
Issue with max session limit and 3rd party NAD after abnormal session

patrick.kofler
Level 1

Hi all,

 

I encountered a weird issue today.

One of our clusters is running ISE 2.6 Patch 8 and is authenticating wireless clients that are connecting over a 3rd party NAD.

A session limit is imposed on users to only be able to connect with a certain number of devices and the same credentials.

The switch that the 3rd party APs are connected to experienced a power loss, which also affected the APs due to PoE. This means there was no normal session termination. After they returned, the user tried to connect their devices. The first one goes online, but the second device is running into the session limit, which is actually below the max limit. When I checked the live sessions as well as the active user reports, I could only see the first device. AFAIK ISE also purges any old entries every 15 minutes. During testing we were already past that and it still did not allow the authentication to succeed.

 

Some additional information, which I think is relevant:

The first device is authenticating via certificate over an external identity store. The second device authenticates via username and password from ISE's internal database.

Normally external identity stores do not count towards the max session limit. However, as I have recently learned, the max session limit does affect external identity stores as soon as the username matches with a username from the internal DB. This is the case.

So far this is the first time I encountered this issue. I cannot even say if it would also happen with Cisco APs. Also, what is the attribute that gets counted towards the session limit: MAC Address, Audit-Session-ID or something else?

Thanks

 

Best Regards,

Patrick

5 Replies

Hi @patrick.kofler ,

Please take a look at: Configure Maximum Concurrent User Sessions on ISE 2.2, and search for Scenarios (Maximum Sessions per User and Maximum Session for Group).

"... ISE version 2.2 can detect and build enforcement policy based on the concurrent session of:

User Identity - limit number of sessions per specific user
Identity Group - limit number of sessions per specific group
User in a Group - limit number of sessions per user, that belongs to specific group..."

For User Identity:

"... To enable the feature (Maximum Sessions per User), uncheck Unlimited session per user checkbox, which is checked by default. In the Maximum per User Sessions field configure number of sessions specific user can have on each PSN...

Users from External Identity Sources (for example Active Directory) are affected by this configuration as well..."

For Identity Group:

"...This configuration (Maximum Session for Group) enforces 2 sessions as a maximum for Internal Identity Group GroupTest2: You are able to configure the enforcement per Group only for the Internal Groups..."

For User in a Group:

"... Corner Cases

If User Maximum Sessions is configured, both features work independently. In this example, User Max Sessions is set to 1 and Maximum Session for Group is set to 2... If the User is member of more than one Group at the same time and the Max Sessions for Group is configured for them, once connected ISE increases the counter of Max Session for Group cache for every group the user belongs to..."

 

Also take a look at this: CSCvv14390 Max Sessions Limit is not working for Users and Groups.

Symptom:
"... any basic max session policy gets ignored as it allows more sessions with the same account connected at the same time."
Known Affected Releases:
2.4(0.911), 2.6(0.908), 2.7(0.356), 3.0(0.902)
Known Fixed Releases:
3.0.0.458-Patch3, 2.7.0.356-Patch4, 2.6.0.156-Patch9, 2.4.0.357-Patch14

 

Hope this helps !!!

Hi @Marcelo Morais ,

 

Thank you for the suggestion. The settings are unlimited for user, but limited at the group level. The user is only a member of this one group with the limit.

The bug suggests the opposite of our problem. Instead of ignoring the max session limit, the user could not go over one device, although the session limit is higher.

 

Best Regards,

Patrick

Hi @patrick.kofler ,

ISE increments the SessionCounter only after it receives Accounting Start for the session:

 

2017-01-29 08:33:11,619 DEBUG [Thread-90][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- Radius,DEBUG,0x7fe858766700,cntx=0000001503,sesn=pgruszczise22/275051099/9,CPMSessionID=0a3e944f00000e7d588da8a0,CallingStationID=c0-4a-00-14-56-f4,FramedIPAddress=10.62.148.141,RADIUS PACKET:: Code=4(AccountingRequest) Identifier=0 Length=279
[1] User-Name - value: [Bob]
...
[40] Acct-Status-Type - value: [Start]
[44] Acct-Session-Id - value: [588da8a0/c0:4a:00:14:56:f4/3789]
...

Max Session logs are located in the prrt-server.log. Set runtime-AAA component to DEBUG level (Administration > System > Logging > Debug Log Configuration > PSN) and check the result:

 

ise/admin# show logging application prrt-server.log
...
2017-01-29 08:33:11,655 DEBUG [Thread-83][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SessionCache,DEBUG,0x7fe858867700,cntx=0000001503,sesn=pgruszczise22/275051099/9,CPMSessionID=0a3e944f00000e7d588da8a0,user=Bob,CallingStationID=c0-4a-00-14-56-f4,FramedIPAddress=10.62.148.141,SessionCache::incrementSessionCounters: user=[Bob] current user session count=[1],SessionCache.cpp:862
2017-01-29 08:37:00,535 INFO [Thread-75][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SessionCache,INFO ,0x7fe858a69700,cntx=0000005011,sesn=pgruszczise22/275051099/15,CPMSessionID=0a3e944f00000e7f588da966,user=Bob,CallingStationID=34-ab-37-60-63-88,SessionCache::checkMaxSessions: user=[Bob] is not authorized because current active user sessions=[2] >= max-user-sessions=[2],SessionCache.cpp:1010

 

Please use this troubleshooting to check what is happening in your case.

 

Hope this helps !!!
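An added example, not from this thread or from Cisco, that walks the prrt-server.log excerpt quoted above: it parses the SessionCache lines, records which endpoints actually incremented a user's counter, and flags a user whose denial reports more active sessions than this log window ever saw start, which is the symptom a session left behind by an abnormal termination would produce. The regex patterns and the "stale suspects" heuristic are my own assumptions about the log format, not an ISE API.

```python
import re
from collections import defaultdict

# Constructed sample: the two prrt-server.log lines quoted in the reply above, verbatim.
SAMPLE_LOG = """\
2017-01-29 08:33:11,655 DEBUG [Thread-83][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SessionCache,DEBUG,0x7fe858867700,cntx=0000001503,sesn=pgruszczise22/275051099/9,CPMSessionID=0a3e944f00000e7d588da8a0,user=Bob,CallingStationID=c0-4a-00-14-56-f4,FramedIPAddress=10.62.148.141,SessionCache::incrementSessionCounters: user=[Bob] current user session count=[1],SessionCache.cpp:862
2017-01-29 08:37:00,535 INFO [Thread-75][] cisco.cpm.prrt.impl.PrRTLoggerImpl -:::::- SessionCache,INFO ,0x7fe858a69700,cntx=0000005011,sesn=pgruszczise22/275051099/15,CPMSessionID=0a3e944f00000e7f588da966,user=Bob,CallingStationID=34-ab-37-60-63-88,SessionCache::checkMaxSessions: user=[Bob] is not authorized because current active user sessions=[2] >= max-user-sessions=[2],SessionCache.cpp:1010
"""

# Patterns are assumptions derived from the quoted lines, not a documented ISE format.
INC_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:,]+) .*?CallingStationID=(?P<mac>[0-9A-Fa-f-]+).*?"
    r"incrementSessionCounters: user=\[(?P<user>[^\]]+)\] current user session count=\[(?P<count>\d+)\]"
)
DENY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:,]+) .*?CallingStationID=(?P<mac>[0-9A-Fa-f-]+).*?"
    r"checkMaxSessions: user=\[(?P<user>[^\]]+)\] is not authorized because "
    r"current active user sessions=\[(?P<active>\d+)\] >= max-user-sessions=\[(?P<max>\d+)\]"
)


def parse_session_cache(log_text):
    """Per user: MACs whose Accounting Start incremented the counter, the last
    counter value ISE logged, and every max-sessions denial with the denied MAC."""
    report = defaultdict(lambda: {"counted_macs": set(), "last_count": 0, "denials": []})
    for line in log_text.splitlines():
        m = INC_RE.search(line)
        if m:
            entry = report[m["user"]]
            entry["counted_macs"].add(m["mac"])
            entry["last_count"] = int(m["count"])
            continue
        m = DENY_RE.search(line)
        if m:
            report[m["user"]]["denials"].append(
                {"ts": m["ts"], "mac": m["mac"], "active": int(m["active"]), "max": int(m["max"])})
    return dict(report)


def stale_counter_suspects(report):
    """Heuristic: a user denied with an active count higher than the number of
    distinct endpoints this log window ever counted. The surplus is a session
    ISE still holds but never saw start here, e.g. one left over from an outage
    with no Accounting Stop. Run it over a window that covers the whole incident."""
    return sorted(u for u, e in report.items()
                  if any(d["active"] > len(e["counted_macs"]) for d in e["denials"]))
```

In the quoted excerpt Bob's counter only ever reached 1 in the log, yet the second endpoint is denied at active=2, so Bob is reported as a stale-counter suspect; that is the case where the per-user reset mentioned below applies.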

hslai
Cisco Employee

The session counts can be reset per user.


patrick.kofler
Level 1

Thanks for all your inputs! I will try those steps the next time it occurs and will post my findings afterwards. Thanks again!

 

Best Regards,

Patrick
