Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2448
Views
0
Helpful
7
Replies

Cisco ISE 2.0 Purge/Remove Endpoint as soon as guest account expired

ZINSOU ADAM JOCELYN ADISSO
Level 1
Level 1

‎04-11-2016 09:31 AM - edited ‎03-10-2019 11:39 PM

Hi,

I want to avoid to have guest user connected to my network while their account are expired.

I know that if I disconnect the cable and connect again they will not be able to login again due to the expiration.

But I want to set some purge configurations so that they are bounce to the network if their account expired when they are connected.

Thanks for helping!

Labels:
0 Helpful
7 Replies 7

nspasov
Cisco Employee
Cisco Employee

‎04-11-2016 01:46 PM

I am not aware of such option (delete endpoint from ISE when guest account expires.) I think what would work here nice here is for ISE to send CoA (Change of Authorization) when the guest account expires. I don't believe that this happens today. Perhaps someone else can chime in here. 

In the meantime I would suggest using re-auth timers that will force the guest users to re-auth periodically (let's say once a day). That way if the guest account is expired, the guest user will no longer be able to authenticate. 

I hope this helps!

Thank you for rating helpful posts!

0 Helpful

ZINSOU ADAM JOCELYN ADISSO
Level 1
Level 1
In response to nspasov

‎04-12-2016 01:57 AM

Hi Neno,
Thank you for your answer.

Assume that the guest account expire at 9:00 AM while the user is connected and the guest didn't unplug the rj45 cable. if the re-auth periodicity is set to once a day, the guest will stay connected all the day.
I want to block that of happening.
I also think that today there is no solution to block that on a wired environment. And I want to know if someone has a way to solve the issue.
In a Wireless environment ISE sends a CoA and the WLC disconnects the guest when the account expired.
It will be nice if we could have the same behavour on the switch.
Thanks!
0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to ZINSOU ADAM JOCELYN ADISSO

‎04-25-2016 09:37 AM

Were you able to find a solution to this? Did you reach out to Cisco?

Thank you for rating helpful posts!

0 Helpful

ZINSOU ADAM JOCELYN ADISSO
Level 1
Level 1
In response to nspasov

‎04-28-2016 09:28 AM

No solution till now.

0 Helpful

jan.nielsen
Level 7
Level 7
In response to ZINSOU ADAM JOCELYN ADISSO

‎04-28-2016 02:46 PM

Unless Cisco fix this, i don't see any other way, except using the Guest API to check for account expiration, however i'm not sure how you can see what mac address/sessionid is using the account, so you can delete the endpoint and kick the user. The Guest username might be stored with the endpoint data.

0 Helpful

Husum182
Level 1
Level 1
In response to jan.nielsen

‎09-04-2017 12:41 AM

Is there still no solution/workaround for this issue?
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Husum182

‎09-04-2017 01:39 AM

I haven't had a chance to verify, but try this...

 

Instead of the default out-of-the-box "Access accept" authorization profile result, define a custom one that is a copy of that one and use if for your time-limited guest accounts. In that custom result, change the option for reauthentication and set the timer consistent with the length of the guest account duration. When that time gets to zero, the guest session should get a CoA and user traffic will be rediected to the Guest portal for a new login.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01111.html#task_898C463BF3E14A069DB76D9707820CC7

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents