topic Re: ISE Guest - Configure Maximum Simultaneous Logins for Endpoint Users in Network Access Control

ISE Guest - Configure Maximum Simultaneous Logins for Endpoint Users

ben.posner — Fri, 21 Feb 2020 19:00:42 GMT

Has anyone got the configuration for ISE to limit the maximum simultaneous logins for endpoint users? I'm trying to limit the number of sessions our guest wireless accounts can have and am getting partial success.

example Wireless guest type i'm using has a session limit of 3. in the guest type setup it mentions that you need to check the online help for details on how to build an authZ policy to enforce this. it details setting up an authZ rule that uses the NetworkAccess.SessionLimitExceeded attribute and then setting up a new web redirection. I have done all this and can see in my Live Logs that the 4th login attempt for the guest user IS hitting the new authZ rule for the Session Limit Exceeded attribute and is supposed to be sent the new web redirection. all data from ISE points to this working correctly, except its not. the user gets in, does not get sent to page saying they've hit the limit and then are disconnected 30 seconds later due to the reauthentication timer setup in the authZ result.

so it seems like ISE is doing what its supposed to but my WLC's aren't. they are acknowledging the new reauth timer but NOT the URL redirect for the user.

Re: ISE Guest - Configure Maximum Simultaneous Logins for Endpoint Users

ben.posner — Wed, 11 Jul 2018 16:26:47 GMT

AuthZ Policy

Re: ISE Guest - Configure Maximum Simultaneous Logins for Endpoint Users

ben.posner — Wed, 11 Jul 2018 16:17:12 GMT

Addendum: I figured that my guest wifi config might be part of the problem. We use Anchors to send the guest ssid to a separate WLC behind a firewall for guest internet access. thought this might be complicating things so i re-configured my guest-test ssid to stay local to the WLC the test WAP is attached to.

and after an error getting thrown to me by the browser being unable to access the successful login page redirect and hitting refresh i got sent to the CWA portal and i'm seeing the notification i was expecting! so this seems to be a mobility anchor complication.

Re: ISE Guest - Configure Maximum Simultaneous Logins for Endpoint Users

ben.posner — Fri, 13 Jul 2018 15:20:45 GMT

addendum 2: moved test WAP and test SSID to the other WLC in the anchor setup and the redirect works there as well so it doesn't seem to be an ACL issue. both WLCs work when setup individually but when in Anchor mode they do not... strange. anyone have any ideas?

so this still doesn't work in a production Anchor configuration but will work with ssids running on single WLC setups. so still need help with this since i need it to work with my anchor setup.