins per day?

    We have a custom web application (WebAS 6.20) used by people and automated systems. Each user has his own login, and some of these automated systems sometimes produce heavy load because they log into system too often.
    Is there an easy way to:
    1) limit number of logins to, say, 1000 per day and when this limit is reached - do not allow this user to login till midnight
    OR
    2) dedicate one of the processes to the specific user
    thanks in advance

    Extend the PlainDocument class to restrict the number of characters per line.
    Set this class as the model for the TextArea.
    Below is a class which does this. Maybe it's useful.
    import javax.swing.*;
    import javax.swing.text.*;
    import java.awt.*;

    public class FixedNumericDocument extends PlainDocument {
        private int maxLength = 9999;
        private String max = "";

        public FixedNumericDocument(int maxLength) {
            super();
            this.maxLength = maxLength;
        }

        // This is where we'll control all input to our document.
        // If the text that is being entered passes our criteria, then we'll just call
        // super.insertString(...)
        public void insertString(int offset, String str, AttributeSet attr)
                throws BadLocationException {
            if (getLength() + str.length() > maxLength) {
                return;
            } else {
                try {
                    // check if str is numeric only
                    int value = Integer.parseInt(str);
                    // if we get here then str contains only numbers
                    // chk if it is less than 65535 so that it can be inserted
                    super.insertString(offset, str, attr);
                } catch (NumberFormatException exp) {
                    return;
                }
            }
            return;
        }
    }

  • Limit user session in ADF security

    I want a single user to work in the web application with only a single session at any time. How can I limit user sessions?

    Hi,
    +1. How can I override ADF security (based on JAAS) credentials checking mechanism j_security_check ?+
    Why do you want to override this?
    +2. How can I store users log-in log-out information in database? Which classess and which methods must be overriden? Can you show code sample of your realisation, please?+
    Authentication is not handled by ADF but WebLogic Server. If you want to track database login information you will need to write a custom JAAS Login Module and configure it as an authentication provider in WLS
    How can I check if user closed browser?
    I would use a temporary cookie with no lifetime. This way, when the browser is closed, the cookie is unavailable, indicating that the user is good to log in again. However, this then allows users to start 2 sessions using different browsers (again something you would need to check)
    Frank

  • Why does more users can login as sysdba than specified in password file

    I have multiple databases using the same password file, which has five entries for sysdba, but I have more than five users who have the sysdba right and all of them can simultaneously log in as sysdba. Can anyone explain why?

    How do your users connect ? You may have any number of users connected locally as sysdba. Local connections are authenticated by OS, no password file is used.
    Moreover, the five entries of password file have to be intended as DISTINCT users, but you may have a much higher number of connections.

  • Not allow simultaneous login on managed computers using Profile Manager

    Does anyone know how to not allow simultaneous login on managed computers using Profile Manager instead of Workgroup Manager?
    Thanks in advance

    Hi Folks
    First - thanks for your help.
    Closing this out - here is what I learned:
    1) Needed to ensure my server was Kerberised and that Kerberos was running correctly
    2) Local users have precedence over network so I need to ensure I don't use the same short name. While using the "id" command you may be able to see the network user ID, the local of the same name appears to take precedence.
    3) Using the "kinit" command is useful for confirming Kerberos is working correctly
    4) Home directories created - had already done this but what finally got this working was stopping and restarting AFP Service.
    So was able to successfully login to Mac Client using OD username and password - it mounted the network home share just fine on the client, loaded preferences etc.
    Now on to create network users with Mobile Accounts for my laptop users - wish me luck
