Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2379
Views
0
Helpful
5
Replies

Cisco ISE CWA Logout

Benjamin Pfister
Level 1
Level 1

‎12-20-2015 04:33 AM - edited ‎03-10-2019 11:20 PM

Hello Community,

We are searching for a solution regarding Wired CWA with ISE 1.4. Problem is that we have several public space computers where users should log in to use the internet connection. After they have finished they should log off so that next user should have to log in. Inactivity timer on our switches does not work properly because these are windows 7 computers which e.g. do updates in the background. Is there any possibility to force log off the user via REST-API or something?

Best Regards,

Benjamin

Labels:
0 Helpful
5 Replies 5

jan.nielsen
Level 7
Level 7

‎12-21-2015 09:41 AM

ISE has a REST based API, that you can use to manage session in the ISE session database, you can use the CoA disconnect method to kick users off

http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/api_ref_guide/api_ref_book/ise_api_ref_ch4.html#pgfId-1065844

0 Helpful

Benjamin Pfister
Level 1
Level 1
In response to jan.nielsen

‎12-23-2015 04:15 AM

Thanks for your Suggestion. I tested session disconnect and reauth API call successfull but after CoA action I saw a "Dynamic Authorization succeeded" event in authentication logs. Our users are not redirected to webauth login and session is not terminated. As i saw in API documentation, there is no true session terminate CoA action. Is there any other possibility?

Best Regards,

Benjamin

0 Helpful

jan.nielsen
Level 7
Level 7
In response to Benjamin Pfister

‎12-23-2015 04:39 AM

Dynamic Authz Succeeded is supposed to be there, it's just an indication of the CoA has successfully been delivered to the NAD, but if you are using the automatic device registration on your guest portal you use for CWA, it won't do anything useful, as the mac address is just validated once the user is reconnects to the network. To figure out whats going on, you should be able to see whats happening in ISE once you have sent the CoA disconnect call, maybe post the it so we can figure out why its not working.

0 Helpful

Benjamin Pfister
Level 1
Level 1
In response to Benjamin Pfister

‎12-23-2015 04:40 AM

Option 0 (Default) in disconnect Action is working now. Thanks for your Support.

0 Helpful

domesd001
Level 1
Level 1

‎12-11-2018 07:21 AM

Hi Benjamin,

 

We have a similar setup and are looking for a solution to have users "sign out" of a CWA session.

 

What was your final solution to this?


Thanks

0 Helpful
Customers Also Viewed These Support Documents