[cisco-nas] managing users' privileges with local database

Aaron Leonard Aaron at cisco.com
Wed Sep 28 15:33:28 EDT 2005


So you want to support (at most) three independent
PPP sessions, going to different peers that all use the
same username.

In that case, you'll first want to be sure that MLPPP doesn't
try to put them into the same bundle.  So either disable
MLPPP or at least configure "multilink bundle-name endpoint".

As far as whether or not user-maxlinks is enforced on
non-MLPPP interfaces ... it appears to me that the restriction
on user-maxlinks is that it (used to) only be supported on
DIALER interfaces (whether MLPPP or not) or on an MLPPP
vprofile.  As I understand it, it's now supported on non-dialer async
interfaces via CSCeb52056 (12.3(4)*).  It looks like this may
have been generally busted till 12.3(3) (see CSCeb32677).

Regards,

Aaron

---

>On 2005-09-27 at 15:26, Aaron Leonard wrote:
>
>AL> Sorry, no way to impose a limit on the number of exec logins
>AL> for a locally authenticated user.  (user-maxlinks is useful
>AL> only for PPP links.)
>
>thanks for the reply, Aaron.
>
>"I think" user-maxlink may be the answer !  This is what I want to do :  I want
>to limit the number of dial-up users to 3 for a special case, using only one
>user-id. I thought of creating a special phone number, pointing this number into
>a specific box and using some special trick of the local database to limit the
>number of sessions to 3.
>
>From memory, user-maxlink is intended to limit the number of links in a
>multi-link PPP. However, would it also do the trick in my scenario (3 different
>sessions, all using the same userID) ?
>
>-------------------------------------------------------------------
>Pierre Nepveu, CCNP                    tel: +1 514.380-4289
>Architecte - Reseau commute                 +1 888.INFOVTL x 4289
>Ingenierie / Telephonie                fax: +1 514 899-8452
>Videotron Telecom Ltee (VTL) - Montreal (Quebec), Canada
>-------------------------------------------------------------------
>
>
>
>AL> 
>AL> Here's what you get for a local username:
>AL> 
>AL> as5200(config)#username fred ?
>AL>   access-class         Restrict access by access-class
>AL>   autocommand          Automatically issue a command after the user logs in
>AL>   callback-dialstring  Callback dialstring
>AL>   callback-line        Associate a specific line with this callback
>AL>   callback-rotary      Associate a rotary group with this callback
>AL>   dnis                 Do not require password when obtained via DNIS
>AL>   nocallback-verify    Do not require authentication after callback
>AL>   noescape             Prevent the user from using an escape character
>AL>   nohangup             Do not disconnect after an automatic command
>AL>   nopassword           No password is required for the user to log in
>AL>   password             Specify the password for the user
>AL>   privilege            Set user privilege level
>AL>   user-maxlinks        Limit the user's number of inbound links
>AL>   <cr>
>AL> 
>AL> Privilege, autocommand and access-class are perhaps the
>AL> most generally useful ones in this case.
>AL> 
>AL> Regards,
>AL> 
>AL> Aaron
>AL> 
>AL> ---
>AL> 
>AL> >hello,
>AL> >
>AL> >my machine :
>AL> >IOS (tm) 5200 Software (C5200-IS-L), Version 11.3(11b)T3
>AL> >
>AL> >my goal : create a local user in order to supersede TACACS (I've already got :
>AL> >aaa authentication login default local tacacs+ enable) and give parameters to
>AL> >that user.  What I'm mostly interested in is to limit the number of simultaneous
>AL> >sessions to 3 (let's say).
>AL> >
>AL> >Is this feasible at all, to start with ?
>AL> >Is there a guide on how to do this (with other parameters I could set) ?
>AL> >
>AL> >Thanks !
>AL> >
>AL> >-------------------------------------------------------------------
>AL> >Pierre Nepveu, CCNP                    tel: +1 514.380-4289 
>AL> >Architecte - Reseau commute                 +1 888.INFOVTL x 4289
>AL> >Ingenierie / Telephonie                fax: +1 514 899-8452
>AL> >Videotron Telecom Ltee (VTL) - Montreal (Quebec), Canada
>AL> >-------------------------------------------------------------------
>AL> >
>AL> >
>AL> >
>AL> >_______________________________________________
>AL> >cisco-nas mailing list
>AL> >cisco-nas at puck.nether.net
>AL> >https://puck.nether.net/mailman/listinfo/cisco-nas
>AL> >  
>AL> >
>AL> 
>  
>
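The two configuration conditions raised in this thread (a user-maxlinks cap on the shared username, and MLPPP either disabled or bundling by endpoint) can be checked offline against a saved running-config. The script below is an added example, not part of the original messages; the account name "dialin3", the sample config and the `audit` helper are constructed for illustration.

```python
import re

# Constructed running-config fragment (not from the thread); "dialin3" is a
# hypothetical shared dial-up account and PLACEHOLDER stands in for a secret.
SAMPLE_CONFIG = """\
aaa authentication ppp default local
username dialin3 password 0 PLACEHOLDER
username fred privilege 1 password 0 PLACEHOLDER
!
interface Group-Async1
 encapsulation ppp
 ppp multilink
!
"""

def audit(config, shared_users, wanted=3):
    """Check the two conditions from the thread for each shared PPP username."""
    maxlinks, multilink_ifaces = {}, []
    bundle_by_endpoint, iface = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif raw and not raw[0].isspace():
            iface = None  # any other top-level line ends the interface block
        m = re.match(r"username (\S+) .*\buser-maxlinks (\d+)", line)
        if m and iface is None:
            maxlinks[m.group(1)] = int(m.group(2))
        elif line == "ppp multilink" and iface:
            multilink_ifaces.append(iface)
        elif line == "multilink bundle-name endpoint":
            bundle_by_endpoint = True
    findings = []
    for user in shared_users:
        if user not in maxlinks:
            findings.append(f"{user}: no user-maxlinks set")
        elif maxlinks[user] > wanted:
            findings.append(f"{user}: user-maxlinks {maxlinks[user]} exceeds {wanted}")
    if multilink_ifaces and not bundle_by_endpoint:
        findings.append("ppp multilink on " + ", ".join(multilink_ifaces)
                        + " without 'multilink bundle-name endpoint'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["dialin3"]):
        print(finding)
```

This only confirms the configuration is present; whether user-maxlinks is actually enforced on a given interface type still depends on the IOS release, as noted in the reply above.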