
multiple session with single username ISE3.0 in wired connection

shrijan
Level 1

Hello Everyone,

 

Let's say I have created user "cafe" and I want to use the same username on multiple desktops for dot1x authentication. Is it possible?

 

I am using ISE 3.0

 

Thanks.

Shrijan

1 Accepted Solution


Hi @shrijan ,

What you said makes sense to me.

Please take a look at: Configure Maximum Concurrent User Sessions on ISE 2.2; search for Scenarios (Maximum Sessions per User and Maximum Session for Group).

"... ISE version 2.2 can detect and build enforcement policy based on the concurrent session of:

User Identity - limit number of sessions per specific user
Identity Group - limit number of sessions per specific group
User in a Group - limit number of sessions per user, that belongs to specific group..."

For User Identity:

"... To enable the feature (Maximum Sessions per User), uncheck Unlimited session per user checkbox, which is checked by default. In the Maximum per User Sessions field configure number of sessions specific user can have on each PSN...

Users from External Identity Sources (for example Active Directory) are affected by this configuration as well..."

For Identity Group:

"...This configuration (Maximum Session for Group) enforces 2 sessions as a maximum for Internal Identity Group GroupTest2: You are able to configure the enforcement per Group only for the Internal Groups..."

For User in a Group:

"... Corner Cases

If User Maximum Sessions is configured, both features work independently. In this example, User Max Sessions is set to 1 and Maximum Session for Group is set to 2... If the User is member of more than one Group at the same time and the Max Sessions for Group is configured for them, once connected ISE increases the counter of Max Session for Group cache for every group the user belongs to..."

 

Hope this helps !!!
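
The counter behaviour quoted in this answer, as an added example that is not part of the original post and is not Cisco ISE code. It is a simplified model: the class, function, user and group names are hypothetical, and the group rejection message is constructed (only the 22089 text comes from the thread).

```python
# Simplified model of the quoted Max Sessions rules; not Cisco ISE code.
from collections import Counter

UNLIMITED = None  # models the "Unlimited" checkbox
REJECT_USER = "22089 New user session not permitted. Max sessions user limit has been reached"


class PsnSessionCache:
    """Counters held by one PSN (the quoted text: limits apply 'on each PSN')."""

    def __init__(self, user_max=UNLIMITED, group_max=None):
        self.user_max = user_max          # single per-user limit
        self.group_max = group_max or {}  # internal group -> limit
        self.user_count = Counter()
        self.group_count = Counter()

    def authenticate(self, user, groups=()):
        # Per-user check: applies to internal and external (e.g. AD) users.
        if self.user_max is not UNLIMITED and self.user_count[user] >= self.user_max:
            return REJECT_USER
        # Per-group checks run independently of the per-user check.
        for group in groups:
            limit = self.group_max.get(group, UNLIMITED)
            if limit is not UNLIMITED and self.group_count[group] >= limit:
                return f"group limit reached: {group}"  # constructed message
        # Admitted: count the session for the user and for every group.
        self.user_count[user] += 1
        for group in groups:
            self.group_count[group] += 1
        return "PERMIT"


def replay(cache, attempts):
    return [cache.authenticate(user, groups) for user, groups in attempts]


def thread_settings():
    # Settings from the thread: User = 1, Group = unlimited, two desktops.
    return replay(PsnSessionCache(user_max=1), [("cafe", ()), ("cafe", ())])


def multi_group():
    # Constructed groups and users: bob is a member of both groups.
    cache = PsnSessionCache(group_max={"GroupA": 2, "GroupB": 1})
    return replay(cache, [("alice", ("GroupA",)), ("bob", ("GroupA", "GroupB")),
                          ("carol", ("GroupB",)), ("dave", ("GroupA",))])


if __name__ == "__main__":
    print(thread_settings())
    print(multi_group())
```

In the multi-group run, bob's single session consumes a slot in both groups, so carol and dave are refused even though neither has a session of their own.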


15 Replies 15

Amine ZAKARIA
Spotlight

@shrijan ,

 

Yes, it is possible. You don't have to enable anything; by default the maximum concurrent user is unlimited (assuming the user is internal).

 

Hope that helps!

Hi Amine,

 

Yes, you are right; when I checked, the user maximum session is unlimited by default. But still it is not working.

Any clue?

 

Thanks.

 

Regards,

Shrijan

@shrijan ,

 

What do the RADIUS live logs show?

 

 

@Amine

It shows:

Event : 5400 Authentication failed

Failure Reason: 22089 New user session not permitted. Max sessions user limit has been reached

@shrijan ,

 

Can you confirm there's no change in Max Sessions User/Group?

Did you try to set max sessions to, like, 10 sessions?

 

GROUPS.JPG


@Amine

Hmm, under the User tab, instead of unlimited I have set it to 1, and under the Group tab I have set it to unlimited.

 

 

 

Now let's say, with my same settings, if I cannot connect multiple PCs with a single username over wired or dot1x, then how come with the same settings (User session as 1 and Group session as unlimited) a single username is working for 10 mobile devices in wireless?

 

Thanks..

 

Shrijan

@shrijan ,

 

So after changing to Unlimited did it resolve your problem?

 

Which method are you using to authenticate to wireless? Through the guest portal, or an EAP tunneled method?

 

--

Don't forget to rate helpful posts.

@Amine,

I have not tried changing to unlimited yet... duh.

For wireless authentication, for the AD group (Domain) I am using EAP, and for those people who are not staff or simply not in AD, I am using the Guest Portal.

Hmm, how come (still confused) one username is working for wireless and not for wired with the setting of 1 session per user and unlimited sessions in group?

 

Thanks.

Shrijan

@shrijan ,

 

If you are using Guest Portal (Self Registered Or Sponsor Portal), please go to Work Centers -> Guest Access -> Portal & Components -> Guest Types choose the Guest Type associated with that Portal and verify this option :

 

GROUPS.JPG


@Amine

 

Thanks for the reply but looks like we are going off the topic.

 

I was asking why I cannot use a single (the same) username in the wired network for more than one device. For wired I have configured 802.1x with MAB as failover.

Whereas I can use a single (the same) username for wireless mobile. Though the settings I have are 1 session per user and unlimited for Group, I can still have multiple sessions for mobile devices, meaning one username and password can connect with multiple mobile devices.

 

Thanks.

Shrijan

Hi @shrijan ,

The Failure Reason 22089 is a message from the Authentication Flow Diagnostic; please check Operations > Reports > Reports > Diagnostics > AAA Diagnostics for more details.

 

Hope this helps !!!

Hi @shrijan ,

Also take a look at this: CSCvv14390 Max Sessions Limit is not working for Users and Groups.

Symptom:
"... any basic max session policy gets ignored as it allows more sessions with the same account connected at the same time."
Known Affected Releases:
2.4(0.911), 2.6(0.908), 2.7(0.356), 3.0(0.902)
Known Fixed Releases:
3.0.0.458-Patch3, 2.7.0.356-Patch4, 2.6.0.156-Patch9, 2.4.0.357-Patch14

 

Hope this helps !!!

@Marcelo Morais 

 

Thank you for the info.

 

I am not sure if this is true, but it just came to mind and I am sharing it. Kindly advise if this is how it works or if this is just a coincidence?

1) Users from Active Directory for BYOD (mobile phone).
          These AD users are not from the local group database. So, the 1 session per user is working here. All the AD users are not inherited from any group, let's say.

2) Users are inherited from a local group.

          So that's why, if I set 10 sessions inside the group, the same or single username can be used for up to 10 different sessions.

So, session per user and session per group are working separately. Is this true?

 

Shrijan
