03-09-2018 12:23 PM
University with ISE for Wireless deployment using 802.1x using to AD domains one for students and another for faculty, they need to limit their devices to only 2 and faculty to 4. ISE can only set device limit as a global parameter and cannot be set per group policy,
Usually students sometimes login from more than 4 or 5 devices per day and sometimes their credentials show more than 50 devices.
the university want to only allow 2 devices logged-in within 24 hours, even if student logout, they can only login with same authenticated devices for that day. Any idea or suggestions?
03-09-2018 09:12 PM
You can limit the number of concurrent sessions per user in a group and have different limits for each group. So you can have a Students group with maximum sessions per users set to 2 and a Faculty group with maximum sessions per user set to 4.
See the following for configuration details:
Configure Maximum Concurrent User Sessions on ISE 2.2 - Cisco
03-13-2018 08:14 AM
The max concurrent sessions added in ISE 2.2 can be considered but it's per PSN and not tying to the same authenticated devices.
ISE BYOD is currently has only one device limit but not by groups, as you already found. Perhaps, you may give faculty two user accounts each?
With ISE MyDevices portals, the users can manage the device registration themselves. If the university wants to limit login with the same authenticated devices for that day, then MyDevices portal access needs to be restricted, as well.
Another idea is to use ISE guest services instead. ISE is limiting device registration and concurrent sessions per guest types.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide