topic Re: Maximum Concurrent User Sessions in Network Access Control

Maximum Concurrent User Sessions

nikhilcherian — Sun, 30 Sep 2018 18:02:59 GMT

I am trying to understand the Maximum Concurrent User Sessions from the below link & in my network

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/204463-Configure-Maximum-Concurrent-User-Sessio.html

As per the link, I understand once the guest user maximum limit is reached, the new device which tries to login should not be allowed to access network( based on newest or oldest connection configured ).

I configured maximum session as 2 & when my 3rd client tries to login, the user is given a warning saying "maximum number of clients is reached, do you wish to continue. " The moment continue is pressed, the 1st logged in MAC address is deleted from the ISE database. However all the 3 clients still continue to access wireless network

Is this expected

Regards

Nikhil

Re: Maximum Concurrent User Sessions

Jason Kunst — Sun, 30 Sep 2018 19:18:00 GMT

How are you authorizing guest endpoints? If you have a rule that permits guest endpoints access then it won’t matter if you’re using max concurrent user sessions. This only applies to devices that consistently login thru the guest portal

Read the remember me section of the guest deployment guide

https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

Re: Maximum Concurrent User Sessions

nikhilcherian — Mon, 01 Oct 2018 03:40:24 GMT

Hi Jason,

Thank you for the quick reply.

Yes I have configured remember me ( MAB) option, so that the users don't have to login again. However, I didn't understand how this is related to my issue. In my guest portal, I have mentioned to delete the Newest Connection & ISE is deleting the oldest mac from ENDpoint group & all 3 devices are still connected to the network

I have also created a rule for Max Session Reached, redirect to the Web-auth page. This is also not working . May be I am missing something, let me know

Regards

Nikhil

Re: Maximum Concurrent User Sessions

Jason Kunst — Mon, 01 Oct 2018 12:15:13 GMT

The 2 aren’t supposed to work together as likely there is no mechanism to kick the user off if the device is not currently in the guest flow (remember me which is straight mab)
Removing from guest endpoint group likely won’t remove the device radius session

Would recommend instead you disable remember me if you want that functionality
Or only allow them to register a few devices

Re: Maximum Concurrent User Sessions

paul — Mon, 01 Oct 2018 13:07:54 GMT

I haven't tested this recently, but if you set your maximum registered endpoints to 2 and a person tries to connect a 3rd one, the very first one should be deleted from the endpoint identity group. You should easily be able to see that by looking at the endpoints on the Context Visibility screen. Now just because an endpoint is deleted from the endpoint identity group doesn't mean they are kicked off wireless. That is two different things. You would have to remove them from the SSID on the WLC and see if ISE allows them to connect back again. They should get sent back to the portal on that first MAC address.

Re: Maximum Concurrent User Sessions

nikhilcherian — Mon, 01 Oct 2018 13:23:27 GMT

Below are things which I tried

I have configured guest portal with max 2 user session allowed
I have configured mab to do remember me
I have set the max user session to 2 & disconnect the newest connection
I have connected 2 users & both users haven't disconnected from the first connection
As per point #4, I expect the users are in the GUESTFLOW, with a RADIUS session & not a MAB flow
My 3rd user comes in ( I hope the 3rd user will be using GUEST user initially) & user is given warning of max device limit reached & the user click on the button to "Continue"
When the 3rd user comes in, 1st MAC is removed when I click on continue. I don't think, this is in agreement with my max user session
ISE also send a CoA to disconnect the 3rd client, which is expected as per the point #3

End result I get all the users in the network, which is not in agreement with the configuration

Re: Maximum Concurrent User Sessions

nikhilcherian — Mon, 01 Oct 2018 13:25:25 GMT

when I have selected the " Disconnect the newest connection " why the ISE is deleting the oldest mac

Re: Maximum Concurrent User Sessions

nikhilcherian — Tue, 02 Oct 2018 11:32:09 GMT

I could see a close match with an enhancement bug

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva34969/

Re: Maximum Concurrent User Sessions

Jason Kunst — Tue, 02 Oct 2018 11:44:51 GMT

Please work through the tac. Your experience doesn’t sound right

Re: Maximum Concurrent User Sessions

nikhilcherian — Tue, 02 Oct 2018 12:02:58 GMT

The bug was shared with me by the TAC