Guest user purge inactivity

csavas
Cisco Employee

Hello,

we are running guest service with ISE 2.3p2.

We have created through ISE API a set of users which is accessible/managed through sponsor portal.

Customer has requested to delete guest accounts after x days of inactivity.

I have found the option under: Work Centers > Guest Access > Settings > Guest Account Purge Policy

But the menu and the doc are not very clear to me...

  • Is there a dependency on the expiration date in the guest DB?
  • What do "inactive LDAP/AD users" mean in this case? Would the purge policy delete LDAP/AD accounts?
  • For example: I have created a guest account with an expiration of 365 days and the guest used this account once.
    • My "Expire portal-user information" is set to 90 days, so after 90 days this account would be flagged as expired and would be purged according to the scheduled purge policy?

Thanks in advance for your help.

Cengiz


7 Replies

Jason Kunst (Accepted Solution)
Cisco Employee

We only purge accounts that have expired; there is no way to mark for inactivity using native ISE options. After the 90 days any accounts expired will be removed.

If this is a critical piece then either create shorter guest accounts or write your own tool using the API that can query the list of active guest accounts, compare it to when they last used it, and handle cleaning that way.

The LDAP/AD piece is for those accounts that live in external systems; the system will purge the shadow account used for those types of users.
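A minimal version of the cleanup tool suggested in this reply, added here as an example (not Cisco's code and not posted in this thread): it joins the ERS guest-user list with last-login timestamps and returns the account ids to delete, treating never-used accounts separately as the later reply in this thread describes. Assumed: the ERS paths on port 9060, ISO-8601 timestamp strings, and that last-use data is exported from a separate source such as a RADIUS authentication report.

```python
# Added example (not Cisco's code): inactivity cleanup over ISE ERS guest accounts.
# Assumptions: ERS on port 9060 exposes GET/DELETE /ers/config/guestuser[/{id}];
# last-use timestamps come from another source (e.g. an exported RADIUS
# authentication report) since the ERS guest record has no such field; all
# timestamps are ISO-8601 strings, so adapt the parsing to what your ISE returns.
import base64
import urllib.request
from datetime import datetime, timedelta, timezone


def select_stale_guests(accounts, last_seen, now, inactive_days, never_used_days):
    """Return ids to delete: used accounts idle longer than inactive_days, and
    never-used accounts whose fromDate is older than never_used_days."""
    stale = []
    for acct in accounts:
        seen = last_seen.get(acct["name"])
        if seen is not None:
            if now - datetime.fromisoformat(seen) > timedelta(days=inactive_days):
                stale.append(acct["id"])
        else:
            start = datetime.fromisoformat(acct["guestAccessInfo"]["fromDate"])
            if now - start > timedelta(days=never_used_days):
                stale.append(acct["id"])
    return stale


def build_delete_request(base_url, guest_id, username, password):
    """Build (but do not send) the ERS DELETE for one guest id with basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/ers/config/guestuser/{guest_id}", method="DELETE")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    return req  # send with urllib.request.urlopen(req) after reviewing the list


# Constructed sample data, not from a real deployment.
ACCOUNTS = [
    {"id": "g1", "name": "visitor01", "guestAccessInfo": {"fromDate": "2018-01-01T08:00:00+00:00"}},
    {"id": "g2", "name": "visitor02", "guestAccessInfo": {"fromDate": "2018-01-01T08:00:00+00:00"}},
    {"id": "g3", "name": "visitor03", "guestAccessInfo": {"fromDate": "2018-03-20T08:00:00+00:00"}},
]
LAST_SEEN = {"visitor01": "2018-01-05T09:00:00+00:00", "visitor02": "2018-03-25T09:00:00+00:00"}
NOW = datetime(2018, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for gid in select_stale_guests(ACCOUNTS, LAST_SEEN, NOW, 30, 14):  # -> ["g1"]
        print(build_delete_request("https://ise.example:9060", gid, "ersadmin", "secret").full_url)
```

Run the selection first and review the list; only then send the DELETE requests, since a wrong inactivity source (for example, a report that misses one NAD) would remove accounts that are still in use.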

Thanks Jason, this is useful.

Is there anything planned in future releases?

There is no current plan to enhance this; please reach out to our ISE product managers through the sales channel.

afahmy
Cisco Employee

Hi Cengiz,

The purge policy does not delete the account after x days of inactivity.

The purge policy decides when to delete the account after it actually expires. The account expires when it passes the maximum allowed access time, which is defined here:

toyip
Cisco Employee

It's my understanding that only guest accounts that expired can be purged, which means accounts created by a sponsor or by self-registration. What about open hotspot guest users who do not have a guest account, but the MAC address of the device is placed in some sort of whitelist by ISE?

howon
Cisco Employee

You can use the endpoint purge policy for that. Unless modified from the default, hotspot endpoints get added to the GuestEndpoint group, which you can create a purge policy for:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01101.html#concept_0776B37A2C3542189950F5DFB1961FA2


Okay, there are several things here:

  1. Any endpoint identity group used in the guest portal process should have a purge rule set up for it based on how the customer answers the following question: "How often do you want this type of guest to see the guest portal?". For my hotspot guests and daily guest types I purge every night. For my weekly guests maybe every night if the customer wants them to sign into the portal once a day, but maybe every 7 days. For longer-term guests and AD accounts used at the portal maybe once every 30 days.
  2. There are two types of guest users and timers involved:
    1. Guest users who have logged into the portal and started the clock ticking, or had their time set by the sponsor. When those go inactive, they are purged out based on the inactive purge setting, which defaults to running every 15 days.
    2. Guest user accounts that never logged in. The sponsor created the accounts or guests self-registered, but they were never approved/used. Those accounts expire in 90 days by default and then get purged on the next 15-day purge. I usually crank this down from 90 days to 14 days. No reason to keep inactive accounts out there that long imo.