ISE 2.2 Max Sessions for AD groups - possible?

Gustavo Novais
Level 1

Hello,

I'm looking for a way to implement max sessions for group/user, but using AD groups. Since the group mapping features have not been passed from ACS to ISE, is there any other way (via ISE attributes or any other mapping) to enforce that a member of AD has a specific limit on user sessions?

These would be 802.1x sessions.

A side effect is that if the limit is enforced globally, all groups (and AD too) are applied, even for TACACS...

Any idea is welcome.

Regards

Gustavo Novais

8 Replies

Yes, it's possible and you are in the right version. Please see this nice document.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/204463-Configure-Maximum-Concurrent-User-Sessio.html

Please remember to rate useful posts

Hi Mohammed,

I was aware of that document but only local groups are listed, no AD groups. The only reference to AD in the document is that external IS users would be subject to the restrictions, but it does not enumerate how to map AD groups. As for groups, the document clearly states "You are able to configure the enforcement per Group only for the Internal Groups."

I was wondering if there would be any policy element attribute that would expose current user sessions count to be checked against an AD attribute or even just an integer. Or an alternate way to map AD groups into internal groups.

Thanks

Gustavo

Daniel Stefani
Level 1

Hello Gustavo,

Did you find ways to do AD Group mapping and use Max Session for these groups?

Best Regards,

Daniel Stefani

Hi Daniel,

Not yet. Perhaps our TME friends in the forum can shed some light on whether the feature is at least foreseen?

jlhainy
Level 2
Hi all,
I have the same issue and the same question. Where is the group mapping feature that I used in ACS? I have opened a TAC case since I am right in the middle of building an ISE environment. It is the one thing I am having a hard time in migrating over. Everything is working as expected, including TACACS. So, I will be posting to you what I find out in my TAC case.

Hi,

Any news on this subject? Did you find a solution?

Thanks !

Hello,
No, not yet.

I have had some discussions with my Cisco account Rep and TAC. Here is what I have learned. I am currently running ISE 2.3. The Max user sessions setting is applied to ALL users, including users in external groups. So, what we did is we figured since there shouldn't be any users that are on more than one device at a time, we just turned on the setting.

What we have discovered is that when our network monitor logs in via TACACS to our switches, it kills it, because it tries to log in to many switches with the same creds at the same time and the max user session setting only allows x amount.

The max user session setting is global per ISE server, or per ISE cube if you have multiple servers clustered. So, what we had to do was build another ISE server for TACACS, with max user sessions off.

According to my Cisco Rep, getting this setting to work per AD group (in ACS it was called group mapping) is a very low priority, and it sounds like Cisco really doesn't care to re-introduce group mapping into ISE due to low demand. This is very unfortunate, as we paid a bunch of money to migrate to ISE, only to find that features were taken away.

On top of it all, we are seeing issues where ISE is applying max user sessions even though the client has no sessions and is stopping people from getting on. It appears to be a RADIUS accounting issue of some type and we are working with TAC on it. From a customer perspective, I paid a bunch of money to go to ISE and in return I got headaches and problems. This is not what I pay money for. I am not a fan of ISE at all.
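Nothing in the thread gets ISE itself to enforce Max Sessions per AD group, so the following is an added example, not code from the thread, from Cisco or from ISE: it shows what the per-AD-group check looks like when done out-of-band from exported accounting records, which is also a way to monitor the two failure modes the last post describes (a TACACS service account that legitimately holds many device sessions, and sessions that never receive a Stop and so keep counting against the user). The accounting records, the user-to-AD-group mapping, the per-group limits and the timestamps are all constructed sample data; the field names are this script's own and are not ISE attribute names.

```python
"""Out-of-band per-AD-group concurrent-session check built from accounting records.

Constructed example: ISE 2.2/2.3 enforces Max Sessions globally or per internal
group only, so this reproduces the per-AD-group version of the check outside ISE.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed accounting events (not ISE output). 'protocol' separates 802.1X
# (RADIUS accounting) sessions from TACACS+ device-administration sessions.
RECORDS = [
    {"time": "2018-03-01T08:00:00", "status": "Start", "user": "alice",  "session": "s1", "nas": "10.0.0.1", "protocol": "radius"},
    {"time": "2018-03-01T08:05:00", "status": "Start", "user": "alice",  "session": "s2", "nas": "10.0.0.2", "protocol": "radius"},
    {"time": "2018-03-01T08:01:00", "status": "Start", "user": "bob",    "session": "s3", "nas": "10.0.0.1", "protocol": "radius"},
    {"time": "2018-03-01T08:30:00", "status": "Stop",  "user": "bob",    "session": "s3", "nas": "10.0.0.1", "protocol": "radius"},
    {"time": "2018-03-01T08:10:00", "status": "Start", "user": "carol",  "session": "s4", "nas": "10.0.0.3", "protocol": "radius"},
    # Monitoring account logging in to several switches at once over TACACS+.
    {"time": "2018-03-01T08:15:00", "status": "Start", "user": "netmon", "session": "s5", "nas": "10.0.1.1", "protocol": "tacacs"},
    {"time": "2018-03-01T08:15:00", "status": "Start", "user": "netmon", "session": "s6", "nas": "10.0.1.2", "protocol": "tacacs"},
    {"time": "2018-03-01T08:15:00", "status": "Start", "user": "netmon", "session": "s7", "nas": "10.0.1.3", "protocol": "tacacs"},
    # Session whose Stop was never received: still counted a day later.
    {"time": "2018-02-28T07:00:00", "status": "Start", "user": "dave",   "session": "s8", "nas": "10.0.0.4", "protocol": "radius"},
]

# Constructed user -> AD group mapping (in a deployment this comes from AD lookups).
GROUPS = {"alice": "Staff", "bob": "Staff", "dave": "Staff",
          "carol": "Contractors", "netmon": "ServiceAccounts"}

# Constructed per-AD-group concurrent-session limits.
LIMITS = {"Staff": 1, "Contractors": 1, "ServiceAccounts": 1}

NOW = datetime.fromisoformat("2018-03-01T09:00:00")   # constructed evaluation time
MAX_AGE = timedelta(hours=24)                          # constructed staleness threshold


def active_sessions(records):
    """Return {user: {session_id: (start_time, protocol)}} for sessions that
    have a Start but no matching Stop, replaying events in time order."""
    active = defaultdict(dict)
    for rec in sorted(records, key=lambda r: r["time"]):
        user, sid = rec["user"], rec["session"]
        if rec["status"] == "Start":
            active[user][sid] = (datetime.fromisoformat(rec["time"]), rec["protocol"])
        elif rec["status"] == "Stop":
            active[user].pop(sid, None)
    return {user: sessions for user, sessions in active.items() if sessions}


def check_group_limits(active, group_of_user, limits, exempt_protocols=frozenset({"tacacs"})):
    """Return (user, group, count, limit) for every user whose non-exempt active
    sessions exceed the limit of their AD group. Exempting TACACS+ keeps a
    device-admin account that fans out to many switches from tripping a limit
    meant for 802.1X endpoints."""
    violations = []
    for user, sessions in sorted(active.items()):
        group = group_of_user.get(user)
        if group not in limits:
            continue  # no per-group limit configured for this user's group
        count = sum(1 for _, proto in sessions.values() if proto not in exempt_protocols)
        if count > limits[group]:
            violations.append((user, group, count, limits[group]))
    return violations


def stale_sessions(active, now, max_age):
    """Return (user, session_id) for sessions open longer than max_age with no
    Stop: the accounting symptom where a session the client no longer has is
    still counted against the user's limit."""
    return sorted((user, sid)
                  for user, sessions in active.items()
                  for sid, (start, _) in sessions.items()
                  if now - start > max_age)


if __name__ == "__main__":
    active = active_sessions(RECORDS)
    for user, group, count, limit in check_group_limits(active, GROUPS, LIMITS):
        print(f"over limit: {user} ({group}) has {count} sessions, limit {limit}")
    for user, sid in stale_sessions(active, NOW, MAX_AGE):
        print(f"stale session: {user} {sid} has no Stop for more than {MAX_AGE}")
```

Run against the constructed data, only alice is reported over her group's limit; netmon's three TACACS+ sessions are exempt and would only be flagged if `exempt_protocols` were emptied, which is the same effect the global ISE setting had on the monitoring account in the thread; dave's session from the previous day is reported as stale rather than as a limit violation.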