ISE Guest access

eagles-nest
Level 1

Hi

I am playing around with ISE guest access for wireless users. I have it working but I'm not quite sure I understand a part of the setup.

I have the redirect rule set up to point me to the ISE portal. The rule before it is then used to authenticate the user credentials. I read that I need to configure it to match on the condition Network Access:UseCase = Guest Flow.

What exactly is being matched when the rule looks for Guest Flow? What is in the RADIUS request that indicates this is a Guest Flow?

Thanks for any input, Stuart.

11 Replies

Jason Kunst
Cisco Employee
This identifies that they logged into a portal and therefore are going through guest flow, and you can key off guest type or AD group, for example, from that information. It's not needed, but it's a good way to keep it clear what exactly you're keying off and authorizing.
https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

@Jason Kunst - is there a more technical explanation about what factors cause GuestFlow to be set to TRUE? For example, a user could successfully log into a portal, but then other conditions could throw a spanner in the works, causing the "session" to be in limbo:

  • ISE sends CoA but the NAS doesn't get the CoA (firewall etc.)
  • ISE sends CoA, the NAS gets it, but the CoA ACK doesn't make it back to ISE (asymmetric routing)
  • ISE sends CoA, NAS sends ACK and ISE receives it. But NAS does not send Accounting Start - does that have an impact on the Session management?

regards

Is there even a reason to use guest flow any more?  I haven't used that since 1.x and that was the only way to catch the reauthentication.  Now that guest types and hot spot portals are mapped to identity groups that is all I use now.

I thought that Guest Flow is used only if you're not using the RememberMe feature (i.e. relying on the MAC address being in the Endpoint Identity Group). It was my understanding that the Guest Flow is a state flag that is set when certain conditions are true (e.g. CoA went through ok, and the Session Accounting is flowing). If those conditions are not true (e.g. accounting stop received) then it signals that the session is over, and then the guest sees the portal again. That is actually quite a useful thing in my opinion. I may not want to perform MAB re-authentication, because purging MAC addresses is such a pain in ISE (setting a time limit of when a MAC address is purged is not possible). Sure, we can purge at 3AM or whatever, but that is not granular enough. I like the idea of maintaining Session state by means of RADIUS Accounting.

Arne, you're right, it's only needed when not using RememberMe.

If your session is lost then they will need to log in again.

Yeah, I just try to keep it simple and use purging nightly or whatever interval the customer wants the guest to see the portal, but yes, if you need to get more granular, AUP acceptance or GuestFlow would allow for that.

Yes, that's explained in the guest guide, page 23:
https://community.cisco.com/kxiwq67737/attachments/kxiwq67737/4561-docs-security/5421/4/ISE_Guest_Deployment_Guide_11sep2018.pdf#page23

Also think of shared machines in a school that require separate logins

Those are some of the few reasons

In smaller deployments where there is only one WLC, setting a RADIUS Session-Timeout to 8 hours might seem reasonable for an average use case. It means that users can use the internet "for a day".

I don't use Idle-Timeout because that will surely kill a session in next to no time. If a user has authenticated then give them a session for x hours and thereafter terminate the session.

The other benefit of not using RememberMe is that the Radius Accounting will always contain the guest identity in the User-Name (which is not always the case with MAB re-auth ... until Cisco get around to fixing that :-)  - therefore, if you need reliable Accounting, then you cannot use RememberMe.


Arne, right, you can pin up sessions on the controller, but there are memory concerns with that. Mentioned in the guide as well.
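As an added illustration (not code from this thread, and not Cisco ISE's own implementation), here is a small Python model of three things discussed above: the first-match rule ordering Stuart describes (a Guest Flow rule placed above the MAB redirect rule), Arne's point that the session only lives while RADIUS accounting does and the lost-CoA limbo case, and the RememberMe alternative of matching the endpoint identity group instead. The rule names, the attribute spellings (`use_case` standing in for Network Access:UseCase, `endpoint_group` for the endpoint identity group), the `GuestEndpoints` group name and the way the lost-CoA case is handled are all assumptions of the model, not a description of ISE internals.

```python
"""Toy first-match authorization policy modelled on the guest flow discussed
in this thread. Constructed illustration only: the rule names, the attribute
spellings (use_case mimics Network Access:UseCase, endpoint_group mimics the
endpoint identity group) and the session bookkeeping are assumptions of this
example, not ISE's internal implementation."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Session:
    """What the toy policy can see about one endpoint's RADIUS session."""
    mac: str
    use_case: str = "MAB"            # flips to "Guest Flow" after portal login + CoA reauth
    endpoint_group: str = "Unknown"  # "GuestEndpoints" models RememberMe (assumed group name)
    username: Optional[str] = None


@dataclass
class Rule:
    name: str
    condition: Callable[[Session], bool]
    result: str


# Ordered as the thread describes: the Guest Flow rule sits above the redirect
# rule, so a guest re-authenticating after the CoA never hits the redirect again.
POLICY: List[Rule] = [
    Rule("Guest_Permit", lambda s: s.use_case == "Guest Flow", "PermitAccess"),
    Rule("Guest_RememberMe", lambda s: s.endpoint_group == "GuestEndpoints", "PermitAccess"),
    Rule("Wireless_MAB_Redirect", lambda s: s.use_case == "MAB", "CWA_Redirect"),
]


def evaluate(policy: List[Rule], session: Session) -> Tuple[str, str]:
    """First matching rule wins, as in an ISE authorization policy."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.result
    return "Default", "DenyAccess"


class SessionStore:
    """Live sessions keyed by MAC. A session disappears on Accounting-Stop, which
    is why a guest without RememberMe sees the portal again afterwards."""

    def __init__(self, remember_me: bool = False) -> None:
        self.remember_me = remember_me
        self.sessions: Dict[str, Session] = {}
        self.guest_endpoints: Set[str] = set()  # stands in for the GuestEndpoints identity group

    def mab_request(self, mac: str) -> Tuple[str, str]:
        """Initial MAB from the NAS (a WLC in the thread): no portal login yet."""
        session = Session(mac)
        if mac in self.guest_endpoints:
            session.endpoint_group = "GuestEndpoints"
        self.sessions[mac] = session
        return evaluate(POLICY, session)

    def portal_login(self, mac: str, username: str, coa_ack_received: bool) -> Tuple[str, str]:
        """Portal credentials accepted; ISE sends a CoA so the NAS re-authenticates.
        If the CoA or its ACK is lost, this model leaves the session in the
        redirect state, the limbo case raised in the thread."""
        session = self.sessions[mac]
        session.username = username
        if not coa_ack_received:
            return evaluate(POLICY, session)
        if self.remember_me:
            self.guest_endpoints.add(mac)
            session.endpoint_group = "GuestEndpoints"
        session.use_case = "Guest Flow"  # the re-auth now carries the guest flow use case
        return evaluate(POLICY, session)

    def accounting_stop(self, mac: str) -> None:
        """Accounting-Stop from the NAS ends the session."""
        self.sessions.pop(mac, None)


def guest_lifecycle(remember_me: bool, coa_ack_received: bool = True) -> List[Tuple[str, str]]:
    """Walk one guest through: MAB -> portal login -> Accounting-Stop -> MAB again."""
    store = SessionStore(remember_me)
    mac = "aa:bb:cc:dd:ee:ff"  # constructed sample endpoint
    steps = [store.mab_request(mac),
             store.portal_login(mac, "guest1", coa_ack_received)]
    store.accounting_stop(mac)
    steps.append(store.mab_request(mac))
    return steps


if __name__ == "__main__":
    for label, steps in [("no RememberMe", guest_lifecycle(False)),
                         ("RememberMe", guest_lifecycle(True)),
                         ("CoA lost", guest_lifecycle(False, coa_ack_received=False))]:
        print(label, steps)
```

Without RememberMe the third step lands on the redirect rule again, which is the "session lost, log in again" behaviour Jason describes; with RememberMe the endpoint group match permits the returning MAC without a portal; and when the CoA never completes, the session stays on the redirect result even though the portal accepted the credentials.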

Thank you everyone for the replies. It's very much appreciated.

The only reason I'm matching on Guest Flow is that I am playing around with this in a lab, old ISE v2.0 though, and the first document I found mentioned the Guest Flow method.

I like to get a simple method working then make changes from there. So I create a rule based on matching Guest Flow and point it to a copy of the self-registration portal. Once I'm sure that works I copy the rule and change some parameters to see how that plays out. I know I can easily revert to a working solution by enabling the original Guest Flow rule.

Is there a preferred method to do this now other than matching on Guest Flow?

Thanks again, Stuart.

Yes, in the guest deployment guide there are simple rules explained.

They just look different in 2.0.

Would recommend, if playing in a lab, to move to 2.4 and not play with something that's old.