managing users' privileges with local database
hello,

my machine :
IOS (tm) 5200 Software (C5200-IS-L), Version 11.3(11b)T3

my goal: create a local user in order to supersede TACACS (I've already got:
aaa authentication login default local tacacs+ enable) and give parameters to
that user. What I'm mostly interested in is limiting the number of simultaneous
sessions to 3 (let's say).

Is this feasible at all, to start with ?
Is there a guide on how to do this (with other parameters I could set) ?

Thanks !

-------------------------------------------------------------------
Pierre Nepveu, CCNP tel: +1 514.380-4289
Architecte - Reseau commute +1 888.INFOVTL x 4289
Ingenierie / Telephonie fax: +1 514 899-8452
Videotron Telecom Ltee (VTL) - Montreal (Quebec), Canada
-------------------------------------------------------------------
Re: managing users' privileges with local database
Sorry, no way to impose a limit on the number of exec logins
for a locally authenticated user. (user-maxlinks is useful
only for PPP links.)

Here's what you get for a local username:

as5200(config)#username fred ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  user-maxlinks        Limit the user's number of inbound links
  <cr>

Privilege, autocommand and access-class are perhaps the
most generally useful ones in this case.

Regards,

Aaron

Re: managing users' privileges with local database
On 2005-09-27 at 15:26, Aaron Leonard wrote:

AL> Sorry, no way to impose a limit on the number of exec logins
AL> for a locally authenticated user. (user-maxlinks is useful
AL> only for PPP links.)

thanks for the reply, Aaron.

"I think" user-maxlinks may be the answer! This is what I want to do: I want
to limit the number of dial-up users to 3 for a special case, using only one
user-id. I thought of creating a special phone number, pointing this number into
a specific box and using some special trick of the local database to limit the
number of sessions to 3.

From memory, user-maxlinks is intended to limit the number of links in a
multilink PPP. However, would it also do the trick in my scenario (3 different
sessions, all using the same userID)?

-------------------------------------------------------------------
Pierre Nepveu, CCNP tel: +1 514.380-4289
Architecte - Reseau commute +1 888.INFOVTL x 4289
Ingenierie / Telephonie fax: +1 514 899-8452
Videotron Telecom Ltee (VTL) - Montreal (Quebec), Canada
-------------------------------------------------------------------

Re: managing users' privileges with local database
So you want to support (at most) three independent
PPP sessions, going to different peers that all use the
same username.

In that case, you'll first want to be sure that MLPPP doesn't
try to put them into the same bundle. So either disable
MLPPP or at least configure "multilink bundle-name endpoint".

As far as whether or not user-maxlinks is enforced on
non-MLPPP interfaces ... it appears to me that the restriction
on user-maxlinks is that it (used to) only be supported on
DIALER interfaces (whether MLPPP or not) or on an MLPPP
vprofile. As I understand it, it's now supported on non-dialer async
interfaces via CSCeb52056 (12.3(4)*). It looks like this may
have been generally busted till 12.3(3) (see CSCeb32677).

Regards,

Aaron

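Putting Aaron's two replies together as one IOS configuration fragment: a local fallback exec user confined with privilege, access-class and autocommand (the three parameters he singles out from the username ? list), and a separate dial-in PPP username capped with user-maxlinks after MLPPP bundling by name has been disabled. This is an added example, not from the thread and not Cisco documentation; the hostname, usernames (fred, dialgroup), ACL number 10, the 192.0.2.0/24 management range and the password placeholders are constructed, and the async/group-async interface configuration the dial-in side would also need is left out.

```cisco
! Added example (not from the thread). Names, ACL number and addresses
! are constructed; every command is either shown in the thread or is a
! standard IOS global/line command.
service password-encryption
aaa new-model
! Method list quoted from the original post. Because "local" is listed
! first, a username that exists in the local database is decided locally
! and is never checked against TACACS+, so the local entry should carry
! only the privilege level it actually needs.
aaa authentication login default local tacacs+ enable
aaa authentication ppp default local
!
! Source restriction for the local exec user: the ACL is matched against
! the address the user connects from (username access-class), in addition
! to the access-class applied to the vty lines below.
access-list 10 permit 192.0.2.0 0.0.0.255
!
! Local fallback exec user: level 1, confined to the management range, and
! dropped straight into a single command. Without "nohangup" the line is
! disconnected as soon as the autocommand finishes.
username fred privilege 1 password PLACEHOLDER-CHANGE-ME
username fred access-class 10
username fred autocommand show users
!
! Dial-in PPP user shared by up to three peers (the second question in the
! thread). user-maxlinks caps the inbound links counted against this
! username; "multilink bundle-name endpoint" keeps three unrelated callers
! that authenticate with the same name from being merged into one MLPPP
! bundle, as Aaron's reply recommends.
multilink bundle-name endpoint
username dialgroup password PLACEHOLDER-CHANGE-ME
username dialgroup user-maxlinks 3
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login authentication default
```

Two caveats a practitioner would check before relying on this. First, as the thread itself notes, user-maxlinks limits PPP links, not exec logins, and Aaron's last reply points out that enforcement on plain async (non-dialer) interfaces depends on the IOS release, so verify the behaviour on the actual image rather than assuming the counter applies. Second, on 11.3 the only password keyword available is password, which service password-encryption stores as a reversible type-7 string; later releases add a username ... secret form that stores a hash instead, and it is the one to prefer where the image supports it.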