In a typical enterprise BYOD (Bring Your Own Device) or guest wireless implementation using Cisco Identity Services Engine (ISE), policies are configured to control network access. While the self-registration portal allows a user to register multiple personal devices, a common security and resource management policy is to limit the number of concurrent active sessions. This means that although an employee might have four devices registered in the "My Devices Portal," the authorization policy can be set to permit only one active network connection at a time. When the user connects a second device, ISE can issue a Change of Authorization (CoA) to terminate the session of the first device, thus enforcing the "one-at-a-time" access rule.

A. The last device is removed and the newly added device is updated as active device.

This describes a device replacement policy for registration, not a policy for managing concurrent active network connections. Standard ISE behavior is to deny, not replace, registrations beyond the configured limit.

C. All devices are allowed on the network simultaneously.

This is only true if no limiting policies are configured. In a properly designed enterprise network, limits on guest/BYOD devices are standard practice for security and resource management.

D. Purge time dictates how long a device is registered to the portal.

The endpoint purge policy concerns the removal of inactive device records from the ISE database after a set period; it does not control the number of active simultaneous connections.

1. Cisco Identity Services Engine Administrator Guide

Release 3.1

"Session Management" Chapter: This chapter details how ISE tracks network sessions. It explains that authorization policies can be configured to act based on active session counts for a user. The mechanism to enforce a single session is to configure an authorization profile to send a Re-authentication or Port Bounce/Shutdown CoA request to the network access device (NAD) hosting the older session when a new session is detected for the same user. This directly results in the outcome described in option B.

2. Cisco Identity Services Engine Administrator Guide

Release 3.1

"Configure My Devices Portal Settings" Section: This section describes the "Maximum devices per user" setting. The documentation states

"When this limit is reached

the user cannot register any more devices." This confirms that the default behavior for exceeding a registration limit is denial

not replacement (as in option A) or allowing only one active session. This highlights the distinction between registration limits and session limits.

3. Cisco Identity Services Engine Administrator Guide

Release 3.1

"Endpoint Purge Policy" Section: This section defines the purge policy as a mechanism to "delete endpoints that are inactive for a specified number of days from the ISE database." This confirms that purging is related to the lifecycle of inactive endpoints

not the control of concurrent active sessions (as in option D).