cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

153
Views
0
Helpful
1
Replies
Highlighted
Beginner

Authenticate and create policies based on last ISE authentication timestamp

Hello,

 

Not sure if this is possible. I'd like to create a ISE policy based on the last successful ISE authentication. Something like: If device has authenticated within the last 30 days send them to a full access VLAN, if not send them to limited access VLAN.

 

Has anyone done this before or know if its possible with base licenses? Could this be achieved with Plus licenses.

 

Thanks,

1 REPLY 1
Highlighted
Cisco Employee

Re: Authenticate and create policies based on last ISE authentication timestamp

In short, no. There is not a construct for using historical RADIUS Accounting information in ISE authorization rules.

If you were to allow MAB as a default for Guests or other non-authenticating devices - even to a Quarantine/Unknown state - that still qualifies as a successful authentication event so technically you would potentially allow anything that plugged in a second time full access to your network. Not a good policy.

What is your real problem or desired security policy that you want? Please be specific.