Solved: Guest hotspot restrict 1hr then allow access again

Madura Malwatte · ‎07-16-2019

I was going over the following two communities guide:

https://communities.cisco.com/message/276046#276046

https://community.cisco.com/t5/security-documents/guest-hotspot-with-max-2-hours-network-access-per-day/tac-p/3891027#M6430

I have some questions:

1. Is there a specific reason to use radius session timeout of 900 seconds while user is being permitted? I mean I could even use 600 seconds or less to block closer to 1hr mark right?

2. Is there a way to limit user access to 1 hr, but then allow them to be redirected to hotspot so they can go through aup and have 1 hr access again? So continuous 1 hr access if aup is accepted again? Similar to what is possible in self-register guest portal where the guest account can be restricted to 1hr, but allows user back to self-register portal allowing them access again.

3. For point 2, is there a way to do this without purging the endpoint - since shortest purge duration is 1 day and hourly purge option is not available?

Jason Kunst · ‎07-16-2019

@Madura Malwatte wrote:

I was going over the following two communities guide:

https://communities.cisco.com/message/276046#276046

https://community.cisco.com/t5/security-documents/guest-hotspot-with-max-2-hours-network-access-per-day/tac-p/3891027#M6430

I have some questions:

1. Is there a specific reason to use radius session timeout of 900 seconds while user is being permitted? I mean I could even use 600 seconds or less to block closer to 1hr mark right?

JAK > would be good to separate and explain in more details

2. Is there a way to limit user access to 1 hr, but then allow them to be redirected to hotspot so they can go through aup and have 1 hr access again? So continuous 1 hr access if aup is accepted again? Similar to what is possible in self-register guest portal where the guest account can be restricted to 1hr, but allows user back to self-register portal allowing them access again.

JAK > Why not just redirect using LastAUPAcceptance every hour to the AUP?

https://www.google.com/search?q=lastaupacceptance+ise+2.4&oq=lastaupacceptance+ise+2.4&aqs=chrome..69i57.4376j0j7&sourceid=chrome&ie=UTF-8

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_0100010.html#task_B11E9389EBF24FFF98ED40C1501F6E8B

3. For point 2, is there a way to do this without purging the endpoint - since shortest purge duration is 1 day and hourly purge option is not available?

View solution in original post

Jason Kunst · ‎07-16-2019

@Madura Malwatte wrote:

I was going over the following two communities guide:

https://communities.cisco.com/message/276046#276046

https://community.cisco.com/t5/security-documents/guest-hotspot-with-max-2-hours-network-access-per-day/tac-p/3891027#M6430

I have some questions:

1. Is there a specific reason to use radius session timeout of 900 seconds while user is being permitted? I mean I could even use 600 seconds or less to block closer to 1hr mark right?

JAK > would be good to separate and explain in more details

2. Is there a way to limit user access to 1 hr, but then allow them to be redirected to hotspot so they can go through aup and have 1 hr access again? So continuous 1 hr access if aup is accepted again? Similar to what is possible in self-register guest portal where the guest account can be restricted to 1hr, but allows user back to self-register portal allowing them access again.

JAK > Why not just redirect using LastAUPAcceptance every hour to the AUP?

https://www.google.com/search?q=lastaupacceptance+ise+2.4&oq=lastaupacceptance+ise+2.4&aqs=chrome..69i57.4376j0j7&sourceid=chrome&ie=UTF-8

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_new_chapter_0100010.html#task_B11E9389EBF24FFF98ED40C1501F6E8B

3. For point 2, is there a way to do this without purging the endpoint - since shortest purge duration is 1 day and hourly purge option is not available?