Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
723
Views
0
Helpful
4
Replies

Sessions Timeout - Quota Policy Enforcement

Go to solution
gugonza2
Cisco Employee
Cisco Employee

‎01-24-2019 03:37 AM

A customer wants to know if we can configure a WLAN environments with different sessions timeout per user.

A WLAN environment where some users could enter with restricted time, such as Public WLAN where some users are registered with some session timeout and some guest are restricted to specific session timeout (10 or 15 min).

 

 

- Is is possible to configure session timeouts per users (AAA override, ISE or WLC) ?

- Can ISE send a CoA to kill a user session and force reathentication ?

 

Any suggestion ?

 

Thanks in advance.

 

Guillermo.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎01-24-2019 03:45 AM

Yes using radius AVP session timeout you can disconnect a bucket of users to specific timeout values

Doing this on specific usernames wouldn’t be recommended as this would be difficult to manage

For guests you would likely utilize setting specific users or guest types when creating their accounts to expire after certain periods

Examples using google search
https://www.google.com/search?q=ise%20radius%20timeout

There is no tool in ise as quota management per says but you can also return values in radius of QOS TOS for Cisco wireless controllers


https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81831-qos-wlc-lap.html

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎01-24-2019 03:45 AM

Yes using radius AVP session timeout you can disconnect a bucket of users to specific timeout values

Doing this on specific usernames wouldn’t be recommended as this would be difficult to manage

For guests you would likely utilize setting specific users or guest types when creating their accounts to expire after certain periods

Examples using google search
https://www.google.com/search?q=ise%20radius%20timeout

There is no tool in ise as quota management per says but you can also return values in radius of QOS TOS for Cisco wireless controllers


https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81831-qos-wlc-lap.html

0 Helpful

Go to solution
gugonza2
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎01-24-2019 05:56 AM

Thanks a lot Jason for your answer,

 

The question about "Quota Policy Enforcement" is because, in case of need, can the ISE (RADIUS) send a CoA to de-auth a user and force a re-authentication?

As I understood is not possible, but I heard that in SEVT was presented the feature "Quote Policy Enforcement" where, through CoA, RADIUS can change end user devices behavior based on prepaid external billing services, and I guess the same could be applied to timeouts.

 

Any comment ?

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to gugonza2

‎01-24-2019 06:39 AM

Yes ise can send terminate or reauth
0 Helpful

Go to solution
gugonza2
Cisco Employee
Cisco Employee
In response to gugonza2

‎01-24-2019 06:49 AM

Thanks Jason,  is there any document with a configuration example for that ?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents