topic Re: ISE with F5 and Concurrent Sessions per User in Network Access Control

ISE with F5 and Concurrent Sessions per User

Teymur Aghayev — Mon, 11 Dec 2023 09:28:35 GMT

Hi Team,

I am, currently in the process of designing a network that requires specific limitations on the number of concurrent sessions per user, for example 3 sessions for regular employees and 6 sessions for managers. My understanding is that ISE can manage concurrent sessions per PSN node. However, in our configuration we have PSNs behind F5 load balancers.

So, as I understand, we need to ensure that all RADIUS requests for the same user are directed to the same PSN, additionally, we need to ensure that all RADIUS packets with the same Calling-Station-ID are also routed to the same PSN.

Is my understanding right and if yes how it can be implemented effectively.

Upon reviewing the available documentation and support community topics, I have not been able to find a solution that specifically addresses this requirement.

Thank you

Re: ISE with F5 and Concurrent Sessions per User

ahollifield — Mon, 11 Dec 2023 13:31:06 GMT

Where are the users? Local on ISE? AD? SAML IDP? Somewhere else?

Also what are the use-cases? Wired? Wireless? VPN? What is the auth method? Certificates? username/password? Machine and/or user authentication?

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

Re: ISE with F5 and Concurrent Sessions per User

Teymur Aghayev — Tue, 12 Dec 2023 11:28:18 GMT

The users are storred localy in ISE.

Access method is Wireless

Auth is 802.1x username/password

Re: ISE with F5 and Concurrent Sessions per User

ahollifield — Tue, 12 Dec 2023 12:41:19 GMT

Administration > System > Settings > Max Sessions

Re: ISE with F5 and Concurrent Sessions per User

Teymur Aghayev — Thu, 14 Dec 2023 12:21:43 GMT

The primary concern in our network setup is ensuring that RADIUS requests from the same user consistently land on the same PSN when routed through F5 load balancers. This is crucial for the proper functioning of the Max Sessions feature in Cisco ISE, which operates on a per-PSN basis. We are looking for a solution that guarantees this consistent routing. Additionally, we need to manage RADIUS packets with the same Calling-Station-ID in a similar manner, ensuring they are also directed to the same PSN.

Re: ISE with F5 and Concurrent Sessions per User

ahollifield — Thu, 14 Dec 2023 12:33:32 GMT

You should be able to do both of these things with F5 persistence in an irule. You can match on the username for example.