
22. How can I restrict multiple access / limit the number of concurrent sessions?

There are two approaches, depending on where the limit is enforced.

First, the NAS itself can limit the number of links in a multilink PPP bundle. This is implemented starting in IOS 11.3 by using the following TACACS+ configuration:

 
user = "demouser" { 
        service = multilink { 
                max-link = "1"
        } 
} 

The RADIUS equivalent should be

 
        cisco-avpair="multilink:max-link=1"

This is equivalent to the vendor-proprietary Ascend-Max-Channels RADIUS attribute, supported in IOS 11.3, and the IETF standard attribute Port-Limit, which is supported beginning in IOS 11.3(3)T.

Alternatively, the AAA daemon can enforce the limit. The advantage of this approach is that it works not only for multilink PPP sessions terminating on a single NAS, but also for arbitrary dial-in PPP sessions distributed over several NASs.

Starting with version 3.0, Cisco's free TACACS+ daemon can restrict the number of parallel authorization sessions using the maxsess keyword. Strictly speaking, this does not prevent parallel logins because it does not affect authentication, but in practice the difference between preventing authentication and preventing authorization is very small. The users_guide is a bit misleading here.

Some other daemons like CiscoSecure ACS for UNIX and NT also allow this.

D & D consulting have a package they market, called duplogin, which runs as an after auth program. It will check multiple comm servers and the feature can be disabled on a per user basis. The package runs under UNIX (currently works on BSD/OS, Sun, Linux, HP, but can be compiled on any system given access). See http://www.disaster.com/ for further details.

There was also an after authorization perl script written by Kent Ritchie which did something similar. Although it's not bulletproof, it should be a good starting point. It's at http://www.blake.pvt.k12.mn.us/~kritchie/noconcur.pl.txt
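
The daemon-side check described above, as an added example (not code from duplogin, noconcur.pl or the TACACS+ daemon): sessions are counted per user across all NASs from accounting records, and when the limit appears to be reached each recorded session is confirmed with its NAS, so that a lost stop record does not lock the user out. The class, the probe callback and the sample NAS and port names are assumptions made for the illustration.

```python
from collections import defaultdict

class SessionLimiter:
    """Central per-user session cap covering every NAS (all names are assumptions)."""

    def __init__(self, probe, default_limit=1, user_limits=None):
        self.probe = probe                    # probe(nas, port) -> user on that port, or None
        self.default_limit = default_limit
        self.user_limits = user_limits or {}  # a limit of 0 disables the check for that user
        self.sessions = defaultdict(set)      # user -> {(nas, port), ...}

    def accounting(self, event, user, nas, port):
        """Record one accounting event, 'start' or 'stop'."""
        # A port carries one session at a time, so drop whatever was recorded on it.
        for ports in self.sessions.values():
            ports.discard((nas, port))
        if event == "start":
            self.sessions[user].add((nas, port))

    def authorize(self, user, nas, port):
        """Return True if user may open a session on (nas, port)."""
        limit = self.user_limits.get(user, self.default_limit)
        if limit == 0:
            return True
        others = self.sessions[user] - {(nas, port)}
        if len(others) < limit:
            return True
        # At the limit on paper. A stop record may have been lost (NAS reload,
        # dropped packet), so confirm each recorded session with its NAS.
        live = {s for s in others if self.probe(*s) == user}
        self.sessions[user] -= others - live  # forget sessions the NAS no longer has
        return len(live) < limit

def demo():
    """Run a constructed scenario and return the three decisions."""
    nas_state = {}  # constructed: what each (nas, port) reports when queried
    lim = SessionLimiter(lambda nas, port: nas_state.get((nas, port)),
                         user_limits={"operator": 0})
    lim.accounting("start", "demouser", "nas1", "Async1")
    nas_state[("nas1", "Async1")] = "demouser"
    second_nas = lim.authorize("demouser", "nas2", "Async3")    # still on nas1: deny
    del nas_state[("nas1", "Async1")]                           # nas1 reloads, stop record lost
    after_reload = lim.authorize("demouser", "nas2", "Async3")  # stale entry purged: permit
    lim.accounting("start", "operator", "nas1", "Async2")
    exempt = lim.authorize("operator", "nas2", "Async4")        # check disabled: permit
    return [second_nas, after_reload, exempt]

if __name__ == "__main__":
    print(demo())
```

The probe is what makes the count trustworthy: without it, a single lost stop record leaves a phantom session that denies the user until someone clears it by hand.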

