topic Re: ISE Session Limit on a per SSID level in Network Access Control

ISE Session Limit on a per SSID level

Arne Bier — Tue, 01 Sep 2020 06:53:03 GMT

Hello

I have never used the ISE Max Session feature but I have a customer request to limit the number of times that a user can perform an EAP-PEAP authentication using the same identity (stored in ISE or in AD). I am sure this is easily done if I were to set the Limit to 1 (I know ISE maintains this session counter per-PSN .. but we are not using a load balancer, so this is less of a concern to me):

But that is a system-wide command which could impact other authentications where multiple concurrent logins for a user are allowed (e.g. a BYOD SSID using EAP-PEAP ... as an example).

Is there another way I could restrict the number of PEAP logins for a user for a particular SSID only, by using this condition in an Authorization Policy? It seems to be possible, but if SessionLimitExceeded is TRUE, then can I still override the System default of 1?

Re: ISE Session Limit on a per SSID level

emmanuel-md1 — Fri, 19 Aug 2022 16:30:36 GMT

Hi Arne,

I was wondering if you found a way to do this? I having the same challenge now.

Thanks,

Emmanuel.

Re: ISE Session Limit on a per SSID level

thomas — Sat, 20 Aug 2022 16:13:34 GMT

@Arne and @emmanuel-md1 ,

The Max Sessions features is limited to only ISE Internal Users and Identity Groups unfortunately. There is no other setting or policy option to limit this that I am aware of.

I would think the Catalyst WLC would offer such a limit for active users per SSID, AP, etc. but not by authentication protocol or other correlations.

As you can see there are a lot of potential correlations (per SSID, per protocol type, per SSID by protocol, etc.) so the best option would probably be to do a custom pxGrid integration with a server process that counts whatever combination you are looking for and perform a CoA on the exceeding sessions.

Re: ISE Session Limit on a per SSID level

Arne Bier — Sun, 21 Aug 2022 20:22:14 GMT

I also don't see an immediately obvious/easy way to do this in ISE. It would require some external system to keep track of this kind of session data and then send a CoA to the NAS (or have ISE trigger the CoA). A relatively easy way could be to send SYSLOG data to an external receiver that filters out all RADIUS Accounting records, looking for the Called-Station-ID (which typically contains the SSID) - and if found, keep a table of the connecting EAP clients (User-Name) - if found, then increment a counter if the Calling-Station-ID (MAC Address) is new and if > 1 then use REST API to ISE to send a CoA (if that's even possible). You'd have to keep an Array of sorts, containing the observed User-Name and the number of times you have seen a unique MAC address. And not to forget to decrement the count when you see Accounting Stop. What could possibly go wrong there ... ?? We might have some sympathy with ISE for how hard it is to keep track of its own sessions - the RADIUS data won't always be that reliable.

Enhancement request to the ISE Business Unit?