We have a situation, where we want users to have no more than 2 active sessions. For e.g. when user connects the first device with AD credentials it should authenticate and authorize based on policy, same should happen when the same user connects second device with same credentials. However when user connects the 3rd device with same credentials, I want to create a condition, where ISE can check that user already have 2 active sessions and as authorization I can simply deny.
Has anyone done anything like this, any thoughts will be appreciated.
I understand we can achieve something similar by leveraging device registration portal and provisioning and limiting the device registration per user to 2, unfortunately we have license limit to do so and management is not ready to invest yet. So I am trying to think of an alternative here with base license only.
Thank you