04-11-2018 11:43 PM
Hi TME team,
I just need to confirm if there are any caveats related to multiple PSNs and a load balancer with the new ISE 2.2 feature for Max Sessions.
Does this feature still work correctly if multiple user/endpoint sessions happen to be sent to different PSNs by the load balancer?
04-12-2018 12:07 AM
This feature is currently per PSN but not globally. Global limits are in road map.
04-12-2018 12:16 AM
Thanks Hsing for the quick response.
Maybe we can add a sticky rule in the F5 to send all sessions with the same RADIUS username to the same PSN.
Do you think that might be a valid workaround for the current limitation?
04-12-2018 12:35 AM
Yes, I believe your workaround should help.
04-13-2018 05:38 PM
chyps, I wanted to run this by you since you have prior experience from writing the how-to guide with F5.
I was thinking about trying the following persistence logic in the F5 to work around this Max Session limitation in ISE.
if framed-protocol, then use username as persistence identifier
if not framed-protocol, then use calling-station-id with fallback to nas-ip-address as persistence identifier
Do you think this is feasible to do with an iRule?
If so, do you foresee any issues with this persistence config for any ISE flows?
The customer is deploying wired/wireless dot1x and wireless Guest, but no BYOD or Posture flows.
04-16-2018 09:26 PM
Since the LB is not terminating the RADIUS session, I question if username will be available or consistent for Framed (802.1X) flows. For PEAP, the inner identity is not exposed and what is exposed is the outer identity. For EAP-TLS, the username is often a logical extract from a cert field.
04-17-2018 02:20 PM
Thanks Craig. You make a good point.
It sounds like we might have to just change the persistence identifier to use the NAS-IP. It won't provide as much balancing as using the Calling-Station-ID, but it might be the best way to work around this Max Sessions limitation for the Wireless endpoints.
Is that a fair statement, or can you think of anything else we can use as a persistence ID on the F5 to accomplish this?
04-18-2018 04:08 AM
Assuming same device used, then same user should be persisted to same PSN via Calling Station ID. As noted, there is a roadmap item. Plan is to extend feature to node group/PSN cluster but details and timing need to be communicated privately by ISE PM team.
04-18-2018 02:11 PM
Thanks Craig. We're trying to ensure that sessions using different endpoints with the same username are stuck to the same PSN to be limited by the Max Sessions settings (particularly on Wireless), so it sounds like we'll have to use the NAS-IP for persistence ID.
I'll contact the ISE PMs for info on roadmap.
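For readers who want to see what the persistence logic discussed above looks like in practice, here is an added example iRule; it is not code from this thread, from Cisco, or from the F5 how-to guide. It implements the second branch of the proposed logic (key on Calling-Station-Id, fall back to NAS-IP-Address) and drops the username branch, since the replies point out that the User-Name seen by the LB is only the PEAP outer identity or a certificate-derived string for EAP-TLS. The AVP numbers are the standard RFC 2865 types (4 = NAS-IP-Address, 31 = Calling-Station-Id). It assumes a UDP virtual server with a RADIUS profile attached (so `RADIUS::avp` is available), Datagram LB enabled on the UDP profile so each datagram is evaluated, and a universal persistence profile that references this iRule; the one-hour timeout is an arbitrary choice.

```tcl
# Added example, not from the thread: F5 universal persistence iRule that
# keys RADIUS authentication and accounting on Calling-Station-Id (AVP 31),
# falling back to NAS-IP-Address (AVP 4) when the NAS did not send one.
# Assumes: UDP virtual server, RADIUS profile, Datagram LB enabled, and a
# universal persistence profile pointing at this iRule.
when CLIENT_ACCEPTED {
    # Prefer the endpoint identity. ISE receives the same Calling-Station-Id
    # in Access-Request and Accounting-Request, so both land on the same PSN.
    set key [RADIUS::avp 31 "string"]

    if { $key ne "" } {
        # NAS vendors format the MAC differently (aa-bb-cc-dd-ee-ff,
        # aabb.ccdd.eeff, AA:BB:...). Normalise to lowercase hex so one
        # endpoint maps to one key regardless of which NAS reported it.
        regsub -all {[^0-9a-fA-F]} $key "" key
        set key [string tolower $key]
    } else {
        # No Calling-Station-Id: stick everything from this NAS to one PSN.
        # This is also the behaviour the thread settles on for wireless,
        # where all sessions of one user on any device must share a PSN.
        set key [RADIUS::avp 4 "ip4"]
    }

    # Nothing usable in the packet: let the normal LB method pick a PSN.
    if { $key eq "" } { return }

    # Same key -> same PSN; persistence record expires after 3600 seconds
    # (assumed value; align it with the ISE session/accounting timers).
    persist uie $key 3600
}
```

To get the NAS-IP-only behaviour chosen at the end of the thread, replace the first `set key` with `set key [RADIUS::avp 4 "ip4"]` and drop the MAC normalisation; balancing then happens per switch or controller rather than per endpoint, which is the trade-off noted above. Whatever key is chosen, the per-PSN Max Sessions counter only sees the sessions that key routes to that PSN, so the persistence key defines the scope of the limit.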