ISE with F5 and Concurrent Sessions per User

Teymur Aghayev
Level 1

Hi Team,

I am currently in the process of designing a network that requires specific limitations on the number of concurrent sessions per user, for example 3 sessions for regular employees and 6 sessions for managers. My understanding is that ISE can manage concurrent sessions per PSN node. However, in our configuration we have PSNs behind F5 load balancers.

So, as I understand, we need to ensure that all RADIUS requests for the same user are directed to the same PSN. Additionally, we need to ensure that all RADIUS packets with the same Calling-Station-ID are also routed to the same PSN.

Is my understanding right, and if yes, how can it be implemented effectively?

Upon reviewing the available documentation and support community topics, I have not been able to find a solution that specifically addresses this requirement.

Thank you

1 Accepted Solution

Administration > System > Settings > Max Sessions

5 Replies

Where are the users?  Local on ISE?  AD?  SAML IDP?  Somewhere else? 

Also what are the use-cases?  Wired?  Wireless?  VPN?  What is the auth method?  Certificates?  username/password?  Machine and/or user authentication?

https://community.cisco.com/t5/security-documents/how-to-ask-the-community-for-help/ta-p/3704356

The users are stored locally in ISE.

Access method is Wireless

Auth is 802.1x username/password

Administration > System > Settings > Max Sessions

Teymur Aghayev
Level 1

The primary concern in our network setup is ensuring that RADIUS requests from the same user consistently land on the same PSN when routed through F5 load balancers. This is crucial for the proper functioning of the Max Sessions feature in Cisco ISE, which operates on a per-PSN basis. We are looking for a solution that guarantees this consistent routing. Additionally, we need to manage RADIUS packets with the same Calling-Station-ID in a similar manner, ensuring they are also directed to the same PSN.

You should be able to do both of these things with F5 persistence in an iRule. You can match on the username for example.
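
A sketch of the kind of persistence iRule the last reply describes, added here as an example and not posted by anyone in the thread. It assumes a UDP virtual server with a RADIUS profile attached (so `RADIUS::avp` is available) and universal persistence; the timeout value and the key prefixes are assumptions.

```tcl
when CLIENT_DATA {
    # Lifetime of the persistence record in seconds.
    # Assumed value; align it with your session and reauthentication timers.
    set persist_ttl 28800

    # RADIUS attribute 1 = User-Name, 31 = Calling-Station-Id (RFC 2865).
    # Normalize case so "Alice" and "alice" share one persistence record.
    set user [string tolower [string trim [RADIUS::avp 1 "string"]]]
    set mac  [string toupper [string trim [RADIUS::avp 31 "string"]]]

    if { $user ne "" } {
        # Primary key: the username. Every device of the same user is sent
        # to the same PSN, which is what a per-PSN session count needs.
        persist uie "user:$user" $persist_ttl
    } elseif { $mac ne "" } {
        # Fallback: packets that carry no User-Name still stick per endpoint.
        persist uie "mac:$mac" $persist_ttl
    } else {
        # Last resort: stick on the RADIUS client (NAS) address.
        persist uie "nas:[IP::client_addr]" $persist_ttl
    }
}
```

With 802.1X the User-Name attribute carries the EAP outer identity, so supplicants configured with an anonymous outer identity would all share one key. Accounting packets also need to carry User-Name for the same key to apply to them.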