
ISE 2.2 Max Sessions with distributed PSNs

Greg Gibbs
Cisco Employee

Hi TME team,

I just need to confirm if there are any caveats related to multiple PSNs and a load balancer with the new ISE 2.2 feature for Max Sessions.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/204463-Configure-Maximum-Concurrent-User-Sessio.html

Does this feature still work correctly if multiple user/endpoint sessions happen to be sent to different PSNs by the load balancer?

Accepted Solutions

hslai
Cisco Employee

This feature is currently per PSN, not global. Global limits are on the roadmap.


Thanks Hsing for the quick response.

Maybe we can add a sticky rule in the F5 to send all sessions with the same RADIUS username to the same PSN.

Do you think that might be a valid workaround for the current limitation?

Yes, I believe your workaround should help.

Greg Gibbs
Cisco Employee

chyps, I wanted to run this by you since you have prior experience from writing the how-to guide with F5.

I was thinking about trying the following persistence logic in the F5 to work around this Max Session limitation in ISE.

if framed-protocol, then use username as persistence identifier

if not framed-protocol, then use calling-station-id with fallback to nas-ip-address as persistence identifier

Do you think this is feasible to do with an iRule?

If so, do you foresee any issues with this persistence config for any ISE flows?

The customer is deploying wired/wireless dot1x and wireless Guest, but no BYOD or Posture flows.

Since the LB is not terminating the RADIUS session, I question if username will be available or consistent for Framed (802.1X) flows. For PEAP, the inner identity is not exposed and what is exposed is the outer identity. For EAP-TLS, the username is often a logical extract from a cert field.

Thanks Craig. You make a good point.

It sounds like we might have to just change the persistence identifier to use the NAS-IP. It won't provide as much balancing as using the Calling-Station-ID, but it might be the best way to work around this Max Sessions limitation for the Wireless endpoints.

Is that a fair statement, or can you think of anything else we can use as a persistence ID on the F5 to accomplish this?

Assuming the same device is used, the same user should be persisted to the same PSN via Calling-Station-ID. As noted, there is a roadmap item. The plan is to extend the feature to node group/PSN cluster, but details and timing need to be communicated privately by the ISE PM team.

Thanks Craig. We're trying to ensure that sessions using different endpoints with the same username are stuck to the same PSN to be limited by the Max Sessions settings (particularly on Wireless), so it sounds like we'll have to use the NAS-IP for persistence ID.

I'll contact the ISE PMs for info on roadmap.
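Added example, not part of the thread and not Cisco or F5 code: a Python model of the three persistence keys discussed above, showing which ones keep one user's sessions on a single PSN so the per-PSN Max Sessions count sees them all. The packets, PSN names, mode names and the round-robin pinning in `spread` are constructed assumptions; the Framed-Protocol test follows the rule as written in the thread.

```python
import socket, struct
USER_NAME, NAS_IP, FRAMED_PROTOCOL, CALLING_STATION_ID = 1, 4, 7, 31  # RFC 2865 types

def build_request(user, mac, nas_ip, framed=True):
    """Constructed Access-Request: 20-byte header, then type/length/value attributes."""
    attrs = [(USER_NAME, user.encode()), (CALLING_STATION_ID, mac.encode()),
             (NAS_IP, socket.inet_aton(nas_ip))]
    if framed:
        attrs.append((FRAMED_PROTOCOL, struct.pack("!I", 1)))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, 0, 20 + len(body), bytes(16)) + body

def parse_attrs(packet):
    """Return {type: first value} for the attributes, rejecting malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length or packet[i + 1] < 2 or i + packet[i + 1] > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(packet[i], packet[i + 2:i + packet[i + 1]])
        i += packet[i + 1]
    return attrs

def persistence_key(packet, mode="thread_rule"):
    """Thread's rule: User-Name if framed, else Calling-Station-Id, else NAS-IP."""
    a = parse_attrs(packet)
    nas = socket.inet_ntoa(a[NAS_IP]) if NAS_IP in a else None
    if mode == "nas_ip":
        return nas
    if mode == "thread_rule" and FRAMED_PROTOCOL in a and USER_NAME in a:
        return a[USER_NAME].decode().lower()
    return a.get(CALLING_STATION_ID, b"").decode() or nas  # also mode calling_station

def spread(packets, mode, psns=("psn1", "psn2")):
    """Pin each new key to the next PSN round-robin; return the PSN picked per packet."""
    table = {}
    return [table.setdefault(persistence_key(p, mode), psns[len(table) % len(psns)])
            for p in packets]

# Constructed input: alice on two devices, then bob, all behind NAS 10.0.0.5. PEAP
# exposes only the outer identity, which can differ per device for the same user.
MACS = ["AA-AA-AA-AA-AA-01", "AA-AA-AA-AA-AA-02", "BB-BB-BB-BB-BB-01"]
TLS = [build_request(u, m, "10.0.0.5") for u, m in zip(["alice", "alice", "bob"], MACS)]
PEAP = [build_request(u, m, "10.0.0.5")
        for u, m in zip(["anonymous", "anon@example.com", "anonymous"], MACS)]

if __name__ == "__main__":
    for mode in ("thread_rule", "calling_station", "nas_ip"):
        print(mode, spread(TLS, mode), spread(PEAP, mode))
```

With a visible username, `thread_rule` keeps both of alice's devices on one PSN; with PEAP outer identities or with Calling-Station-ID they are split across PSNs, and only NAS-IP pins everything behind that NAS to a single PSN.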
