This configuration enforces 2 sessions as a maximum for internal identity group GroupTest2: You are able to configure the enforcment per Group only for the Internal Groups. Navigate to Administration > System>Settings > Max Sessions > Group: It is necessary to receive the Radius Accounting for Max Session to work properly, status Authenticated (Session permitted, but no accounting) is not taken into consideration during session count: In this case, both of the sessions have status Started, which indicates Accounting Start arrived on ISE for the session. In order to check the live sessions, navigate to Operations > Radius > Live Sessions: Session is not permitted, even though in the Radius live log you can see that it hits the correct Authorization Profile. Once third connection with another device and same credentials is initiated, Bob receives PermitAccess, but Access-Reject is sent to authenticator: As per the detailed Radius Live log, shown in the image:Ģ2081 Max sessions policy passed step provides information that Maximum Concurrent Session check is successful. User Maximum Sessions is configured with value 2, which means that any session for same user beyond this number is not permitted (per PSN).Īs shown in the image, user Bob connects with Android Phone and Windows machine with the same credentials:īoth sessions are permitted because maximum sessions limit is not exceeded. Exampleīob is the username of an account from the Active Directory Domain which is connected and joined to ISE server. Users from External Identity Sources (for example Active Directory) are affected by this configuration as well. In the Maximum per user Sessions field configure number of sessions specific user can have on each PSN. To enable the feature, uncheck Unlimited session per user checkbox, which is checked by default. Navigate to Administration > System > Settings > Max Sessions, as shown in the image: User session count is case insensitive with regard to usernames and independent of Network Access Device used (as long as you use the same PSN node). In case of PSN restart, MaxSessions counters reset. Concurrent session feature is implemented in the runtime process and data is stored only in memory. There is no synchronization between the PSNs in terms of session count. User in a Group - limit number of sessions per user, that belongs to specific groupĮnforcement and count of a concurrent session is unique and managed by each Policy Service Node (PSN).Identity Group - limit number of sessions per specific group.User Identity - limit number of sessions per specific user.ISE version 2.2 can detect and build enforcement policy based on the concurrent session of: If your network is live, make sure that you understand the potential impact of any command. All of the devices used in this document started with a cleared (default) configuration. The information in this document was created from the devices in a specific lab environment. Cisco Identity Service Engine version 2.2.The information in this document is based on these software and hardware versions: 802.1x configuration on Wireless LAN Controller (WLC).PrerequisitesĬisco recommends that you have knowledge of these topics: This document is for RADIUS sessions, but it could be used as well for the TACACS sessions. Maximum Sessions feature provides a way to control and enforce live sessions per user or per identity group. This document describes how to configure Maximum Sessions feature introduced in the Identity Services Engine (ISE) 2.2.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |