ben.posner
Beginner

ISE Guest - Configure Maximum Simultaneous Logins for Endpoint Users

Has anyone got the configuration for ISE to limit the maximum simultaneous logins for endpoint users? I'm trying to limit the number of sessions our guest wireless accounts can have and am getting partial success.

 

The example wireless guest type I'm using has a session limit of 3. In the guest type setup it mentions that you need to check the online help for details on how to build an authZ policy to enforce this. It details setting up an authZ rule that uses the NetworkAccess.SessionLimitExceeded attribute and then setting up a new web redirection. I have done all this and can see in my Live Logs that the 4th login attempt for the guest user IS hitting the new authZ rule for the Session Limit Exceeded attribute and is supposed to be sent the new web redirection. All data from ISE points to this working correctly, except it's not. The user gets in, does not get sent to a page saying they've hit the limit, and then is disconnected 30 seconds later due to the reauthentication timer set up in the authZ result.

So it seems like ISE is doing what it's supposed to but my WLCs aren't. They are acknowledging the new reauth timer but NOT the URL redirect for the user.

 

 

3 REPLIES
ben.posner
Beginner

AuthZ Policy

 

LiveLog.jpg

 

livelog-detail.jpg

 

wlc-session.jpg

Addendum: I figured that my guest wifi config might be part of the problem. We use Anchors to send the guest SSID to a separate WLC behind a firewall for guest internet access. Thought this might be complicating things so I re-configured my guest-test SSID to stay local to the WLC the test WAP is attached to.

And after an error getting thrown to me by the browser being unable to access the successful login page redirect and hitting refresh, I got sent to the CWA portal and I'm seeing the notification I was expecting! So this seems to be a mobility anchor complication.

success-local.jpg

 

Addendum 2: Moved test WAP and test SSID to the other WLC in the anchor setup and the redirect works there as well, so it doesn't seem to be an ACL issue. Both WLCs work when set up individually but when in Anchor mode they do not... strange. Anyone have any ideas?

So this still doesn't work in a production Anchor configuration but will work with SSIDs running on single WLC setups. So still need help with this since I need it to work with my anchor setup.
