
ISE Max Sessions feature for 802.1X auth

Arne Bier
VIP

Hello

I am looking for the ability to limit the number of concurrent user authentications for 802.1X (EAP-TLS) sessions from the same user. I thought of using the Max Sessions feature below.

After reading an earlier thread on this ISE feature (Max user session policy), I was unsure whether this would work or not.

What is unclear from the ISE GUI, and of course from the Admin Guide, is WHAT constitutes a 'session' (what RADIUS attributes are used)?

How can I see how many sessions a user has already consumed?


6 Replies

hslai
Cisco Employee

This feature is per-PSN so you may check the active session report and group the session by PSN and by username.

Is there a clear definition of what attributes make up a unique session? E.g. I would assume the key index would be the User-Name? If Max Sessions is set to 5, then authentication will be allowed for 5 unique authentications where the User-Name is the same but the Calling-Station-Id is unique - is that about right?

And are session counts decremented by Accounting Stop? I see there is a Counter Time Limit which I could use to age out the sessions if no accounting records are sent?

This is not a roadmap question ... but has it been considered/discussed before to make this Max Sessions limit apply across all PSNs in a deployment? This would make sense in cases where PSNs are behind a load balancer and we can't easily steer a user to one PSN to enforce that limit.

ISE RADIUS sessions are keyed off Endpoint IDs, which are either the Calling-Station-Id or the MAC address, in case the AnyConnect VPN module and ASA are able to get that info to ISE. Configure Maximum Concurrent Sessions has the info on ISE max sessions.

If max sessions per user is set to 5 sessions while unlimited per group, then the same user-name is allowed up to 5 on the same PSN.

Yes, a RADIUS accounting stop will remove the session from the ISE session directory. On the other hand, the counter time limit will clear the counters but has no effect on the sessions.

We do not discuss roadmaps in this forum.
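To make the two answers above concrete, here is a small Python model of the behaviour hslai describes. It is an added illustration written for this thread, not ISE code or a Cisco tool, and every behaviour it encodes is an assumption drawn from the replies: each PSN keeps its own session directory keyed by the Endpoint ID (the normalised Calling-Station-Id MAC), the per-user limit is checked only on the PSN that receives the authentication, an Accounting-Stop removes the session (the model also assumes it decrements the counter, which the thread does not state), and the Counter Time Limit resets the counter without touching the session directory. The two-PSN round-robin load balancer, the user names and the MAC addresses are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Psn:
    """One Policy Service Node with its own session directory and Max Sessions counters.

    Assumption (from the thread): enforcement is per PSN, so two PSNs never share state.
    """
    name: str
    max_sessions_per_user: int
    # session directory: username -> set of Endpoint IDs (normalised Calling-Station-Id)
    sessions: dict = field(default_factory=lambda: defaultdict(set))
    # per-user counters consulted by the Max Sessions check (assumed separate from the directory)
    counters: dict = field(default_factory=lambda: defaultdict(int))

    @staticmethod
    def endpoint_id(calling_station_id: str) -> str:
        # Normalise MAC formatting so "aa-bb-cc-dd-ee-ff" and "AA:BB:CC:DD:EE:FF" are one endpoint.
        return calling_station_id.replace(":", "").replace("-", "").replace(".", "").upper()

    def authenticate(self, username: str, calling_station_id: str) -> bool:
        """Return True for Access-Accept, False for Access-Reject on the Max Sessions check."""
        ep = self.endpoint_id(calling_station_id)
        if ep in self.sessions[username]:
            return True  # re-authentication of an existing endpoint is not a new session
        if self.counters[username] >= self.max_sessions_per_user:
            return False
        self.sessions[username].add(ep)
        self.counters[username] += 1
        return True

    def accounting_stop(self, username: str, calling_station_id: str) -> None:
        """Accounting-Stop removes the session from the directory (per hslai's reply)."""
        ep = self.endpoint_id(calling_station_id)
        if ep in self.sessions[username]:
            self.sessions[username].remove(ep)
            # Assumption: the counter follows the directory; never let it go negative.
            self.counters[username] = max(0, self.counters[username] - 1)

    def counter_time_limit_expired(self, username: str) -> None:
        """Counter Time Limit: counter cleared, session directory untouched (per hslai's reply)."""
        self.counters[username] = 0


def active_sessions_by_psn_and_user(psns):
    """Active sessions grouped by PSN and username, the view hslai suggests for checking usage."""
    return {p.name: {u: len(eps) for u, eps in p.sessions.items() if eps} for p in psns}


def load_balanced_scenario(max_per_user: int = 5, endpoints: int = 12):
    """One user brings `endpoints` distinct MACs through a round-robin LB to two PSNs.

    Shows why a per-PSN limit of 5 lets the same user reach 10 sessions deployment-wide.
    """
    psns = [Psn("psn1", max_per_user), Psn("psn2", max_per_user)]
    macs = [f"00:11:22:33:44:{i:02X}" for i in range(endpoints)]  # constructed sample MACs
    accepted = 0
    for i, mac in enumerate(macs):
        if psns[i % 2].authenticate("alice", mac):  # round-robin: even -> psn1, odd -> psn2
            accepted += 1
    return accepted, active_sessions_by_psn_and_user(psns)


def counter_vs_directory_scenario():
    """Shows the Counter Time Limit clearing the counter while sessions remain in the directory."""
    psn = Psn("psn1", max_sessions_per_user=2)
    psn.authenticate("bob", "AA:BB:CC:00:00:01")
    psn.authenticate("bob", "AA:BB:CC:00:00:02")
    rejected = not psn.authenticate("bob", "AA:BB:CC:00:00:03")  # third endpoint hits the limit
    psn.counter_time_limit_expired("bob")
    after_timer = (psn.counters["bob"], len(psn.sessions["bob"]))  # counter 0, 2 sessions still present
    accepted_after_timer = psn.authenticate("bob", "AA:BB:CC:00:00:03")  # limit no longer blocks
    psn.accounting_stop("bob", "AA:BB:CC:00:00:01")  # stop removes that session from the directory
    after_stop = (psn.counters["bob"], len(psn.sessions["bob"]))
    return rejected, after_timer, accepted_after_timer, after_stop


if __name__ == "__main__":
    print(load_balanced_scenario())
    print(counter_vs_directory_scenario())
```

The load-balanced scenario is the point Arne raises: with two PSNs each enforcing 5, the same User-Name ends up with 10 active sessions across the deployment, which the per-PSN report only reveals when you group by both PSN and username. The second scenario separates the two controls hslai distinguishes: ageing out the counter re-opens the limit without removing anything from the session directory, so only Accounting-Stop actually shrinks the session list.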

Nick3
Cisco Employee

Is there a way to get the max sessions for group and max sessions for user in group to work with external identity stores?


From the TechNotes it sounds like it works only for internal identity, please confirm if this only works for internal identity.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/204463-Configure-Maximum-Concurrent-User-Sessio.html#anc10


If so, besides BYOD, are there other options to restrict sessions from an external identity source?

hslai
Cisco Employee

Correct. This is currently for Internal Users only.

phyowaitun
Level 1

Dear friends and experts,


I am using ISE v3.0. In this version, can I limit max sessions for users/groups from AD?

Best and regards,

Phyo.