Max Sessions, Usage Quotas, and Password Aging Rules


In this section, multiple configuration features are presented. These are essential aspects of a security policy implementation. In particular, max sessions, usage quotas, and password aging rules are covered.

Max Sessions

To understand how max sessions actually works, keep in mind that ACS considers a session to be any type of connection supported by TACACS+ or RADIUS, such as Telnet, PPP, or a NAS prompt. Therefore, if you set a max sessions limit of 20 for a group of 10 users, each user could have only 2 sessions. Equally, a single user could establish all 20 sessions, leaving no other user of the group able to open a session.

NOTE

The default for max sessions is unlimited for the group.


To prevent a single user from consuming that many sessions, you can also configure the max sessions available to each user of this group.

NOTE

To make the max sessions option visible in Group Setup, you might once again need to enable the option in Interface Configuration.


An example of setting max usage options for the FirstUsers group would look something like the following:

  • 10 users of FirstUsers group

  • 20 sessions max limit set at group level

  • 2 sessions available to users of this group

This allows the 20 sessions to be spread evenly across each user of the FirstUsers group. You might also choose to configure the max sessions available to users of this group as well as sessions available to users at the user level. Keep in mind that any configuration at the user level overrides the group-level configuration. Therefore, if you configure two sessions available to users of this group and five sessions available to a specific user, this five-session limit overrides the two-session limit. To track user accounting, you need to enable EXEC accounting on each NAS.

Usage Quotas

The configuration of usage quotas is fairly simple. In this section, you can limit each user of this group to a certain number of hours online per day, week, or month, or you can set this as an absolute value. You can also limit each user of this group to a certain number of sessions per day, week, or month, or again as an absolute timer. The final option available here is to reset all counters for this group when you select Submit. This is always a good idea when you change these values.

As seen in other configurations, you can configure these settings at the user-configuration level. The difference in the configuration section at the user level is that you can see current usage statistics that you cannot see at the group level. This is seen in Figure 8-9.

Figure 8-9. Current Usage Statistics


Password Aging Rules

Password aging gets its own Jump To link. To get to this section, choose Password Aging in the Jump To menu. As a security administrator, you understand the importance of changing passwords on a regular basis. This area of configuration allows you to force a user to change passwords accordingly.

According to the Cisco documentation, to use this feature, the AAA client must be running the TACACS+ or RADIUS protocol for password aging over dial-in connections. Only password aging over interactive connection (Telnet) is supported with TACACS+. This means that if you are using Telnet or Secure Shell (SSH), you need to use TACACS+. You can choose to apply age-by-date rules and age-by-uses rules and to apply a password change rule, which forces users to change their passwords after an administrator has changed it.

The age-by-date rule has three option boxes as follows:

  • Active period: The active period is the number of days that you want to allow a user to log in without being prompted to change passwords. The default active period is 20 days. When a user is first prompted to change passwords, the user grace period and warning period begin.

  • Warning period: The warning period is a length of time in which a user is warned that the password is going to expire and is given the number of days left before the password actually expires.

  • Grace period: The grace period is a last-chance login timer in which a user can log in one last time with the original password. The user is warned that the password expires if not changed. If the password is not changed, no further logins are accepted even if the grace period timer has not expired yet.

When you choose to apply age-by-uses rules, you specify an issue warning after value as well as a require change after value. While these seem simple, it is important to understand how the values are counted. If you configure the issue warning after value at 15 logins, on the 16th login the user is warned that a password change is required. With this same configuration, if the require change after value is set to 20, the warning continues for logins 16, 17, 18, and 19. On the 20th login, the user is advised that the password must be changed, and if the password is not changed, the account expires.

TIP

If you want to allow unlimited logins without requiring a change of passwords, use a -1 in the issue warning after and require change after fields.
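The following is an added example, not code from the book or from Cisco ACS: it models the age-by-uses counting described above (warn after 15, change after 20) together with the -1 "unlimited" convention from the tip, so you can check what a given login number would see under a rule before rolling it out. The status names and the AgeByUsesRule class are assumptions for illustration.

```python
from dataclasses import dataclass

UNLIMITED = -1  # per the tip: -1 in either field disables that check


@dataclass(frozen=True)
class AgeByUsesRule:
    """Hypothetical holder for the two age-by-uses fields in Group Setup."""
    issue_warning_after: int    # logins allowed before warnings start (15 in the text)
    require_change_after: int   # login at which a change becomes mandatory (20 in the text)


def evaluate_age_by_uses(rule: AgeByUsesRule, login_number: int) -> str:
    """Classify the Nth login (counted from 1) under an age-by-uses rule.

    Mirrors the worked example on the page: warn-after 15 means the 16th login
    is warned, change-after 20 means the 20th login must change the password,
    and any later login finds the account expired.
    """
    if login_number < 1:
        raise ValueError("login_number counts from 1")
    if rule.require_change_after != UNLIMITED:
        if login_number > rule.require_change_after:
            return "expired"
        if login_number == rule.require_change_after:
            return "change-required"
    if rule.issue_warning_after != UNLIMITED and login_number > rule.issue_warning_after:
        return "warning"
    return "ok"


def login_schedule(rule: AgeByUsesRule, max_logins: int) -> dict:
    """Return the first login number at which each non-ok status appears.

    Useful for sanity-checking a rule: an empty result means the user would
    never be warned or forced to change within max_logins attempts.
    """
    first_seen = {}
    for n in range(1, max_logins + 1):
        status = evaluate_age_by_uses(rule, n)
        if status != "ok" and status not in first_seen:
            first_seen[status] = n
    return first_seen


if __name__ == "__main__":
    rule = AgeByUsesRule(issue_warning_after=15, require_change_after=20)
    for n in (15, 16, 19, 20, 21):
        print(n, evaluate_age_by_uses(rule, n))
    print(login_schedule(rule, 25))
```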





Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173
