[c-nsp] ASA v8 , VPN, and time-range access-lists

John Kougoulos koug at intracom.gr
Tue Jul 28 09:38:48 EDT 2009


Hello,

The standard approach is to send at authentication, via e.g. a RADIUS 
attribute, a session timeout calculated to the end of the work-day. ACLs 
may not work because the sessions are already established. You could 
experiment with stateless ACLs on a router somewhere "above" your ASA, but 
I would go with the RADIUS approach.

Regards,
John

On Tue, 28 Jul 2009, William wrote:

> Hi chaps,
>
> I want to have my VPN Client users bound to time ranges so they can
> only connect during a certain period of time on weekdays. Typically my
> remote guys will connect at the start of the day and stay connected
> till the very end of it or not disconnect at all.
>
> I've been experimenting with access-hours settings on the group policy
> and time-range access lists, from what I have worked out if a user is
> connected before the access-hours kicks in (i.e. when they aren't
> allowed to connect) they will remain connected until they disconnect
> by hand or if I boot them off manually.
>
> I decided to try out the time range access-lists on the outside
> interface to block their connection attempts once they have logged in
> via VPN and start up their application, this seems to work for when
> I've connected out of the allowed time but if I am connected before
> the time-range kicks in my connection stays active (I was running a
> simple ping -t host). Although I did notice after a certain period of
> time (around 30 minutes) my pings stopped replying and the
> access-list worked.
>
> Am I doing something wrong, hence why the time range access-lists
> aren't working properly? The time on the FW is always correct and
> synced to NTP, and I'd appreciate any help!
>
> Cheers,
>
> W
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
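As an added illustration of the RADIUS approach John describes (this is not code from the thread, the ASA, or any RADIUS server), the following Python computes how many seconds remain in the work-day at login time and encodes that as a RADIUS Session-Timeout attribute (type 27, RFC 2865). The work-day window, the fixed UTC+3 time zone and the sample login time are constructed assumptions; a logon outside the window yields an Access-Reject rather than a zero-second session, which is the edge case worth handling explicitly.

```python
"""
Compute a RADIUS Session-Timeout that expires a VPN session at the end of
the work-day, and encode it as a RADIUS attribute-value pair (AVP).

Added example, not code from the original mailing-list thread. Assumptions:
  - VPN access is allowed Monday to Friday, 08:00 to 18:00 local time;
  - local time is a fixed UTC+3 offset (stand-in for the firewall's zone).
"""
import struct
from datetime import datetime, time, timedelta, timezone
from typing import Optional, Tuple

# Assumed policy window (constructed for this example).
WORK_START = time(8, 0)
WORK_END = time(18, 0)
TZ = timezone(timedelta(hours=3))  # assumption: fixed offset, no DST handling

SESSION_TIMEOUT_TYPE = 27  # RADIUS Session-Timeout attribute, RFC 2865 section 5.27
AVP_HEADER_LEN = 2         # type (1 byte) + length (1 byte)


def local_datetime(year, month, day, hour=0, minute=0, second=0) -> datetime:
    """Build a timezone-aware datetime in the assumed local zone."""
    return datetime(year, month, day, hour, minute, second, tzinfo=TZ)


def seconds_until_end_of_workday(now: datetime) -> int:
    """Return seconds remaining in the current work-day window.

    Returns 0 when `now` is outside the window (weekend, before start, or at or
    after end); the caller must then reject the login instead of granting a
    zero-second session.
    """
    local = now.astimezone(TZ)
    if local.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return 0
    start = local.replace(hour=WORK_START.hour, minute=WORK_START.minute,
                          second=0, microsecond=0)
    end = local.replace(hour=WORK_END.hour, minute=WORK_END.minute,
                        second=0, microsecond=0)
    if not (start <= local < end):
        return 0
    return int((end - local).total_seconds())


def session_timeout_avp(seconds: int) -> bytes:
    """Encode Session-Timeout as a RADIUS AVP: type, length, 4-byte big-endian value."""
    if not 0 < seconds <= 0xFFFFFFFF:
        raise ValueError("Session-Timeout must be a positive 32-bit integer")
    return struct.pack("!BBI", SESSION_TIMEOUT_TYPE, AVP_HEADER_LEN + 4, seconds)


def access_decision(now: datetime) -> Tuple[str, Optional[bytes]]:
    """Return ('Access-Accept', AVP bytes) inside the window, else ('Access-Reject', None)."""
    remaining = seconds_until_end_of_workday(now)
    if remaining == 0:
        return ("Access-Reject", None)
    return ("Access-Accept", session_timeout_avp(remaining))


if __name__ == "__main__":
    # Constructed sample: a login at 09:38:48 local time on Tue 28 Jul 2009.
    verdict, avp = access_decision(local_datetime(2009, 7, 28, 9, 38, 48))
    print(verdict, avp.hex() if avp else None)
```

The returned AVP is what a RADIUS server would place in its Access-Accept; the VPN gateway then tears the tunnel down when the timer expires, regardless of whether an interface ACL has already allowed the established session through.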
