topic Issue with max session limit and 3rd party NAD after abnormal session in Network Access Control

Issue with max session limit and 3rd party NAD after abnormal session

patrick.kofler — Thu, 23 Sep 2021 12:13:52 GMT

Hi all,

I encountered a weird issue today.

One of our clusters is running ISE 2.6 Patch 8 and is authenticating wireless clients that are connecting over a 3rd party NAD.

A session limit is imposed on users to only be able to connect with a certain number of devices and the same credentials.

The switch where the 3rd party APs are connected to experienced a power loss also affecting the APs due to PoE. This means there was no normal session termination. After they returned the user tried to connect their devices. The first one goes online, but the second device is running into the session limit, which is actually below the max limit. When I checked the live sessions as well as the active user reports I could only see the first device. AFAIK ISE also purges any old entries every 15 minutes. During testing we were already past that and it still did not allow the authentication to succeed

Some additional information, which I think is relevant:

The first device is authenticating via certificate over an external identity store. The second device authenticates via username and password from ISE's internal database.

Normally external identity stores do not count towards the max session limit. However, as I have recently learned, the max session limit does affect external identity stores as soon as the username matches with a username from the internal DB. This is the case.

So far this is the first time I encountered this issue. I cannot even say if it would also happen with Cisco APs. Also, what is the attribute that gets counted towards the session limit. MAC Address, Audit-Session-ID or something else?

Thanks

Best Regards,

Patrick

Re: Issue with max session limit and 3rd party NAD after abnormal sess

Marcelo Morais — Thu, 23 Sep 2021 14:52:57 GMT

Hi @patrick.kofler ,

please take a look at: Configure Maximum Concurrent User Sessions on ISE 2.2., search for Scenarios (Maximum Sessions per User and Maximum Session for Group).

"... ISE version 2.2 can detect and build enforcement policy based on the concurrent session of:

User Identity - limit number of sessions per specific user
Identity Group - limit number of sessions per specific group
User in a Group - limit number of sessions per user, that belongs to specific group..."

For User Identity:

"... To enable the feature (Maximum Sessions per User), uncheck Unlimited session per user checkbox, which is checked by default. In the Maximum per User Sessions field configure number of sessions specific user can have on each PSN...

Users from External Identity Sources (for example Active Directory) are affected by this configuration as well..."

For Identity Group:

"...This configuration (Maximum Session for Group) enforces 2 sessions as a maximum for Internal Identity Group GroupTest2: You are able to configure the enforcement per Group only for the Internal Groups..."

For User in a Group:

"... Corner Cases

If User Maximum Sessions is configured, both features work independently. In this example, User Max Sessions is set to 1 and Maximum Session for Group is set to 2... If the User is member of more than one Group at the same time and the Max Sessions for Group is configured for them, once connected ISE increases the counter of Max Session for Group cache for every group the user belongs to..."

Also take a look at this: CSCvv14390 Max Sessions Limit is not working for Users and Groups.

Symptom:
"... any basic max session policy gets ignored as it allows more sessions with the same account connected at the same time."
Known Affected Releases:
2.4(0.911), 2.6(0.908), 2.7(0.356), 3.0(0.902)
Known Fixed Releases:
3.0.0.458-Patch3, 2.7.0.356-Patch4, 2.6.0.156-Patch9, 2.4.0.357-Patch14

Hope this helps !!!

Re: Issue with max session limit and 3rd party NAD after abnormal sess

patrick.kofler — Fri, 24 Sep 2021 06:18:11 GMT

Hi @Marcelo Morais ,

thank you for the suggestion. The settings are unlimited for user, but limited at the group level. The user is only member of this one group with the limit.

The bug suggests the opposite of our problem. Instead of ignoring the max session limit the user could not go over one device, although the session limit is higher.

Best Regards,

Patrick

Re: Issue with max session limit and 3rd party NAD after abnormal sess

Marcelo Morais — Fri, 24 Sep 2021 22:16:26 GMT

Hi @patrick.kofler ,

ISE increments the SessionCounter only after it receives Accounting Start for the session:

2017-01-29 08:33:11,619 DEBUG [Thread-90][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Radius,DEBUG,0x7fe858766700,cntx=0000001503,sesn=pgruszczise22/275051099/9,CPMSessionID=0a3e944f00000e7d588da8a0,CallingStationID=c0-4a-00-14-56-f4,FramedIPAddress=10.62.148.141,RADIUS PACKET:: Code=4(AccountingRequest) Identifier=0 Length=279
[1] User-Name - value: [Bob] 
...
[40] Acct-Status-Type - value: [Start] 
[44] Acct-Session-Id - value: [588da8a0/c0:4a:00:14:56:f4/3789]
...

Max Session logs are located in the prrt-server.log. Set runtime-AAA component to DEBUG level (Administration > System > Logging > Debug Log Configuration > PSN) and check the result:

ise/admin# show logging application prrt-server.log
...
2017-01-29 08:33:11,655 DEBUG [Thread-83][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SessionCache,DEBUG,0x7fe858867700,cntx=0000001503,sesn=pgruszczise22/275051099/9,CPMSessionID=0a3e944f00000e7d588da8a0,user=Bob,CallingStationID=c0-4a-00-14-56-f4,FramedIPAddress=10.62.148.141,SessionCache::incrementSessionCounters: user=[Bob] current user session count=[1],SessionCache.cpp:862
2017-01-29 08:37:00,535 INFO [Thread-75][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SessionCache,INFO ,0x7fe858a69700,cntx=0000005011,sesn=pgruszczise22/275051099/15,CPMSessionID=0a3e944f00000e7f588da966,user=Bob,CallingStationID=34-ab-37-60-63-88,SessionCache::checkMaxSessions: user=[Bob] is not authorized because current active user sessions=[2] >= max-user-sessions=[2],SessionCache.cpp:1010

Please use this troubleshooting to check what is happening in your case.

Hope this helps !!!

Re: Issue with max session limit and 3rd party NAD after abnormal sess

hslai — Sat, 25 Sep 2021 00:11:31 GMT

The session counts can be reset per user.

Re: Issue with max session limit and 3rd party NAD after abnormal sess

patrick.kofler — Mon, 27 Sep 2021 06:21:26 GMT

Thanks for all your inputs! I will try those steps the next time it occurs and will post my findings afterwards. Thanks again!

Best Regards,

Patrick