Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
823
Views
0
Helpful
1
Replies

Authenticate and create policies based on last ISE authentication timestamp

CB90021204
Level 1
Level 1

‎04-07-2020 09:08 PM

Hello,

 

Not sure if this is possible. I'd like to create a ISE policy based on the last successful ISE authentication. Something like: If device has authenticated within the last 30 days send them to a full access VLAN, if not send them to limited access VLAN.

 

Has anyone done this before or know if its possible with base licenses? Could this be achieved with Plus licenses.

 

Thanks,

0 Helpful
1 Reply 1

thomas
Cisco Employee
Cisco Employee

‎04-09-2020 10:27 AM

In short, no. There is not a construct for using historical RADIUS Accounting information in ISE authorization rules.

If you were to allow MAB as a default for Guests or other non-authenticating devices - even to a Quarantine/Unknown state - that still qualifies as a successful authentication event so technically you would potentially allow anything that plugged in a second time full access to your network. Not a good policy.

What is your real problem or desired security policy that you want? Please be specific.

0 Helpful
Customers Also Viewed These Support Documents