Maximum Concurrent User Sessions

nikhilcherian (Level 5)

I am trying to understand Maximum Concurrent User Sessions from the link below & in my network:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/204463-Configure-Maximum-Concurrent-User-Sessio.html

As per the link, I understand that once the guest user maximum limit is reached, the new device which tries to login should not be allowed to access the network (based on whether the newest or oldest connection is configured to be disconnected).

I configured the maximum sessions as 2 & when my 3rd client tries to login, the user is given a warning saying "maximum number of clients is reached, do you wish to continue." The moment Continue is pressed, the 1st logged-in MAC address is deleted from the ISE database. However, all 3 clients still continue to access the wireless network.

Is this expected?

Regards

Nikhil

9 Replies

Jason Kunst (Cisco Employee)

How are you authorizing guest endpoints? If you have a rule that permits guest endpoints access then it won’t matter if you’re using max concurrent user sessions. This only applies to devices that consistently login through the guest portal.

Read the remember me section of the guest deployment guide

https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

Hi Jason,

Thank you for the quick reply.

Yes, I have configured the remember me (MAB) option, so that the users don't have to login again. However, I didn't understand how this is related to my issue. In my guest portal, I have selected to delete the Newest Connection & ISE is deleting the oldest MAC from the endpoint group & all 3 devices are still connected to the network.

I have also created a rule for Max Session Reached, redirect to the Web-auth page. This is also not working. Maybe I am missing something; let me know.

 

Regards

Nikhil

The 2 aren’t supposed to work together as likely there is no mechanism to kick the user off if the device is not currently in the guest flow (remember me which is straight mab)
Removing from guest endpoint group likely won’t remove the device radius session

Would recommend instead you disable remember me if you want that functionality
Or only allow them to register a few devices

Below are the things which I tried:

  1. I have configured the guest portal with a maximum of 2 user sessions allowed.
  2. I have configured MAB to do remember me.
  3. I have set the max user sessions to 2 & disconnect the newest connection.
  4. I have connected 2 users & both users haven't disconnected from the first connection.
  5. As per point #4, I expect the users are in the GUESTFLOW, with a RADIUS session & not a MAB flow.
  6. My 3rd user comes in (I hope the 3rd user will be using GUEST user initially) & the user is given a warning of max device limit reached & the user clicks on the button to "Continue".
  7. When the 3rd user comes in, the 1st MAC is removed when I click on Continue. I don't think this is in agreement with my max user session setting.
  8. ISE also sends a CoA to disconnect the 3rd client, which is expected as per point #3.

End result: I get all the users in the network, which is not in agreement with the configuration.

I haven't tested this recently, but if you set your maximum registered endpoints to 2 and a person tries to connect a 3rd one, the very first one should be deleted from the endpoint identity group. You should easily be able to see that by looking at the endpoints on the Context Visibility screen. Now just because an endpoint is deleted from the endpoint identity group doesn't mean they are kicked off wireless. That is two different things. You would have to remove them from the SSID on the WLC and see if ISE allows them to connect back again. They should get sent back to the portal on that first MAC address.
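The replies above make a distinction worth checking mechanically: membership in the guest endpoint identity group and a live RADIUS session on the WLC are two separate states, and only a CoA changes the second one. The following is an added example, not code from the thread or from Cisco; it models the portal setting (max 2 sessions, disconnect the newest or oldest connection), picks the session that setting says should be dropped, and audits a constructed set of sessions for a user whose MAC was removed from the group but is still connected. The `Session` fields, the `victim` and `audit` names and the MAC addresses are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Portal settings from the thread: 2 sessions per guest, "Disconnect the newest connection"
MAX_SESSIONS = 2
POLICY = "newest"          # or "oldest"

@dataclass
class Session:
    user: str
    mac: str
    started: datetime
    in_guest_group: bool   # still a member of the guest endpoint identity group?
    radius_active: bool    # does the WLC still hold a live RADIUS session for this MAC?

def victim(existing, new, policy=POLICY):
    """Return the session the portal setting says should be disconnected when
    `new` logs in while `existing` already fills the limit."""
    if policy == "newest":
        return new                                  # the device that just logged in
    return min(existing, key=lambda s: s.started)   # the oldest existing connection

def audit(sessions, max_sessions=MAX_SESSIONS):
    """Flag users whose enforcement did not actually remove network access."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    findings = []
    for user, sess in by_user.items():
        active = [s for s in sess if s.radius_active]
        if len(active) > max_sessions:
            findings.append((user, "over_limit", len(active)))
        for s in sess:
            # Group removal without a CoA: the MAC is gone from ISE but still on the WLC
            if not s.in_guest_group and s.radius_active:
                findings.append((user, "removed_but_still_connected", s.mac))
    return findings

# Constructed sample reproducing the observation in the thread (not real ISE data)
def T(h, m): return datetime(2020, 1, 1, h, m)
SAMPLE = [
    Session("nikhil", "AA:BB:CC:00:00:01", T(9, 0), in_guest_group=False, radius_active=True),
    Session("nikhil", "AA:BB:CC:00:00:02", T(9, 5), in_guest_group=True, radius_active=True),
    Session("nikhil", "AA:BB:CC:00:00:03", T(9, 10), in_guest_group=True, radius_active=True),
]

if __name__ == "__main__":
    existing, new = SAMPLE[:2], SAMPLE[2]
    print("should have been disconnected:", victim(existing, new).mac)
    for finding in audit(SAMPLE):
        print(finding)
```

Run against a real export of Context Visibility plus the WLC client table, the two findings are the signals to hand to TAC: more live sessions than the limit, and a MAC that ISE forgot but the WLC did not.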

When I have selected "Disconnect the newest connection", why is ISE deleting the oldest MAC?

Please work through the TAC. Your experience doesn’t sound right.

The bug was shared with me by the TAC