10-19-2022 12:34 PM
Hi Cisco community, I have tested the "Max Sessions" feature. I understood that this option limits the SSH or Telnet connections per user; however, I created a Python script using netmiko and saw more sessions successfully established.
Could you explain this feature? I want to block SSH/Telnet max sessions per user and set a limit.
ISE: 2.7
Labels: Identity Services Engine (ISE)
10-19-2022 12:38 PM - edited 10-19-2022 12:41 PM
That is for RADIUS sessions. Not for SSH connections to ISE.
https://community.cisco.com/t5/network-access-control/ise-v3-0-max-concurent-sessions/td-p/4413212
10-19-2022 12:55 PM
Thanks ahollifield, I want to block ssh/telnet sessions per user when a limit set by me is reached. Can I do this from the ISE server?
10-19-2022 01:01 PM
So do you mean for TACACS+ authentications to network devices (switch, router, etc.) or for SSH to ISE itself?
10-19-2022 01:12 PM
TACACS+ authentications to network devices. I want to set a limit for SSH or Telnet connections to the devices.
10-19-2022 01:15 PM - edited 10-19-2022 01:16 PM
This should work for TACACS+ but I've never personally tested it. What is the authentication source? AD? Local? Something else? This also requires Accounting to be properly configured so ISE can monitor the active sessions accurately.
10-19-2022 01:33 PM
I am using the Local authentication source, but I changed the value and it doesn't block sessions.
10-19-2022 01:43 PM
Do you have TACACS+ accounting configured?
10-19-2022 04:23 PM - edited 10-19-2022 04:24 PM
Thanks for your support. I found a bug in my version (ISE 2.7 patch 2); I will install the upgrade and tell you later.
10-20-2022 07:56 AM
Hi @croonos23 ,
I would like to add just one thing ... please take a look at: Configure Maximum Concurrent User Sessions on ISE 2.2, special attention to:
" ... Enforcement and count of a Concurrent Session is unique and managed by each PSN. There is no synchronization between the PSNs in terms of session count. Concurrent Session feature is implemented in the runtime process and data is stored only in memory. In case of PSN restart, MaxSessions counters reset... "
Hope this helps !!!
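
An added example (not from the thread or from Cisco), built on the quoted statement that each PSN counts sessions on its own: it replays accounting start/stop records and reports users whose total across PSNs exceeds the limit even though every single PSN stayed within it. The record layout, PSN names, users and the limit of 2 are constructed for illustration and are not ISE's log format.

```python
from collections import defaultdict

# Constructed sample accounting records (NOT ISE's real log format):
# (time, psn, user, session_id, event)
EVENTS = [
    (1, "psn1", "alice", "s1", "start"),
    (2, "psn2", "alice", "s2", "start"),
    (3, "psn1", "alice", "s3", "start"),
    (4, "psn2", "alice", "s4", "start"),
    (5, "psn1", "bob", "s5", "start"),
    (6, "psn1", "alice", "s1", "stop"),
    (7, "psn1", "alice", "s6", "start"),
    (8, "psn2", "alice", "s2", "stop"),
]


def peak_sessions(events):
    """Replay start/stop records in time order.

    Returns (per_psn_peak, overall_peak): the highest concurrent session
    count seen per (user, psn) and per user across all PSNs.
    """
    open_sessions = defaultdict(set)   # (user, psn) -> open session ids
    per_psn_peak = defaultdict(int)
    overall_peak = defaultdict(int)
    for _, psn, user, sid, event in sorted(events):
        bucket = open_sessions[(user, psn)]
        if event == "start":
            bucket.add(sid)
        elif event == "stop":
            bucket.discard(sid)        # tolerate a stop without a start
        per_psn_peak[(user, psn)] = max(per_psn_peak[(user, psn)], len(bucket))
        total = sum(len(s) for (u, _), s in open_sessions.items() if u == user)
        overall_peak[user] = max(overall_peak[user], total)
    return dict(per_psn_peak), dict(overall_peak)


def over_limit(events, limit):
    """Users whose deployment-wide peak exceeds `limit` although no single
    PSN ever counted more than `limit` sessions for them."""
    per_psn, overall = peak_sessions(events)
    return {
        user: peak
        for user, peak in overall.items()
        if peak > limit
        and all(v <= limit for (u, _), v in per_psn.items() if u == user)
    }


if __name__ == "__main__":
    print(over_limit(EVENTS, limit=2))
```
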
