Cisco Employee

Limiting user login access

I know we can control the number of sessions per user.

Is there a way to alert if a user attempts more than one login, while policy permits multiple logins?

This would be ISE 2.3

Maybe Stealthwatch integration

7 REPLIES
Cisco Employee

Re: Limiting user login access

This was introduced in ISE 2.3.  Go to Administration > System > Settings > Max Sessions.

You can choose to enforce Maximum session based upon user, group

[Image: MaxSessionsPerUser.PNG]

This applies to Internal ISE Users and groups only.  Also the enforcement is the max PER POLICY NODE.  Here's the page in the Admin Guide:

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Manage Users and External Identity Sources [Cisco Ide…

Contributor

Re: Limiting user login access

ISE 2.2 supports this feature too.

Cisco Employee

Re: Limiting user login access

There is no alarm to alert on the same user logging in more than once.

Like Charles and Ognyan said, ISE 2.2+ has max sessions to limit per user, which applies to external users as well, and per internal-user-group. These settings are per PSN, unlike the guest max sessions, which are per deployment.
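An added example, not written by any poster in this thread and not ISE functionality: because the reply above says ISE has no alarm for this and that max-session limits are counted per PSN, the following Python shows alert-only detection of concurrent logins from accounting start/stop events gathered from all PSNs. The event tuples are constructed sample data (not an ISE log format), and `concurrent_login_alerts` is a hypothetical name.

```python
from collections import defaultdict

# Constructed sample events, NOT an ISE log format:
# (timestamp, event, user, session_id, psn)
EVENTS = [
    (100, "start", "alice", "s1", "psn-1"),
    (110, "start", "bob",   "s2", "psn-1"),
    (120, "start", "alice", "s3", "psn-2"),  # second login, on another PSN
    (130, "stop",  "alice", "s1", "psn-1"),
    (140, "start", "alice", "s4", "psn-2"),  # overlaps s3 on the same PSN
    (150, "stop",  "bob",   "s2", "psn-1"),
    (160, "start", "bob",   "s5", "psn-2"),  # sequential login, no overlap
]


def concurrent_login_alerts(events, threshold=1):
    """Alert (without blocking) when a user's active sessions exceed threshold.

    Sessions are tracked deployment-wide, so overlapping logins that land on
    different PSNs are still counted together.
    """
    active = defaultdict(dict)  # user -> {session_id: psn}
    alerts = []
    for ts, kind, user, sid, psn in sorted(events):
        sessions = active[user]
        if kind == "start":
            sessions[sid] = psn
            if len(sessions) > threshold:
                per_psn = defaultdict(int)
                for node in sessions.values():
                    per_psn[node] += 1
                alerts.append({
                    "time": ts,
                    "user": user,
                    "deployment_total": len(sessions),
                    # What a counter local to a single PSN would see at most.
                    "max_on_one_psn": max(per_psn.values()),
                })
        elif kind == "stop":
            sessions.pop(sid, None)  # tolerate a stop with no matching start
    return alerts


if __name__ == "__main__":
    for alert in concurrent_login_alerts(EVENTS):
        print(alert)
```

In the first alert the user has two sessions deployment-wide while no single PSN holds more than one, which is the case a per-PSN counter does not see.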

Cisco Employee

Re: Limiting user login access

Hi hslai,

Just to confirm, does the per-user limit also apply to RADIUS authentication? (802.1X, to be specific)

Thanks

Wing Churn

Cisco Employee

Re: Limiting user login access

That is correct. This is mainly used for RADIUS authentications.

It's not working well for T+, due to some existing bugs, such as CSCvg26552.

Cisco Employee

Re: Limiting user login access

Is this known to work with certificates as the external user database?

Is there anything planned to make this work across multiple PSNs using the MnT or some other solution?

Thanks!
Cisco Employee

Re: Limiting user login access

I have not tested it with certificates myself, but I expect it to work with the username/subject based on the cert auth profile(s).

Sure, we are looking into multiple PSNs. Please discuss your use cases and customer requirements with our PM.
