Chapter 1 Overview of Cisco Secure ACS
AAA Server Functions and Concepts
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Max Sessions
Max Sessions is a useful feature for organizations that need to limit the number
of concurrent sessions available to either a user or a group:
• User Max Sessions: For example, an Internet service provider can limit
  each account holder to a single session.
• Group Max Sessions: For example, an enterprise administrator can allow
  the remote access infrastructure to be shared equally among several
  departments and limit the maximum number of concurrent sessions for all
  users in any one department.
In addition to simple User and Group Max Sessions control, Cisco Secure ACS
enables the administrator to specify a Group Max Sessions value and a
group-based User Max Sessions value; that is, a User Max Sessions value based
on the user's group membership. For example, an administrator can allocate a
Group Max Sessions value of 50 to the group Sales and also limit each member
of the Sales group to 5 sessions each. This way no single member of a group
account would be able to use more than 5 sessions at any one time, but the group
could still have up to 50 active sessions.
Dynamic Usage Quotas
Cisco Secure ACS enables you to define usage quotas for users. You can limit the
network access of each user in a group or of individual users. You define quotas
by duration of sessions or the total number of sessions. Quotas can be either
absolute or based on daily, weekly, or monthly periods. To grant access to users
who have exceeded their quotas, you can reset session quota counters as needed.
To support time-based quotas, we recommend enabling accounting update packets
on all AAA clients. If update packets are not enabled, the quota is updated only
when the user logs off and the accounting stop packet is received from the AAA
client. If the AAA client through which the user is accessing your network fails,
the session information is not updated. In the case of multiple sessions, such as
with ISDN, the quota would not be updated until all sessions terminate, which
means that a second channel will be accepted even if the first channel has
exhausted the user's quota.
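
The time-based quota gap described above can be seen in a small model, added here as an illustration and not taken from Cisco Secure ACS. The class, its method names and the 3600-second quota are assumptions, and the model commits usage per session as each accounting record arrives.

```python
# Added illustrative model; not Cisco Secure ACS code. All names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class QuotaTracker:
    quota_seconds: int                           # time-based quota for one user
    used_seconds: int = 0                        # usage the AAA server has recorded
    active: dict = field(default_factory=dict)   # session id -> seconds already counted

    def authorize(self, session_id: str) -> bool:
        """Admit a new session only while recorded usage is under quota."""
        if self.used_seconds >= self.quota_seconds:
            return False
        self.active[session_id] = 0
        return True

    def accounting(self, session_id: str, session_time: int, stop: bool = False) -> None:
        """Apply an update or stop record carrying cumulative session time."""
        if session_id not in self.active:
            return  # unknown or already closed session
        # Count only the time not yet reported for this session.
        self.used_seconds += session_time - self.active[session_id]
        if stop:
            del self.active[session_id]
        else:
            self.active[session_id] = session_time


def run_scenario(updates_enabled: bool, quota: int = 3600):
    """Constructed scenario: channel B1 has been up 4000 s when B2 is requested.

    Returns (usage recorded by the server, whether B2 was admitted).
    """
    tracker = QuotaTracker(quota_seconds=quota)
    tracker.authorize("B1")
    if updates_enabled:
        # The AAA client reports progress every 600 s while B1 stays connected.
        for elapsed in range(600, 4001, 600):
            tracker.accounting("B1", elapsed)
    # B1 is still connected, so no accounting stop record has arrived.
    admitted = tracker.authorize("B2")
    return tracker.used_seconds, admitted


if __name__ == "__main__":
    print("updates off:", run_scenario(False))
    print("updates on: ", run_scenario(True))
```

The recorded usage in each case is also what the server would be left holding if the AAA client failed at that moment and the stop record never arrived.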