Prohibit user to connect the second endpoint

yongwli · ‎03-25-2019

Hi Team,

My customer has a request, they only allow one endpoint connected per user, and the user only can use the endpoint first login successfully. Can we make it?

Max session cannot restrict a user to change endpoint.

Thanks

DL

hslai · ‎03-25-2019

In case of using ISE Guest Services, you may the following:

In the guest portal > Portal Behavior and Flow Settings > Guest Device Registration Settings, check [x] Automatically register guest device. Then, adjust the max number of devices in the Guest Type

Arne Bier · ‎03-25-2019

In case you're not talking about Guest flow, you can also restrict the max number of sessions per user for non-guest flows

I have never used this. And it's also per-PSN (i.e. the PSN controls the limit, and if the user ends up on another PSN then there is a new limit applied etc.) - but still, it might fit your use case.

yongwli · ‎03-28-2019

Hi Arne,

Thank you. If a user logoff and logged in with another endpoint, it still can log in the network, IT admin would only allow a user to login network with the endpoint hardware first login. They hope ISE to remember the MAC information and only allow this MAC in the future. Why do they need this, it's because they are using LDAP(no machine auth) and don't have a table to register every company's laptop MAC address, so they expect to simply lock first MAC address of each user.

DL