
Cisco ISE guest portal timeout

Richard Lucht
Level 1

Hello,

I am working on a guest portal to replace the captive portal on our WLAN controllers. One question that came up is what we can do about unregistered users who are just walking by and happen to associate with the SSID we set up for the guest portal; we want to kick them off after a certain amount of time. We don't want our DHCP space taken up by those who are registered users. Should this be part of the redirect authorization policy or on the controller?

1 Accepted Solution

Jason Kunst
Cisco Employee

Can you please explain further what the problem is and how you want to work?

If somebody is automatically connecting to an open network, then the only way to stop it is to secure that network. We recommend using WPA-PSK to accomplish this.

The wireless controller user idle timeout is 180 seconds; this means when they leave the network the session will only stay pinned up for a max of three minutes.

If you're worried about DHCP IP addresses being exhausted and don't want to lock down the SSID, then you can adjust your lease time.

2 Replies

Arne Bier
VIP

This is handled by two things:

  1. Relatively short DHCP lease times. Offer short lease times in your DHCP leases to prevent IP address exhaustion. Anyone who connects to an open SSID will be given an IP address - there is no preventing that. But you can make those leases 1 hour long and then the client will renew their lease every 30 minutes. Just as an extreme example. Passers-by would then only "hog" an IP address for max 1 hour.
  2. Set your WLC session-timeout on the WLAN config to be short - e.g. 900 seconds. This is enough time for a user to be redirected and enter his credentials if he is consciously trying to log into your portal. Then, if the portal auth was successful, return a custom, longer Session-Timeout from ISE in the Result Profile, e.g. 8 hours or whatever. Those walk-by users would only live on your WLC session table for max 900 seconds and then disappear.

I have not had much luck with Cisco WLCs and Session-Idle-Timeout - but the Session-Timeout is an absolute value (in seconds) and this works like a charm.
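
A sizing sketch for the two settings discussed in this thread, added here as an example and not posted by any of the participants: it estimates peak DHCP addresses and WLC session entries held by walk-by clients. The traffic pattern, the 24-hour and 8-hour comparison values, and the assumptions that clients renew at half the lease time and that only the absolute Session-Timeout removes an entry are constructed for illustration.

```python
# Added example (not from the thread): peak DHCP leases and WLC session
# entries caused by walk-by clients. All traffic figures are constructed.

def peak_concurrent(intervals):
    """Largest number of half-open [start, end) intervals open at once."""
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    peak = current = 0
    for _, delta in events:  # at equal times -1 sorts first: release before grab
        current += delta
        peak = max(peak, current)
    return peak

def lease_interval(arrive, stay, lease):
    """Address held from arrival until the last renewal plus one full lease.
    Assumption: the client renews at half the lease time while in range."""
    half = lease // 2
    last_renew = arrive + (stay // half) * half
    return (arrive, last_renew + lease)

def session_interval(arrive, session_timeout):
    """WLC entry lifetime when only the absolute Session-Timeout removes it."""
    return (arrive, arrive + session_timeout)

# Constructed load: one walk-by every 60 s for 4 hours, each in range 120 s,
# none of them logs in to the portal.
WALK_BYS = [(t, 120) for t in range(0, 4 * 3600, 60)]

def peak_leases(lease):
    """Peak addresses tied up by the walk-bys for a given lease time (seconds)."""
    return peak_concurrent([lease_interval(a, s, lease) for a, s in WALK_BYS])

def peak_sessions(session_timeout):
    """Peak WLC entries held by the walk-bys for a given timeout (seconds)."""
    return peak_concurrent([session_interval(a, session_timeout) for a, _ in WALK_BYS])

if __name__ == "__main__":
    for lease in (86400, 3600):
        print(f"lease {lease:>6}s -> peak addresses held: {peak_leases(lease)}")
    for timeout in (28800, 900):
        print(f"session-timeout {timeout:>6}s -> peak WLC entries: {peak_sessions(timeout)}")
```

Replace `WALK_BYS` with arrival times taken from your own association logs to size the guest scope against its pool.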