Dear Tarik,

               I managed to integrate the ISE with the WLC and make the guest users self generate their username passowrds.We are giving the user access of  maximum 1 hr per day.  But when I checked further I have seen the following behaviour for the guest access .

1) If I delete a guest user from the ISE database before 1 hr still he is able to access the network without any issues. I am expecting him to logout and asked for web authentication again . Is this possible or I am wrong??

2) Same scenario if  a users 1 hr time limit is expired still he is not forced to reauthenticate . If he is connected he stays connected and access the network.

3) I saw that eventhough the user has a limit of 1 hr even after one hour he can generate the user name and password again from the same device and use it for another one hour. We want to restrict the access such that for a device it should be one hour of access.

Please advise if these things are possible to be done in the ISE and if possible how we can do these things.

Your quick reply is highly appreciated.

Thanks in advance.

Shabeeb,

Please check and see if the CoA is enabled globally. Also what version of ISE are you running? If you are running 1.1 then have the users also perform device registration webauthentication after they authenticate through the guest portal successfully, what this does it that is allows the endpoint to be statically assigned to a endpoint group...i.e. guest devices.

You can then create a compound condition and then see if you can set a one hour offset against an attribute in the endpoint once it was profile. However it may take some testing for you to get this down. I havent personally configured this yet but I am sure it is possible.

Thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik,

                If we delete the user from the ISE data base , still he is able to use the network unless he is disconnected from the WLC. Basically in our network the ISE not doing any control on the guest user other than simply giving him a portal to self generate the usernames and passwords. I am so frustrated with this box as I am a totally newbie to this one and there are not that much materials which describes these kinds of scenarios. This guest server is making things a lot complicated for the implementor than similar systems from other vendors i believe. Anyways am stuck up like anythin with this box and I don't know how I can resolve it. Thanks for your replies.

I understand your frustration. Check the settings for profiling under Administration > profiling and see what the COA field is set to. When you delete the endpoint ISE should issue a COA to the WLC and terminate that users session.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_prof_pol.html#wp1340803

Thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik,

               Thanks a lot  for your reply. I checked the ISE configuration and saw that under profiling its set to no COA. So if I need to achieve the requirement which I am looking for which option I need to choose ,  the port bounce option or the reauth option? .  I read the link which you have sent me . My question is that if I enable this COA  simply will it work or I have to create some end point profiling policies?. Am sorry if that was a stupid question.

Thanks in advance

Shabeeb Kunhipocker

Set the option to reauth, this should kick the user once the account is deleted.

You will have to create a time based profile to only allow one hour based on the previous post.

Sent from Cisco Technical Support iPad App

Thanks Tarik,

                   I ll definitely try that .  I am using the "default one hour " policy in the guest portal settings. I guess this is what you mean by time based profile. One more question. Right now am using a local web authentication from the WLC. To meet my requirement I can still use this or I have to choose CWA. I have seen options like " guest , CWA , both " in the guest portal settings. Please advise

Thanks in advance

Shabeeb Kunhipocker

There is a new feature which you can use device registration web authentication in 1.1 which will profile a device to a specific endpoint group. The current method that you are using will not prevent users from creating another user account.

What you can do after these devices are profiled using this method is to deny them to the guest registration page. First create a new endpoint group called guest-devices, then create two portals one for guest registration, another for device registration. For the device registration portal set the endpoint group to guest-devices.

First create a policy so that all users, but not guest-devices are redirected to the guest registration portal.

Second create another policy that allows Guest identity group to access but set the endpoint group to any and redirect to the device registration web authentication portal.

Third create a policy that combines the guest identity group with the guest-devices endpoint group to permit access.

Here is the flow if you get the policies ordered correctly.

A new endpoint connects gets redacted to the guest registration paged, user registers and authenticates.

Coa is issued since the user is now a guest user.

After coa the user is directed to the device registration page for profiling.

Once the user accepts the AUP the endpoint is now profiled and triggers another coa event.

Coa hits and now the user hits the permit access (user is a member of guest and now endpoint is a member of guest-devices)

Once the user account expires coa should trigger, or the session timeout value should have been set to 3600 seconds.

Now if the device tries to reconncect they will still be profiled as a guest-device and will not match a policy and should hit your default rule which is deny access.

This should get you in the right direction.

Sent from Cisco Technical Support iPad

Dear Tarik,

               As I told you earlier I am not that much familiar with the ISE. I created the two portals as you said ; one for guest registration and one for device registration. But to create policies from where can I do these??. If you can help me with the detailed configuration steps then that will be highly appreciated.

Thanks in advance

Shabeeb Kunhipocker.

Here is a link - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

                  But please tell me how can i write a policy for example " all users, but not guest-devices are redirected to the guest registration portal" . I mean how I can configure a policy saying like the any user except the guest user should be redirected to the guest registration portal??.

Thanks in advance

Shabeeb Kunhipocker

I didn't forget about you, I will post a screenshot later on today.

Sent from Cisco Technical Support iPad App