Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Cisco ISE 2.0 Purge/Remove Endpoint as soon as guest account expired


I want to avoid to have guest user connected to my network while their account are expired.

I know that if I disconnect the cable and connect again they will not be able to login again due to the expiration.

But I want to set some purge configurations so that they are bounce to the network if their account expired when they are connected.

Thanks for helping!

Cisco Employee

I am not aware of such option (delete endpoint from ISE when guest account expires.) I think what would work here nice here is for ISE to send CoA (Change of Authorization) when the guest account expires. I don't believe that this happens today. Perhaps someone else can chime in here. 

In the meantime I would suggest using re-auth timers that will force the guest users to re-auth periodically (let's say once a day). That way if the guest account is expired, the guest user will no longer be able to authenticate. 

I hope this helps!

Thank you for rating helpful posts!

Hi Neno,
Thank you for your answer.

Assume that the guest account expire at 9:00 AM while the user is connected and the guest didn't unplug the rj45 cable. if the re-auth periodicity is set to once a day, the guest will stay connected all the day.
I want to block that of happening.
I also think that today there is no solution to block that on a wired environment. And I want to know if someone has a way to solve the issue.
In a Wireless environment ISE sends a CoA and the WLC disconnects the guest when the account expired.
It will be nice if we could have the same behavour on the switch.

Were you able to find a solution to this? Did you reach out to Cisco?

Thank you for rating helpful posts!

No solution till now.

Unless Cisco fix this, i don't see any other way, except using the Guest API to check for account expiration, however i'm not sure how you can see what mac address/sessionid is using the account, so you can delete the endpoint and kick the user. The Guest username might be stored with the endpoint data.

Is there still no solution/workaround for this issue?

I haven't had a chance to verify, but try this...


Instead of the default out-of-the-box "Access accept" authorization profile result, define a custom one that is a copy of that one and use if for your time-limited guest accounts. In that custom result, change the option for reauthentication and set the timer consistent with the length of the guest account duration. When that time gets to zero, the guest session should get a CoA and user traffic will be rediected to the Guest portal for a new login.

Content for Community-Ad