Hello Community! I'm trying to design a way for a Guest account with AD credentials as an employee to log in and after 2 hours be purged and forced to sign back in to the captive portal. This needs to be automatic without a sponsor. I only see options for 1 day in purge settings.
The Endpoint Purge is mainly used as part of the Remember Me guest scenario. Without that configuration, a guest user would have to go through the WebAuth login every time the session timeout on the SSID was reached. I assume you want a longer session ID and Remember Me for your true Guest logins, so you could try the following for your Employee logins.
The user experience may be a bit clunky depending on the type of endpoint they are using, so they might get kicked off the SSID or lose connectivity and have to disconnect/reconnect to the SSID to get the webauth page again. Proper employee communication/training should be employed to set the right expectations.
Thank you so much, we will give it a shot on a test SSID. We are using Meraki as our wireless. Would it perform the same as a WLC?
Meraki MR platforms do support CoA. The only other setting on the wireless side is the reauthentication pushed by ISE. I would be surprised if the MR does not support that AV pair, but you would need to test it out.
Thank you, I do see another condition called EndPoints·LastAUPAcceptanceHours.
If I set this above the normal authz access for employees for 2 hours to redirect to the CP, it should prompt them to log in? Do you know if this will generate another successful authentication? I ask because I have a syslog sender to my Palo Alto to parse successful auths and match a username to IP, and that is set to purge that match after 2 hours.
Using that condition would require the AUP page to be presented every time the user is redirected to the portal. As per the steps I shared earlier, you should be able to do what you want without the added annoyance of constantly being prompted with an AUP.
Any time there is a reauthentication, it should generate a new session.
Thank you, it works both ways. The requirement from my customer is for it to be accepted every 2 hours. As for the staff communication and training, it's on them. From an engineering standpoint, the solution is performing.