Simultaneous Logins in VPN Concentrator

Hi,
The documents indicate that 'Simultaneous Logins' applies to a single 'Internal User'.
I have configured a User Group that utilises RADIUS as an authentication method. I was wondering whether the simultaneous login limit can be applied as well.
So what I'm trying to do here is let users authenticate via RADIUS. I want to limit only 1 session per UserID at a time.
Any ideas?
If it cannot be done, what are the workarounds available?

There seems to be conflicting documentation regarding the function 'Simultaneous Login'
In the main documentation
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee1f0.html
It says Number of Simultaneous Login for a single User
In the TAC KB
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K80154467
It seems like they are referring to number of simultaneous connection within that group.
So which is it ?

Similar Messages

  • ACS with VPN Concentrator : IP address attribution

    Hello,
    I need to know if it is possible for ACS to attribute an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator, and if yes: how can I do it, what is the procedure? With the attribute Framed IP Address? Does it work?
    Thanks !
    Patrice

    Yes, it can be done and works very well. Under the RADIUS attributes, use:
    [014] Login-IP-Host
    NAS Specifies
    User Specifies
    Other
    Check Other and then add the IP address that you want to assign.

  • Simultaneous login problem

    Hi 
    I am having simultaneous login problems. In the past I have been able to sign into my skype account on both my Mac Book Pro and my Windows 7 desktop PC. However since I had to change my password I can only login into one machine at a time now. Also when I change my password on the desktop PC I can only sign into that skype / computer. Whenever I type the same account name and same exact password on my Mac Book Pro, it says it doesn't recognize my sign-in details but I am 100% sure that I typed it in exactly the same way as I did on my desktop. Another is that when I reset my password on my Mac Book those details won't work on the Desktop PC and vice-versa.
    I would like to know what is the problem in this situation, I am not sure if this is an application error or a networking error where the account details are not signing in from a different IP or MAC address.
    Please and thank you!

    "The load balancing was already functional:"
    Do you have a description how to do that?
    I Would like to know how.
    "so ALL traffic, not going to the LAN network and so over this interface, went out on the DMZ interface, with source IP from LAN."
    If you put the VPN servers behind 1-1 NAT instead they will use the firewall as GW and the VPN clients will get at your remote sites/LAN IF you add routing definitions in VPN config what networks are reachable through VPN.
    Or you keep servers as they are but also add more routing definitions in VPN AND static routes to each server with the firewall as gw to those remote networks. Default gw will still be through the DMZ IPs though.
    The problem with more than one VPN client from behind same IP address is, with your current server settings, most likely because of the client side NAT router isn't coping with the task. Your public IP VPN server(s) should mean NAT VPN problem is at the other end (customer/client network router/firewall).
    If two VPN clients behind same NAT router connected to different servers at your end, "12.34.56.80" and "12.34.56.81" (both are public IPs?) respectively I believe at least two should be able to connect.
    3G/4G modems isn't an option?
    Maybe try bringing your own tested working portable router (ethernet/wifi maybe includes a VPN client that connect to your servers) to the customer and put it temporarily on their LAN? There are these small new 3G/WiFi routers too. Depends on whether you need to be connected to customer LAN or not.
    Try other VPN solution, SSL or OpenVPN?
    Use both PPTP and L2TP simultaneously (PPTP could be troublesome if GRE/TCP 1723 passthrough is disabled)?

  • LDAP ON VPN CONCENTRATOR

    I have a VPN 3015. I want my VPN users to be authenticated and authorized to the VPN 3015 through my Active Directory (LDAP).
    For the Authentication Server, I use Kerberos/Active Directory Server and it works when I test it.
    But for the Authorization Server, I use an LDAP server (the same server as the authentication server), with all the parameters like Login DN, Base DN, naming attributes, but when I test it, it doesn't work. Why?
    Thanks

    The VPN Concentrator supports user authorization on an external LDAP or RADIUS server. Before you configure the VPN Concentrator to use an external server, you must configure the server with the correct VPN Concentrator authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions given here to configure your external server.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce27.html

  • Multiple logins to VPN 3005 required

    Hi Everyone,
    We have been using our Cisco 3005 VPN Concentrator now for a few years with no trouble. When connecting to it through the WEBVpn you normally only have to log in once... now it requires two logins, both of which are identical.
    Is there a good document that explains the logins, or a method to trace which page you are accessing through the WebVPN product to know why it is requesting the secondary login?
    Thanks,
    Ken

    Is this happening for all users?
    What version are you running?
    Regards
    Farrukh

  • AAA VPN Concentrator 3005

    Hi, I have run into a problem with my VPN concentrator. I was setting up AAA on it this morning and after configuring it, I cannot get back into the web interface. It is version 2.21 running on the concentrator. I cannot get a console session; nothing appears when I use the settings 9600, 8, 0, 1, Hardware. I can see the authentication is working on the ACS Logs but I am getting invalid login on the VPN Concentrator. Is there anything I can do at this point?

    Was using the wrong type cable to console into the Concentrator. Done a password reset from the console and that allowed me back in.
    Cheers
    Brian

  • VPN concentrator and webVPN

    Hi,
    Trying to set up VPNc 3005 for WebVPN. The VPNc is configured with NTP server so the clock is fine. I installed SSL vpn client and SecureDesktop software onto the VPNc. Created a local account and group. When I perform https://vpnc/admin.html, I can manage the VPNc from the external interface so the certificate is good.
    When I do http://vpnc from the same XP Service Pack 2 workstation, it attempted to install both ssl vpn client and secure desktop onto my winXP (I have admin privilege on the XP machine), then it tells me that the vpn concentrator has a server certificate error. I've attached the screen shot. Anyone know what it is? Thanks.

    If you connect to a website that loads content (such as images) from a second, previously unauthenticated server, the content might not be rendered correctly. WebVPN clientless mode does not support websites that require authentication for access to content from secondary servers. When using WebVPN with NAT-T, do not set the NAT-T port to 443. We recommend using port 80 for NAT-T, as firewalls should allow this.
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/configuration/guide/webvpnap.html
    http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_41/quick/start/gs3mgr.html#wp1302684

  • PIX, ASA or VPN concentrator & dynamic VPN

    Hi all,
    I need help what to use and how to do next.
    What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
    How to do that dynamically? Is it possible to do that with one certificate?
    Other question is what to use? ..PIX, ASA, VPN concentrator ?
    BR
    jl

    The PIX and VPNC are both end of sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preferred platform for Remote Access VPNs.
    You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
    "every user is member of more than one group "
    Some links:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
    With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
    Pls. rate if helpful.
    Regards
    Farrukh

  • VPN Concentrator authentication with multiple domains

    I have a hub and spoke network where a T1 comes in to the hub site A and there is a frame relay connection going over to the spoke site B. We want to add a VPN concentrator to site A for remote access but site A and site B have their own domains that are independent of one another. Can I set up the VPN Concentrator to authenticate users that belong to site A domain using site A's domain controller and authenticate users that belong to site B domain using site B's domain controller? That way we can use a single VPN concentrator and a single internet connection but keep the authentication separate.
    Thanks in advance for any help.

    To authenticate users that belong to site A domain using site A's domain controller you should authenticate users that belong to site A domain using site A's domain controller

  • IP Address Assignment on VPN Concentrator through AD

    Is it possible to assign an IP address on a per-user basis using Active Directory as your authentication method for a group within the 3000 series VPN Concentrator?
    I know this can be done with ACS/RADIUS, but I do not see any documentation on how this can be accomplished using Active Directory as your external authentication server.

    Sorry for the thread title it should be : "reserver" not reverse.
    I have been advised to read the "admin guide"
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008026f96c.shtml
    under the heading below
    Assign a Specific IP Address to a User
    In order to assign a static IP address for the remote VPN user every time they connect to the VPN 3000 Series Concentrator, choose: Configuration > User Management > Users > Modify ipsecuser2 > identity.
    My question i am using production box (to avoid screw up whole system), does it affect if i want to create a specific group and assign specific ip address to a user
    On my PIX (VPN running parallel to the PIX, i.e. it is not behind nor in front of the PIX) I have got these lines of configuration which are related to the VPN concentrator:
    nat (inside) 1 10.2.2.0 255.255.255.0 0 0,,,,,,,,ip for VPN pool as seen in figure
    nat (inside) 1 172.168.1.0 255.255.255.0 0 0,,,,,,,,,not related to VPN
    nat (inside) 1 192.168.0.0 255.255.0.0 0 0,,,,,,,,,not related to VPN
    global (outside) 1 10.1.1.150-10.1.1.155
    global (outside) 1 10.1.1.156
    route inside 10.2.2.0 255.255.255.0 192.168.55.254 1,,,,,,,,,,,,,192.168.55.254, is the VPN Ethernet 1 ip address.
    http://img204.imageshack.us/img204/7306/vpnpooleu1.jpg
    What I am thinking to do, are below (please any comment) :
    1- I want to modify the current group (see my VPN figure ) to be from range 10.2.2.1-10.2.2.9 instead of 10.2.2.1-10.2.2.10
    2- Create another group called : " mobile_users "
    3- Create a user called : " commuter "
    4- Assign the user " commuter " to the group " mobile_user "
    5- Assign ip address 10..2.2.2 to the user " commuter "
    6- In the Cisco site that I have posted, it says: tick option for " User address from Authentication Server ". I do not think this will apply to me?
    again since I am using production box, I have to assure that the modification above does not screw up the whole system

  • Cisco works LMS 3.0.1 cannot archive configuration for cisco 3000 series vpn concentrator

    Hi All,
    Our problem is, we have Cisco Works LMS 3.0.1. It cannot archive configuration for cisco 3000 series vpn concentrator.
    Any help would be greatly appreciated.
    Thanks in advance.
    Samir

    Make sure you have filled out all of the HTTP/HTTPS credential data in DCR for these devices.  RME will only use HTTPS to fetch VPN concentrator configurations.

  • Limit # of simultaneous logins?

    Is it possible (or even practical) to try to do this?
    My client wants *light* security on a series of pages, and would like to have two categories of passwords -
    1. A single user, i.e., no simultaneous logins.
    2. A group user, i.e., multiple simultaneous logins, up to but not beyond, some ceiling.
    With PHP/MySQL is this feasible?
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.dreamweavermx-templates.com - Template Triage!
    http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
    ==================

    I can't speak for the PHP universe, but principles tend to translate so I'll take a shot anyway.
    In ASP, you've got session_onstart and session_onend in your global.asa file. Obviously, if the user does not log out and just closes the browser, the session will remain active until it times out, but session_onend will run regardless of how the session is ended. The session_onstart and session_onend can be used to edit application variables (which are truly global and only fall out of scope when IIS is restarted). The application variable might, for instance, be named after the user ID and contain the number of current active sessions. Session_onstart is set to create or increment; session_onend is used to decrement.
    In the case of a user closing the browser, you'd have a login unavailable until the session timeout is reached. Typically, explaining this to users is good enough and everyone understands that if they make a mistake (or have the computer crash or something), they may need to wait 20 minutes before they're allowed to log in again (assuming you're using the default 20 minute timeout). As long as it's known up front and not a nasty surprise, people are generally understanding.
    I don't think PHP has application variables, but you could do the same with a text file or a database table (with the bonus that a database table can be used to store session ID, login, logout, etc and give you all kinds of history info). The crux of the matter is finding out if a PHP application has the equivalent of a global.asa and/or session_onstart and session_onend event handlers that are handled by the web server and not any particular web page. Sorry I can't be of more help there.
    "Murray *ACE*" <[email protected]> wrote in message news:[email protected]...
    > That was exactly what I told her.
    >
    > So - how would you approach this problem, then? One solution is to monitor simultaneous logins, and that clearly is impractical.
    >
    > How would you enable 'group' access if not this way?
    >
    > --
    > Murray --- ICQ 71997575
    > Adobe Community Expert
    > (If you *MUST* email me, don't LAUGH when you do so!)
    > ==================
    > http://www.dreamweavermx-templates.com - Template Triage!
    > http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    > http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    > http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
    > ==================
    >
    > "Gary White" <[email protected]> wrote in message news:[email protected]...
    >> On Thu, 6 Sep 2007 10:38:10 -0400, "Murray *ACE*" <[email protected]> wrote:
    >>
    >>>With PHP/MySQL is this feasible?
    >>
    >> Not really. Because some users may simply close the browser instead of logging out, you have no reliable method to determine who or how many may still be logged in.
    >>
    >> Gary
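
Added example, not part of the original thread: the database-table variant of the session counter described in the reply above, with idle expiry covering the closed-browser case. It uses Python and SQLite as a stand-in for PHP/MySQL; the table layout, function names and the 20-minute idle timeout are assumptions taken from the discussion, not any product's API.

```python
import secrets
import sqlite3

IDLE_TIMEOUT = 20 * 60  # seconds; assumed, mirrors the 20-minute timeout in the reply


def open_store(path=":memory:"):
    """Create the session table (stand-in for the MySQL table in the thread)."""
    # isolation_level=None: autocommit mode, transactions are opened explicitly.
    db = sqlite3.connect(path, isolation_level=None)
    db.execute(
        "CREATE TABLE IF NOT EXISTS sessions ("
        " session_id TEXT PRIMARY KEY,"
        " account TEXT NOT NULL,"
        " last_seen INTEGER NOT NULL)"
    )
    db.execute("CREATE INDEX IF NOT EXISTS idx_account ON sessions(account)")
    return db


def login(db, account, ceiling, now):
    """Return a new session id, or None when the account is at its ceiling.

    ceiling=1 is the 'single user' category, ceiling=N the 'group user' one.
    """
    db.execute("BEGIN IMMEDIATE")  # write lock: count and insert happen atomically
    try:
        # A session idle past the timeout is treated as a closed browser.
        db.execute("DELETE FROM sessions WHERE last_seen < ?", (now - IDLE_TIMEOUT,))
        (active,) = db.execute(
            "SELECT COUNT(*) FROM sessions WHERE account = ?", (account,)
        ).fetchone()
        if active >= ceiling:
            db.execute("COMMIT")  # keep the purge, refuse the login
            return None
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (sid, account, now))
        db.execute("COMMIT")
        return sid
    except Exception:
        db.execute("ROLLBACK")
        raise


def touch(db, sid, now):
    """Call on every authenticated request; False means the session has expired."""
    cur = db.execute(
        "UPDATE sessions SET last_seen = ? WHERE session_id = ? AND last_seen >= ?",
        (now, sid, now - IDLE_TIMEOUT),
    )
    return cur.rowcount == 1


def logout(db, sid):
    """Explicit logout frees the slot immediately."""
    db.execute("DELETE FROM sessions WHERE session_id = ?", (sid,))


if __name__ == "__main__":
    store = open_store()
    first = login(store, "alice", 1, now=1000)   # constructed sample account
    second = login(store, "alice", 1, now=1060)  # refused: slot still held
    print(first is not None, second is None)
```

The slot held by an abandoned session frees itself once `IDLE_TIMEOUT` passes without a `touch`, which is the wait the reply describes.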

  • Block simultaneous logins by the same user on wired 802.1x

    Is it possible to block simultaneous logins by the same user, meaning if userX is logged in on port gi1/0/1 and after that the same user (UserX) tries to log in on a different port, it will be blocked?

    Sorry I did not read your original question correctly. So at the moment, you can only restrict the number of concurrent connections for users that are only going through the web authentication process. If you are using EAP-TLS, PEAP, etc, then there is no method to restrict those users from performing multiple authentications on the network.
    Thank you for rating helpful posts!

  • Not allow simultaneous login on managed computers using profile manager

    Does anyone know how to not allow simultaneous login on managed computers using Profile Manager instead of Workgroup Manager?
    Thanks in advance

    Hi Folks
    First - thanks for your help.
    Closing this out - here is what I learned:
    1) Needed to ensure my server was Kerberised and that Kerberos was running correctly
    2) Local users have precedence over network so I need to ensure I don't use the same short name. While using the "id" command you may be able to see the network user ID, the local of the same name appears to take precedence.
    3) Using the "kinit" command is useful for confirming Kerberos is working correctly
    4) Home directories created - had already done this but what finally got this working was stopping and restarting AFP Service.
    So was able to successfully login to Mac Client using OD username and password - it mounted the network home share just fine on the client, loaded preferences etc.
    Now on to create network users with Mobile Accounts for my laptop users - wish me luck

  • Multiple simultaneous logins no longer being prohibited when unchecked

    Since (I think) the most recent raft of software updates were installed, multiple simultaneous logins are no longer being prohibited when the box is unchecked in a user's logon account.
    My users are now logging onto different computers and 'lending' their account to people who are not students.
    Is anyone else experiencing this anomaly since 10.5.7 or thereabouts?

    Figured it out, I just had to restart the server for the changes to take effect.
