MALi-786
Beginner

How to restrict guest making new account after expiration

I deployed ISE with guest self registration on the Web Portal.

I want the guest (ex: Android phone with MAC address: xx:xx) to be able to get 1 hour of internet access per day.

I know that using a Time profile I can limit the guest to 1 hour of access, but how can I give the guest access each day?

Requirements:

--- I want to make this phone create only one account. (How can I limit his MAC address from creating new accounts when his account will expire in one hour?)

--- After 1 day, I want to give the same phone access (I don't mind if it is a new account or the same account as the day before).

 

How can we make this happen? Otherwise, every time the account expires, the phone will be able to auto-register with a new account.

Accepted Solutions
thomas
Cisco Employee

Unclear what the real issue is here and why you are being so restrictive but .... here you go:

You may create a 1_Hour_Guest type as shown below.

I assume you're talking about a HotSpot scenario since I cannot imagine such overhead for anyone taking the time to Register or be Sponsored. However, HotSpot tracks users by MAC address - not by a login username/password - and all modern mobile devices randomize their MAC address, which would defeat your 1-hour policy immediately.

This means you would need to do a Self-Registered or Sponsored guest portal.

I don't think 1-hour of Internet access is worth the time of your Sponsoring employee(s) to approve [random] guests for a single hour of access every single day. If it truly is, this is your best option because you ultimately have a human sponsor approving them - or not - for every access request for every hour of every day.  8-/

This leaves you with Self-Registered where you can mitigate random MACs bypassing the HotSpot limitations by using a username/password for logins and use their mobile phone number as the username and SMS them their password. They might carry 2 phones but otherwise that should limit it.  8-)

Finally, if none of this is perfect for you, there is always the custom, API-based guest solution where you could even register them outside of ISE and put them in and out of Allow/Blocklists for enforcement by ISE.

 

Screen Shot 2021-02-17 at 11.45.58 AM.png

 

Screen Shot 2021-02-17 at 11.17.25 AM.png
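
The external-registration option from the answer above, sketched as an added example (not part of the original post and not Cisco code): a registrar that keys guests on their phone number rather than their MAC address and allows one 1-hour window per calendar day. `GuestRegistrar`, `request_access` and `blocklist` are hypothetical names, "per day" is assumed to mean calendar day, and pushing the resulting list into ISE is not shown.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ACCESS_WINDOW = timedelta(hours=1)  # the 1-hour allowance from the question

def normalize_phone(raw: str) -> str:
    """Reduce a number to digits so differently formatted entries of it match."""
    digits = re.sub(r"\D", "", raw)
    if not 7 <= len(digits) <= 15:
        raise ValueError("not a plausible phone number")
    return digits

@dataclass
class GuestRegistrar:  # hypothetical name, not an ISE object
    grants: dict = field(default_factory=dict)  # phone -> (day granted, expiry)

    def request_access(self, phone: str, now: datetime):
        """Return (status, expiry): one window per phone per calendar day."""
        key = normalize_phone(phone)
        grant = self.grants.get(key)
        if grant and now < grant[1]:
            return ("active", grant[1])   # still inside the granted hour
        if grant and grant[0] == now.date():
            return ("denied", None)       # hour already used today
        expiry = now + ACCESS_WINDOW
        self.grants[key] = (now.date(), expiry)
        return ("granted", expiry)

    def blocklist(self, now: datetime):
        """Phones that used today's hour; these would be pushed to the
        blocklist and dropped from it again once the date changes."""
        return sorted(k for k, (day, expiry) in self.grants.items()
                      if day == now.date() and now >= expiry)

if __name__ == "__main__":
    reg = GuestRegistrar()
    start = datetime(2021, 2, 17, 9, 0)  # constructed sample times
    for raw, when in [("+1 (555) 010-0000", start),
                      ("1-555-010-0000", start + timedelta(minutes=90)),
                      ("15550100000", start + timedelta(days=1))]:
        print(raw, when, reg.request_access(raw, when))
```

Because the key is the SMS-verified phone number, a device that presents a new randomized MAC address still maps to the same grant.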

 

 
