I want to avoid having guest users connected to my network while their accounts are expired.
I know that if I disconnect the cable and connect again they will not be able to log in again due to the expiration.
But I want to set some purge configurations so that they are bounced off the network if their account expires while they are connected.
Thanks for helping!
I am not aware of such an option (delete endpoint from ISE when guest account expires). I think what would work nicely here is for ISE to send a CoA (Change of Authorization) when the guest account expires. I don't believe that this happens today. Perhaps someone else can chime in here.
In the meantime I would suggest using re-auth timers that will force the guest users to re-auth periodically (let's say once a day). That way if the guest account is expired, the guest user will no longer be able to authenticate.
I hope this helps!
Thank you for rating helpful posts!
Unless Cisco fixes this, I don't see any other way, except using the Guest API to check for account expiration. However, I'm not sure how you can see what MAC address/session ID is using the account, so you can delete the endpoint and kick the user. The guest username might be stored with the endpoint data.
I haven't had a chance to verify, but try this...
Instead of the default out-of-the-box "Access accept" authorization profile result, define a custom one that is a copy of that one and use it for your time-limited guest accounts. In that custom result, change the option for reauthentication and set the timer consistent with the length of the guest account duration. When that time gets to zero, the guest session should get a CoA and user traffic will be redirected to the Guest portal for a new login.