09-30-2018 11:02 AM
I am trying to understand the Maximum Concurrent User Sessions from the below link & in my network
As per the link, I understand that once the guest user maximum limit is reached, the new device which tries to log in should not be allowed to access the network (based on newest or oldest connection configured).
I configured maximum session as 2 & when my 3rd client tries to log in, the user is given a warning saying "maximum number of clients is reached, do you wish to continue." The moment Continue is pressed, the 1st logged-in MAC address is deleted from the ISE database. However, all 3 clients still continue to access the wireless network.
Is this expected?
Regards
Nikhil
- Labels: Identity Services Engine (ISE)
Accepted Solutions

09-30-2018 12:18 PM
Read the remember me section of the guest deployment guide
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

10-01-2018 05:15 AM
Removing from the guest endpoint group likely won’t remove the device's RADIUS session.
Would recommend instead you disable remember me if you want that functionality,
or only allow them to register a few devices.


09-30-2018 08:40 PM
Hi Jason,
Thank you for the quick reply.
Yes, I have configured the remember me (MAB) option, so that the users don't have to log in again. However, I didn't understand how this is related to my issue. In my guest portal, I have mentioned to delete the Newest Connection & ISE is deleting the oldest MAC from the endpoint group & all 3 devices are still connected to the network.
I have also created a rule for Max Session Reached, redirect to the Web-auth page. This is also not working. Maybe I am missing something, let me know.
Regards
Nikhil

10-01-2018 06:23 AM
Below are the things which I tried:
1. I have configured the guest portal with max 2 user sessions allowed
2. I have configured MAB to do remember me
3. I have set the max user session to 2 & disconnect the newest connection
4. I have connected 2 users & both users haven't disconnected from the first connection
5. As per point #4, I expect the users are in the GUESTFLOW, with a RADIUS session & not a MAB flow
6. My 3rd user comes in (I hope the 3rd user will be using GUEST user initially) & the user is given a warning of max device limit reached & the user clicks on the button to "Continue"
7. When the 3rd user comes in, the 1st MAC is removed when I click on Continue. I don't think this is in agreement with my max user session
8. ISE also sends a CoA to disconnect the 3rd client, which is expected as per point #3

End result: I get all the users in the network, which is not in agreement with the configuration.

10-01-2018 06:07 AM
I haven't tested this recently, but if you set your maximum registered endpoints to 2 and a person tries to connect a 3rd one, the very first one should be deleted from the endpoint identity group. You should easily be able to see that by looking at the endpoints on the Context Visibility screen. Now just because an endpoint is deleted from the endpoint identity group doesn't mean they are kicked off wireless. Those are two different things. You would have to remove them from the SSID on the WLC and see if ISE allows them to connect back again. They should get sent back to the portal on that first MAC address.
10-01-2018 06:25 AM
When I have selected "Disconnect the newest connection", why is ISE deleting the oldest MAC?
10-02-2018 04:32 AM
I could see a close match with an enhancement bug

10-02-2018 05:02 AM
The bug was shared with me by the TAC
