Is it possible to only allow an endpoint on for so long in a day?

craiglebutt
Level 4

We use a WLAN with a PSK to allow configuring of Apple devices and updating them to get on to the corporate WLAN.

But people share this PSK around and add their own devices.

 

Currently this doesn't go via the ISE, but I'm looking at using iPSK with the ISE.

Is it possible to force a time out and not allow a device back on after a prefixed time?

 

Cheers


Mike.Cifelli
VIP Alumni

IMO you have a couple of options. One specific option includes the ability to limit/restrict access by utilizing a 'Time and Date' condition that then gets referenced in the authz policy. When using Time and Date conditions you have the ability to set specific hours, specific date ranges, etc. You just need to ensure devices hit your authz policy. HTH!

thomas
Cisco Employee

Limiting an endpoint's session by time and preventing personal devices are two separate issues with separate solutions. I understand why you may not want people to connect personal devices, but using a pre-shared key does not give you user accountability, so you need to do things differently. iPSK will only create more work for you and your users because you need to manually add each MAC with a unique pre-shared key.

 

Limiting an Endpoint by Session Time

This is a standard Guest feature where you may limit by the number of hours either by time of day (8am-5pm) or by a time limit from first connect (4 hour limit). This is not possible in ISE for non-guest users. See Configuring Guest Type Access Times, Location, and Time Zone.

 

Bring Your Own Device (BYOD)

Differentiating access for corporate vs. personal devices is the purpose of BYOD. You typically provision corporate assets with certificates so you know they are managed. This may also be done with an MDM then authenticated with ISE. Personal devices could then simply use Guest access or the employee's username/password for authentication. You could also provision a separate certificate to personal devices as part of BYOD enrollment. See Cisco ISE BYOD Prescriptive Deployment Guide > Solution Deployment Considerations.
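The two guest access-time semantics in the "Limiting an Endpoint by Session Time" reply behave differently for the original question (a device that must not come back after its time is up). The following is an added illustration, not ISE code or anything from this thread: a small model of an authorization decision that applies a time-of-day window and a limit measured from first connect, with a constructed endpoint MAC and timestamps. It shows that the time-of-day window lets the endpoint back on the next day while the first-connect limit keeps it denied until an administrator clears its record.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessTimePolicy:
    """Model of a guest access-time policy (constructed, not ISE's implementation)."""
    window_start: Optional[time] = None                  # time-of-day window, e.g. 08:00
    window_end: Optional[time] = None                    # e.g. 17:00
    max_from_first_connect: Optional[timedelta] = None   # e.g. 4 hours
    first_seen: Dict[str, datetime] = field(default_factory=dict)

    def authorize(self, mac: str, now: datetime) -> Tuple[bool, str]:
        # Time-of-day window: denied outside the window, but the endpoint is
        # permitted again as soon as the window reopens (every day).
        if self.window_start is not None and self.window_end is not None:
            t = now.time()
            if self.window_start <= self.window_end:
                in_window = self.window_start <= t < self.window_end
            else:  # window crosses midnight, e.g. 22:00-06:00
                in_window = t >= self.window_start or t < self.window_end
            if not in_window:
                return False, "outside access window"
        # Elapsed-time limit: the clock starts at the endpoint's first connect
        # and never resets, so once spent the endpoint stays denied until an
        # administrator removes it from first_seen.
        if self.max_from_first_connect is not None:
            first = self.first_seen.setdefault(mac, now)
            if now - first >= self.max_from_first_connect:
                return False, "time limit from first connect exceeded"
        return True, "permit"


def run_scenario() -> List[str]:
    """Constructed scenario: 08:00-17:00 window plus a 4-hour limit from first connect."""
    policy = AccessTimePolicy(time(8), time(17), timedelta(hours=4))
    mac = "aa:bb:cc:00:00:01"  # constructed endpoint MAC
    checks = [
        datetime(2024, 1, 8, 9, 0),    # first connect, inside window
        datetime(2024, 1, 8, 12, 30),  # 3h30 later, still inside both limits
        datetime(2024, 1, 8, 13, 5),   # 4h05 after first connect: limit spent
        datetime(2024, 1, 8, 18, 0),   # outside the time-of-day window
        datetime(2024, 1, 9, 9, 0),    # next day: window open, limit still spent
    ]
    return [policy.authorize(mac, t)[1] for t in checks]
```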