Security

Application logs indicate 'Maximum session limit has been reached'. Access request rejected.  I have the session limit maxed out to 1024.  How do I get new users logged in?

I cleared all active sessions and this resolved the issue.  However, can this be automatically purged without manual intervention?

Do you have RADIUS accounting configured on your controller (or whatever device you use for access)?  If not, the sessions won't be removed when users leave the network.

this is what I have on the controller

 #show running-config | include radius
Building Configuration...
ip radius source-interface vlan 632
aaa authentication-server radius "amigopod"
aaa authentication-server radius "CK-Radius"
aaa authentication-server radius "MV-Radius"
radius-accounting "Amigopod"
radius-accounting "Employee_Auth_Servers"

looks like I have RADIUS Accounting pointing to the Amigopod server

Indeed it does.  Do you have an idle timeout set?  You can check "show aaa timer" and see.

If so, I am not sure what is going on.

If not, that might be why clients are forever sticking in Amigopod.

Do you see a very large number of clients on the controller when doing "show user"?

# show aaa timer

User idle timeout = 300 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes

I have about 8 users connected to the Guest network right now because i booted everyone off to get a new guest connected.  Is there a RADIUS Acct setting on the Amigopod server?

RADIUS accounting should be listening by default.  I don't think there is a way to disable it.

Do you see about the same number of users in Amigopod and on the controller?  If you connect and disconnect from your guest network, do you see yourself come and go from Amigopod?

This may be something that TAC could better assist with since they can start a web meeting and see the issue first hand.

well, our environment consists of IAP acting as Virtual Controllers and we also have physical controllers.  So to compare if I see on both would be cumbersome.  I do notice a ton of active sessions on Amigopod from the same MAC address (username column) coming from 1 of the IAP.  And this IAP just happens to be leaving the cluster daily until i do a "reboot all" from the VC.

It sounds like that IAP is doing NAT, so all guest sessions would appear to be the same MAC.  If the AP is crashing or getting rebooted, it is probably not cleaning up the sessions.  That could be the root of the problem.

would disabling Accounting on that IAP solve the issue of too many active sessions?

I think that would just make it worse.  Acct is used to add/remove sessions from the table, so if you dont have acct, you dont have control of the sessions.