09-04-2017 02:06 AM - edited 02-21-2020 10:33 AM
Hello,
I'm looking for a way to implement max sessions per group/user, but using AD groups. Since the group mapping features have not been passed from ACS to ISE, is there any other way (via ISE attributes or any other mapping) to enforce that a member of an AD group has a specific limit on user sessions?
These would be 802.1x sessions.
A side effect is that if the limit is enforced globally, it applies to all groups (and AD too), even for TACACS...
Any idea is welcome.
Regards
Gustavo Novais
09-04-2017 06:18 AM
Yes, it's possible and you are on the right version. Please see this nice document.
Please remember to rate useful posts
09-04-2017 12:31 PM - edited 09-04-2017 12:33 PM
Hi Mohammed,
I was aware of that document, but only local groups are listed, no AD groups. The only reference to AD in the document is that external ISE users would be subject to the restrictions, but it does not enumerate how to map AD groups. As for groups, the document clearly states "You are able to configure the enforcement per Group only for the Internal Groups."
I was wondering if there would be any policy element attribute that would expose current user sessions count to be checked against an AD attribute or even just an integer. Or an alternate way to map AD groups into internal groups.
Thanks
Gustavo
11-27-2017 03:47 AM
Hello Gustavo,
Did you find a way to do AD group mapping and apply Max Sessions to these groups?
Best Regards,
Daniel Stefani
11-27-2017 06:30 AM
12-05-2017 03:18 PM
05-17-2018 05:55 AM
Hi,
Any news on this subject? Did you find a solution?
Thanks !
05-17-2018 05:57 AM
05-17-2018 07:24 AM
I have had some discussions with my Cisco account rep and TAC. Here is what I have learned. I am currently running ISE 2.3. The max user sessions setting is applied to ALL users, including users in external groups. So, since there shouldn't be any users that are on more than one device at a time, we just turned on the setting.
What we have discovered is that when our network monitor logs in via TACACS to our switches, it gets killed because it tries to log in to many switches with the same creds at the same time, and the max user session setting only allows x amount.
The max user session setting is global per ISE server, or per ISE cube if you have multiple servers clustered. So, what we had to do was build another ISE server for TACACS, with max user sessions off.
According to my Cisco rep, getting this setting to work per AD group (in ACS it was called group mapping) is a very low priority, and it sounds like Cisco really doesn't care to re-introduce group mapping into ISE due to low demand. This is very unfortunate, as we paid a bunch of money to migrate to ISE, only to find that features were taken away.
On top of it all, we are seeing issues where ISE is applying max user sessions even though the client has no sessions, and it is stopping people from getting on. It appears to be a RADIUS accounting issue of some type, and we are working with TAC on it. From a customer perspective, I paid a bunch of money to go to ISE and in return I got headaches and problems. This is not what I pay money for. I am not a fan of ISE at all.