cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

246
Views
0
Helpful
4
Replies
Highlighted
Cisco Employee

Sessions Timeout - Quota Policy Enforcement

A customer wants to know if we can configure a WLAN environments with different sessions timeout per user.

A WLAN environment where some users could enter with restricted time, such as Public WLAN where some users are registered with some session timeout and some guest are restricted to specific session timeout (10 or 15 min).

 

 

- Is is possible to configure session timeouts per users (AAA override, ISE or WLC) ?

- Can ISE send a CoA to kill a user session and force reathentication ?

 

Any suggestion ?

 

Thanks in advance.

 

Guillermo.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Sessions Timeout - Quota Policy Enforcement

Yes using radius AVP session timeout you can disconnect a bucket of users to specific timeout values

Doing this on specific usernames wouldn’t be recommended as this would be difficult to manage

For guests you would likely utilize setting specific users or guest types when creating their accounts to expire after certain periods

Examples using google search
https://www.google.com/search?q=ise%20radius%20timeout

There is no tool in ise as quota management per says but you can also return values in radius of QOS TOS for Cisco wireless controllers


https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81831-qos-wlc-lap.html

4 REPLIES 4
Cisco Employee

Re: Sessions Timeout - Quota Policy Enforcement

Yes using radius AVP session timeout you can disconnect a bucket of users to specific timeout values

Doing this on specific usernames wouldn’t be recommended as this would be difficult to manage

For guests you would likely utilize setting specific users or guest types when creating their accounts to expire after certain periods

Examples using google search
https://www.google.com/search?q=ise%20radius%20timeout

There is no tool in ise as quota management per says but you can also return values in radius of QOS TOS for Cisco wireless controllers


https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81831-qos-wlc-lap.html

Cisco Employee

Re: Sessions Timeout - Quota Policy Enforcement

Thanks a lot Jason for your answer,

 

The question about "Quota Policy Enforcement" is because, in case of need, can the ISE (RADIUS) send a CoA to de-auth a user and force a re-authentication?

As I understood is not possible, but I heard that in SEVT was presented the feature "Quote Policy Enforcement" where, through CoA, RADIUS can change end user devices behavior based on prepaid external billing services, and I guess the same could be applied to timeouts.

 

Any comment ?

 

Cisco Employee

Re: Sessions Timeout - Quota Policy Enforcement

Yes ise can send terminate or reauth
Cisco Employee

Re: Sessions Timeout - Quota Policy Enforcement

Thanks Jason,  is there any document with a configuration example for that ?