CISCO ACS, How to Limit User Session ?

Similar Messages

• Cisco ACS - HOW ARE INTERNAL USER'S RESTRICTED IN THEIR ACCESS TO RESOURCES

  Does anyone have any insight into this process. Please advise.

  Hi Eduardoaliaga,
  I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domian prefix. However, my side is using the PEAP MsChapv2 as the authentication protocol and I believe that the TLS tunnel is prevent the ACS from stripping the domain prefix/sufix. Thus, I have also posted another discussion on the issue of when the authentication protocol of PEAP MsChapv2 is used, ACS is not able to strip the domain prefix/sufix. Thus, would you be also able to advice on if that is correct. Please refer to the links below.
  1) https://supportforums.cisco.com/thread/2061835
  2) http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1031191
  3) https://supportforums.cisco.com/message/3581951#3581951
  Thks and Rgds

• Limit user session in ADF security

  I want single user work in web application only with a single session at any time. How can I limit user sessions?

  Hi,
  +1. How can I override ADF security (based on JAAS) credentials checking mechanism j_security_check ?+
  Why do you want to override this?
  +2. How can I store users log-in log-out information in database? Which classess and which methods must be overriden? Can you show code sample of your realisation, please?+
  Authentication is not handled by ADF but WebLogic Server. If you want to track database login information you will need to write a custom JAAS Login Module and configure it as an authentication provider in WLS
  How can I check if user closed browser?
  I would use a temporary cookie with no lifetime. This way, when the browser is closed, the cokie is unavailable, indicating that the user is good to login again. However, this then allows users to start 2 sessions using different browsers (again something you would need to check)
  Frank

• How to Handle user Session in JSP

  Help me,
  How to handle user session in JSP.......

  Prakash_Pune wrote:
  tell me some Debugging tech. so i can overcome from my problem.....Do you use an IDE? Any IDE ships with a decent debugger where in you can just execute the code step by step, explore the current variable values and check what exactly is happening. For example Eclipse or IntelliJ. If you don´t use an IDE, then just place some System.out.println() or Logger.debug() statements at strategic locations printing the variables of relevance so that you can track in logs what exactly is happening.
  or tell any other way to find is my page is thread safe or not...Just write correct code and narrow the scope of the variables as much as possible. If you for example assigned the user object to a static variable or as a servlet´s instance variable, then exactly the same user object would be used everywhere in the application. That kind of logical things.

• Aaa network access limit user session

  Hi, I'd like to limit a user to one authenticated session in aaa network access, with ASA and ACS.
  Is tacacs+ accounting necessary ?
  thank you in advance
  RS

  I have never done it with Cisco ACS so I can not offer much support on this.
  However, I've done it many times on Cisco Freeware TACACS+ and it is very easy.
  1- in Cisco Freeware tacacs, include "max-session = 1" under either the user
  profile or group file definition.
  2- in the router itself, you need to enable "ip finger". This will allow the
  TACACS+ server to querry the router everytime there is a new attempt to loggin.
  If you already have a session to the router, TACACS+ server will see this and
  reject a new session for that same user. If the login ID is different than what
  is already connected to the router, it will then be accepted:
  C7140#who
  Line User Host(s) Idle Location
  0 con 0 idle 11w2d
  * 2 vty 0 cciesec idle 00:00:00 192.168.15.9
  Interface User Mode Idle Peer Address
  C7140#
  Now if user "cciesec" tries to login again through another session, it will
  be rejected by the TACACS server:
  [root@LinuxES-lab1 root]# finger @192.168.15.1
  Line User Host(s) Idle Location
  0 con 0 idle 11w2d
  2 vty 0 cciesec idle 00:04:00 192.168.15.9
  * 3 vty 1 idle 00:00:00 192.168.128.100
  Interface User Mode Idle Peer Address
  [root@LinuxES-lab1 root]#
  Easy right?

• How to check user/session generating a lot of archivelogs?

  Hi,
  On a 10g database, How do i look for the user/session that is generating a lot of archivelogs?
  thanks in advance,

  For currently connected sessions, you could query V$SESSTAT (joining to V$STATNAME). Thus,
  select s.sid, s.value
  from v$sesstat s, v$statname n
  where s.statistic#=n.statistic#
  and n.name = 'redo size'
  order by 2
  /However, there are a few complications :
  1. Persistent Sessions will show up with very high statistics, simply because they haven't disconnected. Many applications maintain Persistent Sessions for either of
  a. Monitoring and Running User Submitted or ScheduleD Jobs (eg in Oracle EBusiness Suite or Peoplesoft)
  b. Connection Pooling
  2. Sessions that have already disconnected will not appear in your report.
  Therefore, you'd have to "sample" sessions frequently and find the incremental redo size. Then, another complication hits you :
  c. Oracle reuses Session IDs. Once a session disconnects, another connecting session may get the same SID. It wouldn't get the same SERIAL# immediately so you might want to use a combination of SID+SERIAL# from V$SESSION as your key (you'd have to add V$SESSION into your monitoring query) Even then, I wouldn't guarantee that the pair wouldn't repeat after some time, particularly with instance restarts.
  You'd be better of using AUDSID from V$SESSION as that value is incremented (and not reused) by session auditing.

• How to check users session

  hi,
  I need to check user session like how much cpu a particular user consuming, user's session time and what activity he is doing(i.e. how many sql statement worked on and currently working).

  The below query will give you details on :
  SID/Serial, Foreground, Shadow, OS User, Ora User, User Module, Status Flags, Tran Active, Login Time, Last Call, Lock/Latch, Latch Spin, Current SQL stmt, Previous SQL stmt, Session Waits, WAITED Locks.
  set serveroutput on size 50000
  set echo off feed off veri off
  accept 1 prompt 'Enter Unix process id: '
  DECLARE
    v_sid number;
    s sys.v_$session%ROWTYPE;
    p sys.v_$process%ROWTYPE;
  BEGIN
    begin
      select sid into v_sid
      from   sys.v_$process p, sys.v_$session s
      where  p.addr     = s.paddr
        and  (p.spid    = &&1
         or   s.process = '&&1');
    exception
      when no_data_found then
        dbms_output.put_line('Unable to find process id &&1!!!');
        return;
      when others then
        dbms_output.put_line(sqlerrm);
        return;
    end;
    select * into s from sys.v_$session where sid  = v_sid;
    select * into p from sys.v_$process where addr = s.paddr;
    dbms_output.put_line('=====================================================================');
    dbms_output.put_line('SID/Serial  : '|| s.sid||','||s.serial#);
    dbms_output.put_line('Foreground  : '|| 'PID: '||s.process||' - '||s.program);
    dbms_output.put_line('Shadow      : '|| 'PID: '||p.spid||' - '||p.program);
    dbms_output.put_line('Terminal    : '|| s.terminal || '/ ' || p.terminal);
    dbms_output.put_line('OS User     : '|| s.osuser||' on '||s.machine);
    dbms_output.put_line('Ora User    : '|| s.username);
    dbms_output.put_line('User Module : '|| s.module);
    dbms_output.put_line('Status Flags: '|| s.status||' '||s.server||' '||s.type);
    dbms_output.put_line('Tran Active : '|| nvl(s.taddr, 'NONE'));
    dbms_output.put_line('Login Time  : '|| to_char(s.logon_time, 'Dy HH24:MI:SS'));
    dbms_output.put_line('Last Call   : '|| to_char(sysdate-(s.last_call_et/60/60/24), 'Dy HH24:MI:SS') || ' - ' || to_char(s.last_call_et/60, '990.0') || ' min');
    dbms_output.put_line('Lock/ Latch : '|| nvl(s.lockwait, 'NONE')||'/ '||nvl(p.latchwait, 'NONE'));
    dbms_output.put_line('Latch Spin  : '|| nvl(p.latchspin, 'NONE'));
    dbms_output.put_line('Current SQL statement:');
    for c1 in ( select * from sys.v_$sqltext
                where HASH_VALUE = s.sql_hash_value order by piece) loop
      dbms_output.put_line(chr(9)||c1.sql_text);
    end loop;
    dbms_output.put_line('Previous SQL statement:');
    for c1 in ( select * from sys.v_$sqltext
                where HASH_VALUE = s.prev_hash_value order by piece) loop
      dbms_output.put_line(chr(9)||c1.sql_text);
    end loop;
    dbms_output.put_line('Session Waits:');
    for c1 in ( select * from sys.v_$session_wait where sid = s.sid) loop
      dbms_output.put_line(chr(9)||c1.state||': '||c1.event);
    end loop;
  --  dbms_output.put_line('Connect Info:');
  --  for c1 in ( select * from sys.v_$session_connect_info where sid = s.sid) loop
  --    dbms_output.put_line(chr(9)||': '||c1.network_service_banner);
  --  end loop;
    dbms_output.put_line('Locks:');
    for c1 in ( select /*+ ordered */
            decode(l.type,
            -- Long locks
                        'TM', 'DML/DATA ENQ',   'TX', 'TRANSAC ENQ',
                        'UL', 'PLS USR LOCK',
            -- Short locks
                        'BL', 'BUF HASH TBL',  'CF', 'CONTROL FILE',
                        'CI', 'CROSS INST F',  'DF', 'DATA FILE   ',
                        'CU', 'CURSOR BIND ',
                        'DL', 'DIRECT LOAD ',  'DM', 'MOUNT/STRTUP',
                        'DR', 'RECO LOCK   ',  'DX', 'DISTRIB TRAN',
                        'FS', 'FILE SET    ',  'IN', 'INSTANCE NUM',
                        'FI', 'SGA OPN FILE',
                        'IR', 'INSTCE RECVR',  'IS', 'GET STATE   ',
                        'IV', 'LIBCACHE INV',  'KK', 'LOG SW KICK ',
                        'LS', 'LOG SWITCH  ',
                        'MM', 'MOUNT DEF   ',  'MR', 'MEDIA RECVRY',
                        'PF', 'PWFILE ENQ  ',  'PR', 'PROCESS STRT',
                        'RT', 'REDO THREAD ',  'SC', 'SCN ENQ     ',
                        'RW', 'ROW WAIT    ',
                        'SM', 'SMON LOCK   ',  'SN', 'SEQNO INSTCE',
                        'SQ', 'SEQNO ENQ   ',  'ST', 'SPACE TRANSC',
                        'SV', 'SEQNO VALUE ',  'TA', 'GENERIC ENQ ',
                        'TD', 'DLL ENQ     ',  'TE', 'EXTEND SEG  ',
                        'TS', 'TEMP SEGMENT',  'TT', 'TEMP TABLE  ',
                        'UN', 'USER NAME   ',  'WL', 'WRITE REDO  ',
                        'TYPE='||l.type) type,
         decode(l.lmode, 0, 'NONE', 1, 'NULL', 2, 'RS', 3, 'RX',
                         4, 'S',    5, 'RSX',  6, 'X',
                         to_char(l.lmode) ) lmode,
         decode(l.request, 0, 'NONE', 1, 'NULL', 2, 'RS', 3, 'RX',
                           4, 'S', 5, 'RSX', 6, 'X',
                           to_char(l.request) ) lrequest,
         decode(l.type, 'MR', o.name,
                        'TD', o.name,
                        'TM', o.name,
                        'RW', 'FILE#='||substr(l.id1,1,3)||
                              ' BLOCK#='||substr(l.id1,4,5)||' ROW='||l.id2,
                        'TX', 'RS+SLOT#'||l.id1||' WRP#'||l.id2,
                        'WL', 'REDO LOG FILE#='||l.id1,
                        'RT', 'THREAD='||l.id1,
                        'TS', decode(l.id2, 0, 'ENQUEUE', 'NEW BLOCK ALLOCATION'),
                        'ID1='||l.id1||' ID2='||l.id2) objname
         from  sys.v_$lock l, sys.obj$ o
         where sid   = s.sid
           and l.id1 = o.obj#(+) ) loop
      dbms_output.put_line(chr(9)||c1.type||' H: '||c1.lmode||' R: '||c1.lrequest||' - '||c1.objname);
    end loop;
    dbms_output.put_line('=====================================================================');
  END;
  undef 1
  set feedback on;
  set veri on;

• How to know user session time

  Hi,
  I want to know how to know or calculate the user session time till now from the time when user got connected
  in simple current_time-begin_time.
  thanks in advance

  Try using the logon_time of v$session
  test@>desc v$session;
  Name                                                  Null?    Type
    LOGON_TIME DATE All columns of the view have not been displayed.
  Adith

• How to retrieve User Session in Xcelsius 2008

  Hi
  I am currently building dashboards with some securities on display. The dashboards have to show different views (e.g. Manager view with full access of data and Employee view with partial access of data) for different users, and I expect to get the user information (particularly user name) from the BO user session for making the security decision.
  I can successfully retrieve the user session from Dashboard [url button] to JSP using openDocument (by looking at the cookies), but it seems that I have no way to import the data back to the Dashboard. When I am using Data Manager > XML Data (With XML datasource is a JSP file), it seems the user session cannot be retrieved.
  So, my question is, how to retrieve the user Name in Xcelsius 2008 ?
  Any help is greatly appreciated.

  Hi,
  we did also some research activities about Xcelsius. We are passing the user name to the Xcelsius via Webservice. Based on the portal integration, you do not have to care about the authentication to the Webservice. This does the Enterprise Portal for you. For the integration, we are currently using a BSP solution. In this way, you can get the user name very simple:
  sy-uname
  You can put into the Webservice or provide it as Flash Variable to the Xcelsius in the <OBJECT> tag.
  Take care,
  Thomas

• [Cisco ACS] Memory Utilization limit

  Hello,
  We have 2 CSACS 1121 with Cisco ACS 5.2.0.26.10
  The primary server manages 20000+ authentications per day.
  Its memory utilization increases everyday.
  It is now at 83%
  Is there a limit?
  What will happen when memory utilization reach this limit?
  What can we do to purge memory utilization? (reboot, service restart...)
  Thanks for your help
  Patrick

  admin# sh memory
  total memory:    1031200 kB
  free memory:       16288 kB
  cached:           298568 kB
  swap-cached:           0 kB
  Do you know the minimum free memory amount for safe operations? 
  ·         is this  ACS  running any risks being this abpve?
  ·         Are there any general clean-up commands that  can be executed to free up memory without jeopardizing operations on the ACS?

• How to manage User Session in Adf ?

  Is there any guide line to manage the user session in adf ?

  View layer Http session if it is not a desktop based application. Model layer also you can store session using
  getSession().getUserData()But before that the information you provided is not enough. You need to describe in more detail of what session and what exactly are you looking for

• How to end user session correctly as sys or system user

  Hi,
  Database version Oracle 10.2.0.3
  We have to end user sessions to update database content. We cant stop/shutdown the instance but we have to assure that some users are not logged on.
  So we are looking for a solution to end some arbitrary user sessions as sys or system user without using the KILL USER SESSION option. We want to assure that the user sessions end correctly.
  Is there a possibility or a command in Oracle 10g to end a user session correctly ?
  Thanks for your assistance.

  http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_2013.htm#i2053602
  I think DISCONNECT SESSION Clause is what you are looking for.
  Let us know if this is not the case.

• Cisco ACS 4.2 one user in multiple local groups

  Currently i have group mapping like this
  ACS Groups           Window Groups
      Grp-A-B             Grp-1 and Grp-2
      Grp-A                        Grp-1
      Grp-B                        Grp-2
  For example currently one user test1 is part of both groups 1 and 2 in windows and is mapped to Grp-A-B in ACS. Is it possible if i delete the Grp-A-B mapping in ACS and can see the user test1 speratley in both groups ( Grp-A and Grp-B) in ACS?            

  Salam Muhammad,
  If you have a local user in ACS, that user can not be a member of two groups at the same time.
  The same concept applies to the external users. They can not be mapped to two different groups at the same time.
  If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 process the goup mapping in order:
  '''snip'''
  Group Mapping Order
  ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.
  ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.
  '''snip'''
  Reference:http://goo.gl/cvc474
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• How to get user session details ?

  Hello.
  I can get user session details querying the "USER_AUDIT_SESSION" view against my developing database.
  I have written a PL/SQL function to retrieve those session details. When I executed the function on the production database I have not got any records. It seems that the underlined view is not being refreshed in the production environment.
  Is there any other view or table, available to unprivileged users, I can use to get session details such as the connection timestamp and the user action ?

  Thanks for the reply.
  Ok, I might check it using a non DBA user, I am not sure, though.
  All the database queries have to be executed under a normal user connection.
  I would like a way to get session details not using "user_audit_session".
  Is there any table or view, available to a default profile user, which has session details and has records as a default behaviour?
  As far as I could check disable audit_trail seems to be the normal behaviour of the clients of my application. There is no records in "user_audit_session".

• Cisco ISE - How to map User- Location - Restrict Access to other locations

  Hi,
  i've got a simple question and I hope someone here can help me out with this mess.
  The problem is about WLAN 802.1x Auth with Cisco WLC and a ISE.
  The design goal is the following:
  There are several branch facilities. A user belongs to only ONE facility. This user should not access the WLAN in other facilities.
  The technical design is this:
  Local WLC and/or central vWLC. In the datacenter is one ISE which must handle the auth-requests. The identity source of the users, where I add and manage them, should be the ISE itself for the first time, later I want to AD and LDAP sources.
  Here is the problem:
  I don't understand how I can create a ruleset or something else where I can define that a user of facility A can only login over APs, WLCs,.....in facility A and NOT facility B. Or maybe my design is so bad that I have to start from scratch.
  PLEASE HELP.

  I don't know but may be this is the correct way to validate the user:
  NAS-ID in AP-Groups (One AP-Group per facility) must match "12345" AND Identity-Group must match "12345".
  Iam confused because there is no way to compare these values. 
  In this case to compare the value of "NAS-ID" and die users "IDENTITY-GROUP".
  If they match against each other than "Permit-Access".