08-29-2016 08:06 AM
Dear Colleagues,
One of our partners is setting up a large university Wifi network in Saudi. They estimate a total of 130,000 concurrent connections in that network.
They want to use the number of 'current concurrent sessions' in their Authorization Policy. Based on the actual number of concurrent sessions in ISE or ACS (they have ACS already, which is to be migrated to ISE sometime in the future), they would like to assign different 'Airespace-Interface-Name' RADIUS A/V values to the user, thereby sharing the load across different VLANs.
That would be one use case. I can imagine some others, e.g. sending back different QoS instructions per session load, etc.
The question is: are we planning to make ISE able to use the number of actual concurrent sessions as a condition in the authorization policy in the future?
Best regards,
Istvan
Istvan Segyik
Escalations Engineer, Security
CCIE Security #47531
Global Virtual Engineering
WW Partner Organization
Cisco Systems, Inc
Email: isegyik@cisco.com
Work: +36 1 2254604
Monday - Friday, 8:30 am-17:30 pm - UTC+2 (CEST)
08-29-2016 08:44 AM
Istvan, we do get requests for limiting sessions per user. However, we do not discuss roadmaps and future features in public forums. Please send your question to the ISE Product Management team for a Cisco internal response.
08-29-2016 08:44 AM
Istvan, even if ISE allows one to use the concurrent session number, it would have issues long term, as ISE doesn't have visibility into the actual VLAN/subnet IP consumption. It is best handled locally by the network devices. With that in mind, have you looked at the VLAN Select feature on the WLC? You can assign multiple dynamic interfaces where the VLAN assignment can be load balanced.
If you believe the WLC feature does not provide adequate support and would like to pursue the ISE route, then I suggest reaching out to the ISE PM team. Thanks.
Hosuk
08-29-2016 08:50 AM
Hi Hosuk,
Thank you for your response. Actually, they are planning to create interface groups, but the limit is some 40 interfaces or so on an 8510 controller, and they want to have 120 VLANs and dynamic interfaces.
I was recommending AP groups and interface group mapping per AP group, or FlexConnect groups (which might apply in a FlexConnect scenario). That is a bit static but better than nothing.
I will follow Thomas's advice and contact the PMs.
Thank you both for your quick responses!
Istvan
08-29-2016 09:13 AM
If you are using AP groups, then you can configure the WLC to send the AP group name as part of the AuthC request to ISE. On ISE you could simply send a different interface group name depending on the AP group to make it dynamic. Not sure the same works with Flex Groups, so you may want to check with the WLC team.
Another option is to use the ISE PSN name. In other words, craft a policy to say: if ISE PSN == ISE03, then assign interface group name XYZ.
Hosuk
08-29-2016 09:27 AM
Hi Hosuk,
Using the PSN and potentially load-balance in front of the PSN is not a bad idea at all. I will propose that to the partner.
Thank you for the tip!
Best regards,
Istvan