I was engaged on another request with some similar questions, so wanted to update this thread as well.
The first screenshot shown above is due to the hard-coded browser timeout when you are first redirected to page. This is independent from the RADIUS session timeout. It's purpose is to trigger a fresh redirect after the login page has been left idle. Consider the following scenario...
- You attempt to access Google.com and are redirected to a PSN on a specific port and *session_id* for web login. (The session ID tells ISE which RADIUS session to link for the web request.)
- You walk away or work on another task without completing login and now the RADIUS session has timed out. In the process, MAB auth will occur again and redirect session to a new portal URL which will have a different session ID and possibly a different PSN based on load balancing.
- After returning to page (which appears as it did in step 1), you attempt to login but it fails with an invalid / missing session context.
The issue issue is that the browser is still pointing to the original redirect URL with the old session ID. The intent of this 5-minute browser timeout is to force user to click button which will send a web request to the retry URL (default 1.1.1.1). This will allow redirection to occur again to the updated redirect URL. (Note that since the stale URL pointed to a PSN, it was being allowed without redirection!)
In the original error above (screenshot #2), the endpoint should not have registered yet so would be good to get update on what TAC determined to be issue with Max Devices being triggered. Apparently ISE was tracking the first attempt even though never completed.
Regards, Craig
