Max concurrent login limitation stopped working for dot1x authen

zheka_pefti · ‎08-24-2012

Hello folks,

I ran into an issue while deploying integrating WLC with ISE and changing the authentication to dot1x.

Previously when it was set to WebAuth this limitation somehow worked even though it was very unhelpful because the user was getting an error message that didn't specify the reason why he was denied. See attached file that shows how it was setup in WLC

Now when we changed it to dot1x and all authentications are done on ISE side this limitation doesn't work anymore.

Needless to say that current ISE software doesn't support it as well. Cisco only promises to have it addressed in the future release 1.2

Any ideas or suggestions if I still can use this rudimentory limitation with dot1x ?

Scott Fella · ‎08-24-2012

Well that feature works with ACS 5.x, so it must be a limitation with ISE.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***

Amjad Abdullah · ‎08-24-2012

Hello,

In your screenshot there is a foot note says:

"When using 802.1X security make sure max-login-ignore-identity-response is disabled.".

You need to disable max-loign-itnore-identity-response in order for the limitation to work.

You can disable it from GUI:

Security-> Local EAP->General.

You can disable it from CLI:

config advanced eap max-login-ignore-identity-response disable.

I can find this is enabled by default with all my wireless controllers. If you disable it that should get your limitation functionality to work.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Max concurrent login limitation stopped working for dot1x authentications on WLC