topic Re: ISE 2.2 Max Sessions with distributed PSNs in Network Access Control

ISE 2.2 Max Sessions with distributed PSNs

Greg Gibbs — Thu, 12 Apr 2018 06:43:18 GMT

Hi TME team,

I just need to confirm if there are any caveats related to multiple PSNs and a load balancer with the new ISE 2.2 feature for Max Sessions.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/204463-Configure-Maximum-Concurrent-User-Sessio.html

Does this feature still work correctly if multiple user/endpoint sessions happen to be sent to different PSNs by the load balancer?

Re: ISE 2.2 Max Sessions with distributed PSNs

hslai — Thu, 12 Apr 2018 07:07:29 GMT

This feature is currently per PSN but not globally. Global limits are in road map.

Re: ISE 2.2 Max Sessions with distributed PSNs

Greg Gibbs — Thu, 12 Apr 2018 07:16:05 GMT

Thanks Hsing for the quick response.

Maybe we can add a sticky rule in the F5 to send all sessions with the same RADIUS username to the same PSN.

Do you think that might be a valid workaround for the current limitation?

Re: ISE 2.2 Max Sessions with distributed PSNs

hslai — Thu, 12 Apr 2018 07:35:02 GMT

Yes, I believe your workaround should help.

Re: ISE 2.2 Max Sessions with distributed PSNs

Greg Gibbs — Sat, 14 Apr 2018 00:38:08 GMT

chyps, I wanted to run this by you since you have prior experience from writing the how-to guide with F5.

I was thinking about trying the following persistence logic in the F5 to work around this Max Session limitation in ISE.

if framed-protocol, then use username as persistence identifier

if not framed-protocol, then use calling-station-id with fallback to nas-ip-address as persistence identifier

Do you think this is feasible to do with an iRule?

If so, do you foresee any issues with this persistence config for any ISE flows?

The customer is deploying wired/wireless dot1x and wireless Guest, but no BYOD or Posture flows.

Re: ISE 2.2 Max Sessions with distributed PSNs

Craig Hyps — Tue, 17 Apr 2018 04:26:13 GMT

Since LB is not terminating the RADIUS session, I question if username will be available or consistent for Framed (802.1X) flows. For PEAP, the inner identity is not exposed and what is exposed is outer identity. For EAP-TLS, the username is often an logical extract from cert field.

Re: ISE 2.2 Max Sessions with distributed PSNs

Greg Gibbs — Tue, 17 Apr 2018 21:20:48 GMT

Thanks Craig. You make a good point.

It sounds like we might have to just change the persistence identifier to use the NAS-IP. It won't provide as much balancing as using the Calling-Station-ID, but it might be the best way to workaround this Max Sessions limitation for the Wireless endpoints.

Is that a fair statement, or can you think of anything else we can use as a persistence ID on the F5 to accomplish this?

Re: ISE 2.2 Max Sessions with distributed PSNs

Craig Hyps — Wed, 18 Apr 2018 11:08:30 GMT

Assuming same device used, then same user should be persisted to same PSN via Calling Station ID. As noted, there is a roadmap item. Plan is to extend feature to node group/PSN cluster but details and timing need to be communicated privately by ISE PM team.

Re: ISE 2.2 Max Sessions with distributed PSNs

Greg Gibbs — Wed, 18 Apr 2018 21:11:37 GMT

Thanks Craig. We're trying to ensure that sessions using different endpoints with the same username are stuck to the same PSN to be limited by the Max Sessions settings (particularly on Wireless), so it sounds like we'll have to use the NAS-IP for persistence ID.

I'll contact the ISE PMs for info on roadmap.