Guest hotspot restrict 1hr then allow access again

I was going over the following two community guides:

https://communities.cisco.com/message/276046#276046

https://community.cisco.com/t5/security-documents/guest-hotspot-with-max-2-hours-network-access-per-day/tac-p/3891027#M6430

I have some questions:

1. Is there a specific reason to use a RADIUS session timeout of 900 seconds while the user is being permitted? I mean, I could even use 600 seconds or less to block closer to the 1 hr mark, right?

2. Is there a way to limit user access to 1 hr, but then allow them to be redirected to the hotspot so they can go through the AUP and have 1 hr access again? So continuous 1 hr access if the AUP is accepted again? Similar to what is possible in the self-register guest portal, where the guest account can be restricted to 1 hr but the user is allowed back to the self-register portal, giving them access again.

3. For point 2, is there a way to do this without purging the endpoint, since the shortest purge duration is 1 day and an hourly purge option is not available?

Accepted Solutions
Cisco Employee

Re: Guest hotspot restrict 1hr then allow access again


@mmalwatte wrote:

I was going over the following two community guides:

https://communities.cisco.com/message/276046#276046

https://community.cisco.com/t5/security-documents/guest-hotspot-with-max-2-hours-network-access-per-day/tac-p/3891027#M6430

I have some questions:

1. Is there a specific reason to use a RADIUS session timeout of 900 seconds while the user is being permitted? I mean, I could even use 600 seconds or less to block closer to the 1 hr mark, right?

JAK > Would be good to separate and explain in more detail

2. Is there a way to limit user access to 1 hr, but then allow them to be redirected to the hotspot so they can go through the AUP and have 1 hr access again? So continuous 1 hr access if the AUP is accepted again? Similar to what is possible in the self-register guest portal, where the guest account can be restricted to 1 hr but the user is allowed back to the self-register portal, giving them access again.

JAK > Why not just redirect using LastAUPAcceptance every hour to the AUP?

https://www.google.com/search?q=lastaupacceptance+ise+2.4&oq=lastaupacceptance+ise+2.4&aqs=chrome..69i57.4376j0j7&sourceid=chrome&ie=UTF-8

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_0100010.html#task_B11E9389EBF24FFF98ED40C1501F6E8B

3. For point 2, is there a way to do this without purging the endpoint, since the shortest purge duration is 1 day and an hourly purge option is not available?
