Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Guest account expires after 2 hours and relogin

Hello Community! I'm trying to design a way for a Guest account with AD credentials as an employee to login and after 2 hours be purged and forced to sign back in to the captive portal. This needs to be automatic without a sponsor. I only see options for 1 day in purge settings. 


Thank You,

Greg Gibbs
Cisco Employee

The Endpoint Purge is mainly used as part of the Remember Me guest scenario. Without that configuration, a guest user would have to go through the WebAuth login every time the session timeout on the SSID was reached. I assume you want a longer session ID and Remember Me for your true Guest logins, so you could try the following for your Employee logins.

  1. Create a new Endpoint ID Group to separate the Employee endpoints from the Guest ones (e.g. Employee_Guest_2hours)
  2. Create a new Guest Type (e.g. Employee_2hours) that uses the new EIG for device registration
  3. Update your Guest Portal to use that Guest Type for the 'Employees using this portal as guests inherit login options from' setting
  4. Create a new AuthZ Profile (e.g. AuthZ-Wireless-Emp-Guest) and enable the Common Task for Reauthentication with a timer of 7200 seconds to override the SSID setting.
  5. Create a new AuthZ Policy rule above the others that matches on the employee AD Group (e.g. Domain Users, or something more specific if needed) and applies the new AuthZ Profile.

The user experience may be a bit clunky depending on the type of endpoint they are using, so they might get kicked off the SSID or lose connectivity and have to disconnect/reconnect to the SSID to get the webauth page again. Proper employee communication/training should be employed to set the right expectations.

Thank You so much, we will give it a shot on a test ssid. We are using Meraki as our wireless. Would it perform the same as a WLC?

Meraki MR platforms do support CoA. The only other setting on the wireless side is the reauthentication pushed by ISE. I would be surprised if the MR does not support that AV pair, but you would need to test it out.

Thank You, I do see another contrition called, EndPoints·LastAUPAcceptanceHours


If I set this above the normal authz access for employees for 2 hours to redirect to the CP. It should prompt them to log in? Do you know if this will generate another successful authentication? I ask because I have a syslog sender to my palo alto to parse successful auths and match a username to ip, and that is set to purge that match after 2 hours.

Using that condition would require the AUP page to be presented every time the user is redirected to the portal. As per the steps I shared earlier, you should be able to do what you want without the added annoyance of constantly be prompted with an AUP.

Any time there is a reauthentication, it should generate a new session.

Thank You it works both ways. The requirement from my customer is for it to be accepted every 2 hours. As for the staff communication and training, its on them. From an Engineering standpoint, the solution is performing.

Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (100%)

Content for Community-Ad

ISE Webinars

Did you miss a previous ISE webinar?

CiscoISE YouTube Channel