topic Re: ISE Guest re authentication in Network Access Control

ISE Guest re authentication

Leonardo Pena Aristizabal — Fri, 21 Feb 2020 18:59:13 GMT

Hello Community,

I have a customer that wants guest users expire be blocked for some time (one day) after that time they get authorize to reauthenticate again through the captive portal.

It’s possible?

Thanks a lot

Re: ISE Guest re authentication

Francesco Molino — Sun, 24 Jun 2018 01:12:06 GMT

Never had such request before but I'm quite sure this isn't possible. I mean an account is valid for x days and during this x days, the guest user can authenticate without issues.

There's no option saying block the user and then re-authenticate him again.

Can you check maybe on api if there's something to activate again expired users. If yes, you will need to have them for 1 day and execute a scheduled script that will allow them again 2 days after.

Re: ISE Guest re authentication

Leonardo Pena Aristizabal — Sun, 24 Jun 2018 13:55:16 GMT

Ok, so if a guest wants to gain access they just re authenticate and when expires again reauthenticate and expires and basically they just can repeat the same process?

That’s what my customer don’t want?

Thanks for your time.

Re: ISE Guest re authentication

Francesco Molino — Sun, 24 Jun 2018 22:45:58 GMT

Ok what your customer wants is not possible in ISE, i mean i don't see any workaround making it working.

Usually you allow guest for x days and if they come back they'll go through the same process again. And more than that if you granted them access for 2 days, they can connect as much as they want.

Maybe there's another solution but can you detail the real use case?

Re: ISE Guest re authentication

ajc — Mon, 25 Jun 2018 19:18:07 GMT

hay que aclarar algo, la cuenta guest dura un periodo especifico de dias luego de lo cual expira y NO se puede reusar porque ya no esta vigente. PERO esa cuenta se puede "reinstate" manualmente por el administrador del ISE. Tendrias que investigar si se puede crear un script que busque por ese usuario en la base de datos y reinstale/reactive esa cuenta de invitado que estaba expirada luego de un numero X de dias a tu criterio SINO, hacerlo a mano como te senale antes.

Re: ISE Guest re authentication

Leonardo Pena Aristizabal — Mon, 25 Jun 2018 19:20:40 GMT

Hola

Si claro tienes toda la razón el tema es que yo monté un Script sobre un portal auto register para que funcionara como Hot Spot pero solicitando datos. (Nombre y correo)

Entonces la idea es que esos usuarios que se autoregistran no lo hagan constantemente, si no que duren bloqueados cierto tiempo.

Muchas gracias por tu tiempo.

Re: ISE Guest re authentication

ajc — Mon, 25 Jun 2018 19:25:54 GMT

No le encuentro sentido a que permitas un autoregistro y que no puedan usar la cuenta de inmediato.

Re: ISE Guest re authentication

Leonardo Pena Aristizabal — Mon, 25 Jun 2018 19:30:19 GMT

No, mira el tema es así:

1. El usuario usa el portal, se registra e inmediatamente brinda acceso a internet por una hora.

2. Al terminarse la hora la cuenta expira y el usuario ya no tiene acceso.

3. Nuevamente el usuario va a intentar conectarse, nuevamente se despliega el portal cautivo donde el usuario nuevamente hace el proceso con otro nombre y le da acceso a internet.

Lo que quiere el cliente es que el paso 3 solo sea permitido un día después, es decir que el mismo usuario (PC-Celular) no pueda reconectarse nuevamente.

Gracias

Re: ISE Guest re authentication

Francesco Molino — Mon, 25 Jun 2018 19:31:16 GMT

I'm sorry to disturb but if the post starts in English, it would be appreciated to continue in the same language, then everybody can help and understand what's going on.

Re: ISE Guest re authentication

Leonardo Pena Aristizabal — Mon, 25 Jun 2018 19:40:47 GMT

Yes, I agree.

Sorry about that.

I was explaining the process that my customer want's to blocked or not permit.

The flow is something like this:

1. Users connect to the SSID with CWA (Auto register with HTML mod for Hot Spot) fill the form a get access to Internet for one hour.

2. After that hour the users get expired and finally kick out.

3. The users try to reconnect and again the CWA is displayed, then the user fill again the form with another name and get access to Internet for another hour.

What my customer wants is to block for certain time that user (PC-Smartphone) to get reconnected.

Thanks and again sorry for the language.

Re: ISE Guest re authentication

ajc — Mon, 25 Jun 2018 19:47:30 GMT

Hi Leo,

I suspect you will have to create an AUTHZ Policy using MAB.

Not sure if the following helps:

1.-Initial Guest Account creation, 1 hour use. Successful access. MAC address enduser device automatically added to an ISE Endpoint Group.

2.-1 hour later, account expired but the MAC is still in the DB

3.-User tries to create another Guest account with different username/email, hits an AUTHZ policy that says IF MAC in GuestEndpoint DB then deny access OR redirect to a warning page that could say something like: "you have reach the maximum amount of allowed wireless internet service".

4.-You purge the Guest Endpoint Group every 24 hours.

Re: ISE Guest re authentication

Leonardo Pena Aristizabal — Mon, 25 Jun 2018 19:50:36 GMT

Hi,

I already did that but for some reason after a couple of minutes I get kick off, maybe the ISE check's time to time something about policies matching or some process that make me hits that rule.

Thanks a lot for your time.

Re: ISE Guest re authentication

Francesco Molino — Mon, 25 Jun 2018 20:01:16 GMT

When you say for certain time, does this means specific hours in the day or wait x minutes/hours after its last login?

Re: ISE Guest re authentication

Leonardo Pena Aristizabal — Mon, 25 Jun 2018 20:04:12 GMT

x minutes/hours after its last login.

Thanks

Re: ISE Guest re authentication

ajc — Mon, 25 Jun 2018 20:09:45 GMT

I know there is something called ELAPSEDdays for the MAC address in the ISE Endpoint DB. Not sure if there is something called ElapsedHours, let me check

UPDATE: Only the first one. What if you try something like an AUTHZ policy that says:

If Endpoint ElapsedDays equal or greater to 1 day, then CWA

Let's see why you are getting disconnected.

Re: ISE Guest re authentication

ajc — Mon, 25 Jun 2018 20:15:32 GMT

802.1x requires an entire reauthentication (not reassociation) when roaming. Not sure if the same happens on CWA. Just to be safe, do you have session timeout enabled on that SSID?

Re: ISE Guest re authentication

Leonardo Pena Aristizabal — Mon, 25 Jun 2018 20:17:19 GMT

Yes, the default 1.800.

Thanks

Re: ISE Guest re authentication

Francesco Molino — Mon, 25 Jun 2018 20:24:51 GMT

Yes the only thing possible is in terms of days and not hours.

Re: ISE Guest re authentication

Leonardo Pena Aristizabal — Mon, 25 Jun 2018 20:36:34 GMT

So you think is possible to block a MAC/User within a day?

If yes can you please explain me how?

Thanks.

Re: ISE Guest re authentication

Francesco Molino — Mon, 25 Jun 2018 20:49:58 GMT

Nope, I was answering regarding Elapsed time expressed only in days and not hours.

For your issue, does a user has to sign a AUP? If so, you can maybe play with the condition EndPoints·LastAUPAcceptanceHours and block the user. Usually this is used to force a user re-sign AUP but in your case, you can use it to deny access with the following example:
rule 1: if EndPoints·LastAUPAcceptanceHours is less than 240 accept
rule 2: if EndPoints·LastAUPAcceptanceHours is less than 120 deny

I mean you can play with it and test if it can make working what you're trying to achieve.