cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1107
Views
0
Helpful
4
Replies

Cisco ISE max session

Sp@wn
Beginner
Beginner

Hi,

We are using version 2.2 with latest patch in distributed deployment. We want to use max sessions feature but I am not sure about some tuning. After unchecking the unlimited session and setting a maximum of 3 sessions per user, in addition to if we limit the maximum session to 5 per group or per user within the group, which of these restrictions applies to the local user?

1 Accepted Solution

Accepted Solutions

Greg Gibbs
Cisco Employee
Cisco Employee

The User Max will take precedence. See the following TechNote for examples:

Configure Maximum Concurrent User Sessions on ISE 2.2 

 

Also note that the Max Session cache is not synced across PSNs. Using this feature in a large distributed deployment may have unpredictable effects if the user/group sessions can be spread across multiple PSNs.

 

Cheers,

Greg

View solution in original post

4 Replies 4

Greg Gibbs
Cisco Employee
Cisco Employee

The User Max will take precedence. See the following TechNote for examples:

Configure Maximum Concurrent User Sessions on ISE 2.2 

 

Also note that the Max Session cache is not synced across PSNs. Using this feature in a large distributed deployment may have unpredictable effects if the user/group sessions can be spread across multiple PSNs.

 

Cheers,

Greg

Hi  grgibbs,

 

Thanks for your answer. As a last question do you have any idea about max session effect on external proxy? I guess the setting on the external proxy should be valid in this regard, but does it have an overwhelming advantage here as in the local group?

 

I don't understand the question. Are you talking about a RADIUS Proxy or a network proxy?

As per the document shared, the Max Sessions applies to external identity sources as well, so session using a RADIUS Proxy would likely be affected.

If you're talking about a network proxy, that would be an independent system that ISE would not have any control over.

ofcourse I am talking about radius proxy. I was read the external identity part but I wanted to be sure. yesterday I had an opportunity to test it and saw that users coming via radius proxy are not affected by this feature.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers