Limiting user login access

lcammara · ‎12-07-2017

I know we can control the number of sessions per user

Is there a way to alert if a user attempts more then one login, while policy permits multiple logins?

This would be ISE 2.3

Maybe Stealthwatch integration

Charlie Moreton · ‎12-07-2017

This was introduced in ISE 2.3. Go to Administration > System > Settings > Max Sessions.

You can choose to enforce Maximum session based upon user, group

This applies to Internal ISE Users and groups only. Also the enforcement is the max PER POLICY NODE. Here's the page in the Admin Guide:

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Manage Users and External Identity Sources [Cisco Ide…

ognyan.totev · ‎12-08-2017

Ise 2.2 support this future too.

hslai · ‎12-09-2017

There is no alarm to alert the same user logging more than once.

Like Charles and Ognyan said, ISE 2.2+ has max sessions to limit per user, which applies to external users as well, and per internal-user-group. These settings are per PSN, unlike the guest max sessions, which are per deployment.

wileong · ‎03-19-2018

Hi hslai,

Just to confirm the per user limit also apply for RADIUS authentication? (802.1x to be specified)

Thanks

Wing Churn

hslai · ‎03-19-2018

That is correct. This is mainly used for RADIUS authentications.

It's not working well for T+, due to some existing bug, such as CSCvg26552.

ruhearn · ‎08-02-2018

Is this known to work with certificates as the external user database?

Is there anything planned to make this work across multiple PSNs using the MnT or some other solution?

Thanks!

hslai · ‎08-04-2018

I have not tested it with certificates myself but am expecting it working with the username/subject based on the cert auth profile(s).

Sure, we are looking into multiple PSN. Please discuss your use cases and customer requirements with our PM.