Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
948
Views
0
Helpful
3
Replies

limit a user from creating more than one guest accounts per day from an endpoint.

Go to solution
hradhanp
Cisco Employee
Cisco Employee

‎07-12-2017 06:54 AM

We have integrated ISE and SMS gateway.


Now the customer requirement is one mobile device should only be able to generate username and password once in 24 hrs. Can we achieve the same through ISE ?


If yes then what policy we need to configure for that ?


Currently guest can create as many number of accounts as possible from that endpoint without logging in. We want to limit guest device to create username and password only once in 24 hours.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎07-12-2017 07:14 AM

Not natively, please get this info to our ISE Product Management team to add to the product feature request

You could limit them using device registration.

When they first come in they are redirected to guest portal.

After they go through the flow their MAC address is put into the Guest Endpoint group and then you base authorization off this flow.

If Guest Endpoints then permit access

That device will no longer be able to click on don’t have an account. Still doesn’t restrict then from signing up from another device if they have one.

Otherwise you would need to do some advanced scripting work and have a go between to control this. This would be complex from what I can envision.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎07-12-2017 07:14 AM

Not natively, please get this info to our ISE Product Management team to add to the product feature request

You could limit them using device registration.

When they first come in they are redirected to guest portal.

After they go through the flow their MAC address is put into the Guest Endpoint group and then you base authorization off this flow.

If Guest Endpoints then permit access

That device will no longer be able to click on don’t have an account. Still doesn’t restrict then from signing up from another device if they have one.

Otherwise you would need to do some advanced scripting work and have a go between to control this. This would be complex from what I can envision.

0 Helpful

Go to solution
hradhanp
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎07-12-2017 07:41 AM

What policy do we need to configure here. Can you share the snapshot of the policy in any.

Also can we restrict the device for 24hrs. Post that he should be able to generate new username and password.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to hradhanp

‎07-12-2017 07:47 AM

If wireless_mab and guestendpoint group then permit access

If wireless_mab then redirect to guest portal

You will need to set your endpoint purge policy for guestendpoints equal to 0 days so they clear out every morning (keep in mind this is globally at the time set per the system MNT timezone)

if you’re using a worldwide system you will need to write a script to clear the endpoints out

similar info here

https://communities.cisco.com/thread/79413?start=0&tstart=0

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents