ISE Session Limit on a per SSID level

Arne Bier (VIP)

Hello


I have never used the ISE Max Session feature but I have a customer request to limit the number of times that a user can perform an EAP-PEAP authentication using the same identity (stored in ISE or in AD). I am sure this is easily done if I were to set the Limit to 1 (I know ISE maintains this session counter per-PSN, but we are not using a load balancer, so this is less of a concern to me):

[Screenshot: ise session max.PNG]

But that is a system-wide command which could impact other authentications where multiple concurrent logins for a user are allowed (e.g. a BYOD SSID using EAP-PEAP ... as an example).


Is there another way I could restrict the number of PEAP logins for a user for a particular SSID only, by using this condition in an Authorization Policy? It seems to be possible, but if SessionLimitExceeded is TRUE, then can I still override the System default of 1?

[Screenshot: ise session exceeded boolean.PNG]

3 Replies

emmanuel-md1 (Level 1)

Hi Arne,

I was wondering if you found a way to do this? I am having the same challenge now.


Thanks, 

Emmanuel.

thomas (Cisco Employee)

@Arne and @emmanuel-md1 ,

The Max Sessions feature is limited to only ISE Internal Users and Identity Groups unfortunately. There is no other setting or policy option to limit this that I am aware of.

I would think the Catalyst WLC would offer such a limit for active users per SSID, AP, etc. but not by authentication protocol or other correlations.

As you can see there are a lot of potential correlations (per SSID, per protocol type, per SSID by protocol, etc.) so the best option would probably be to do a custom pxGrid integration with a server process that counts whatever combination you are looking for and perform a CoA on the exceeding sessions.


I also don't see an immediately obvious/easy way to do this in ISE. It would require some external system to keep track of this kind of session data and then send a CoA to the NAS (or have ISE trigger the CoA). A relatively easy way could be to send syslog data to an external receiver that filters out all RADIUS Accounting records, looking for the Called-Station-ID (which typically contains the SSID) - and if found, keep a table of the connecting EAP clients (User-Name) - if found, then increment a counter if the Calling-Station-ID (MAC Address) is new and if > 1 then use the REST API to ISE to send a CoA (if that's even possible). You'd have to keep an array of sorts, containing the observed User-Name and the number of times you have seen a unique MAC address. And not to forget to decrement the count when you see Accounting Stop. What could possibly go wrong there ... ?? We might have some sympathy with ISE for how hard it is to keep track of its own sessions - the RADIUS data won't always be that reliable.

Enhancement request to the ISE Business Unit?
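The external session counter sketched in the last reply, written out as an added example (this is not code from the thread, from Cisco, or from ISE). It keys on the SSID carried in Called-Station-ID, keeps a per-User-Name table of distinct Calling-Station-ID MACs learned from Accounting Start (and Interim-Update, so a session whose Start was missed is still counted), forgets a MAC on Accounting Stop, and raises a CoA decision when a new MAC pushes the user over the limit. Assumptions: the syslog lines are constructed to mimic the `Key=Value,` attribute layout of an ISE `CISE_RADIUS_Accounting` record rather than captured from a real PSN; the Called-Station-ID value is `<AP-or-WLC-MAC>:<SSID>` as a WLC sends it; and `send_coa` is a hypothetical callback, because the thread does not settle how the CoA would actually be issued to ISE or the NAS.

```python
"""Per-SSID concurrent-session limiter fed by RADIUS accounting syslog (illustrative)."""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# ISE writes RADIUS attributes into the accounting syslog as "Key=Value, Key=Value, ..."
ATTR_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]*)")


def parse_accounting(line: str) -> Optional[Dict[str, str]]:
    """Return the attribute map of a RADIUS accounting line, or None for any other syslog message."""
    if "CISE_RADIUS_Accounting" not in line:
        return None
    return dict(ATTR_RE.findall(line.split("CISE_RADIUS_Accounting", 1)[1]))


def ssid_of(called_station_id: str) -> str:
    """WLCs send Called-Station-ID as '<MAC>:<SSID>'; the SSID is whatever follows the last ':'."""
    return called_station_id.rsplit(":", 1)[1] if ":" in called_station_id else ""


def normalize_mac(mac: str) -> str:
    """Canonicalise 'aa-bb-cc-00-00-01', 'AABBCC000001' and 'aa:bb:...' to one key."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        return mac.upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


CoaAction = Tuple[str, str, str]  # (User-Name, MAC, Acct-Session-Id) that should be disconnected


class SsidSessionLimiter:
    """Counts distinct client MACs per User-Name on one SSID and flags sessions over the limit."""

    def __init__(self, ssid: str, max_sessions: int = 1,
                 send_coa: Optional[Callable[[str, str, str], None]] = None):
        self.ssid = ssid
        self.max_sessions = max_sessions
        self.send_coa = send_coa or (lambda user, mac, sid: None)  # hypothetical CoA hook
        self.sessions: Dict[str, Dict[str, str]] = defaultdict(dict)  # user -> {mac: Acct-Session-Id}
        self.coa_sent: List[CoaAction] = []

    def active_count(self, user: str) -> int:
        return len(self.sessions.get(user, {}))

    def process(self, line: str) -> Optional[CoaAction]:
        attrs = parse_accounting(line)
        if not attrs or ssid_of(attrs.get("Called-Station-ID", "")) != self.ssid:
            return None  # not accounting, or a different SSID (e.g. the BYOD WLAN): out of scope
        user, status = attrs.get("User-Name"), attrs.get("Acct-Status-Type")
        mac, sid = normalize_mac(attrs.get("Calling-Station-ID", "")), attrs.get("Acct-Session-Id", "")
        if not user or not mac:
            return None
        if status in ("Start", "Interim-Update"):
            table = self.sessions[user]
            if mac in table:            # re-auth or roam of a device already counted: no change
                table[mac] = sid
                return None
            table[mac] = sid
            if len(table) > self.max_sessions:
                action = (user, mac, sid)
                self.send_coa(*action)
                self.coa_sent.append(action)
                return action
        elif status == "Stop":
            table = self.sessions.get(user)
            if table is not None:       # a Stop with no matching Start is simply ignored
                table.pop(mac, None)
                if not table:
                    del self.sessions[user]
        return None


def _rec(status: str, user: str, mac: str, ssid: str, sid: str) -> str:
    """Constructed syslog text in the shape of an ISE accounting record (not a captured log)."""
    return (f"<182>Jan 10 10:00:01 ise-psn1 CISE_RADIUS_Accounting 0000001 1 0 "
            f"Acct-Status-Type={status}, User-Name={user}, Calling-Station-ID={mac}, "
            f"Called-Station-ID=00-11-22-33-44-55:{ssid}, Acct-Session-Id={sid}, NAS-IP-Address=10.0.0.5,")


SAMPLE_LOG = [
    _rec("Start", "jdoe", "aa-bb-cc-00-00-01", "Corp-Secure", "s1"),    # first device: allowed
    _rec("Start", "jdoe", "AA:BB:CC:00:00:02", "Corp-Secure", "s2"),    # second device: over the limit
    _rec("Start", "jdoe", "aabbcc000003", "BYOD-Devices", "s3"),        # other SSID: not counted
    _rec("Stop", "jdoe", "aa-bb-cc-00-00-02", "Corp-Secure", "s2"),     # NAS tears down the CoA'd session
    _rec("Start", "jdoe", "AA-BB-CC-00-00-01", "Corp-Secure", "s1b"),   # re-auth of device 1: no change
    _rec("Stop", "asmith", "aa-bb-cc-00-00-09", "Corp-Secure", "s9"),   # Stop without Start: ignored
    _rec("Stop", "jdoe", "aa-bb-cc-00-00-01", "Corp-Secure", "s1b"),    # device 1 leaves
    _rec("Start", "jdoe", "aa-bb-cc-00-00-02", "Corp-Secure", "s10"),   # device 2 alone: allowed now
]


def run(lines: List[str], ssid: str = "Corp-Secure", max_sessions: int = 1) -> SsidSessionLimiter:
    limiter = SsidSessionLimiter(ssid, max_sessions)
    for line in lines:
        limiter.process(line)
    return limiter


if __name__ == "__main__":
    lim = run(SAMPLE_LOG)
    print("CoA decisions:", lim.coa_sent)
    print("active sessions:", dict(lim.sessions))
```

On the sample above only the second record triggers a CoA decision, for `jdoe` on `AA:BB:CC:00:00:02`; the BYOD record never touches the table, the re-authentication of an already-counted MAC does not double count, and the orphan Stop for `asmith` is dropped rather than driving a counter negative. Missed Stops remain the weak point the reply warns about: a session that never sends Stop stays counted until something external ages it out, so a production version would also expire entries after the Interim-Update interval lapses.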