09-15-2016 10:42 AM
All,
I'm looking for a way to quarantine a user account, doing EAP-TLS authentication and posturing, if they don't log into the network after a certain amount of days. I've opened up a TAC case with this request, and it looks like there is no native way for Cisco ISE to determine the last time a user logged in and then create a policy around that.
This request came through originally as a request to configure the "inactivity timer", which defaults to 30 days; however, this timer is just the amount of time Cisco ISE keeps track of the endpoint data before it purges it. Nothing to do with AuthC or AuthZ policies.
Basically looking to include this in an Authorization Policy:
Determine if the client has logged in within 30 days; IF NOT = Remediation Policy or Quarantine Policy.
Any ideas, built in to ISE or not, are all welcome.
09-15-2016 03:08 PM
If the customer is using AD, there are ways in AD to disable user accounts after a certain period of inactivity, e.g.
Under ISE, we can purge Guest users after a configured period of inactivity.
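Since the thread concludes that the stale-account check has to happen on the AD side rather than in ISE, here is an added example of what such a script could look like; it is not from the thread, the poster, or Cisco. It assumes the RSAT ActiveDirectory module, a domain account allowed to modify users, and placeholder values for the search OU and the quarantine group name. Rather than only disabling the account (which makes the EAP-TLS AD lookup fail with a plain reject), it adds the user to an AD group that an ISE Authorization Policy rule can match to a quarantine or remediation result, and disables the account only when `-Disable` is passed.

```powershell
# Added example, not part of the original thread: flag AD user accounts that have
# not logged on for more than $InactiveDays so an ISE AuthZ rule (matching the
# quarantine group) can apply a remediation/quarantine result on the next logon.
# Assumptions: RSAT ActiveDirectory module is installed; $SearchBase and
# $QuarantineGroup are placeholders to replace with real values.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]      $InactiveDays    = 30,
    [string]   $SearchBase      = 'OU=Users,DC=example,DC=com',   # placeholder
    [string]   $QuarantineGroup = 'ISE-Quarantine',               # placeholder
    [string[]] $Exclude         = @('Administrator', 'krbtgt'),   # never touch these
    [switch]   $Disable                                           # also disable, not just group
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates between DCs
# only every 9 to 14 days by default, so treat it as "at least this old", not exact.
# Accounts that have never logged on have a null LastLogonDate; fall back to
# whenCreated so brand-new accounts are not quarantined before first use.
$stale = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
            -Properties LastLogonDate, whenCreated |
    Where-Object {
        ($Exclude -notcontains $_.SamAccountName) -and
        ( ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
          (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff) )
    }

foreach ($user in $stale) {
    $lastSeen = if ($user.LastLogonDate) { $user.LastLogonDate } else { 'never' }
    $action   = "Add to $QuarantineGroup (last logon: $lastSeen)"

    # ShouldProcess honours -WhatIf / -Confirm so the script can be dry-run first.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, $action)) {
        Add-ADGroupMember -Identity $QuarantineGroup -Members $user
        Set-ADUser -Identity $user -Description (
            'Quarantined {0:yyyy-MM-dd}: inactive > {1} days' -f (Get-Date), $InactiveDays)

        if ($Disable) {
            # Disabling outright makes ISE reject the EAP-TLS logon instead of
            # sending the user to a remediation result; use only if that is intended.
            Disable-ADAccount -Identity $user
        }
    }
}

# Emit a report so the change can be audited (pipe to Export-Csv if needed).
$stale | Select-Object SamAccountName, LastLogonDate, whenCreated
```

Run it first with `-WhatIf` to see which accounts would be affected, then schedule it to run daily. On the ISE side, a rule in the Authorization Policy that matches the AD group (the group must first be added under the AD identity source's Groups tab so it is available as a condition) placed above the normal EAP-TLS permit rule gives the quarantine or remediation result the original post asked for. Keep in mind the replication lag of lastLogonTimestamp when choosing the threshold: a 30-day cutoff may catch accounts last used anywhere from 30 to roughly 44 days ago.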
10-01-2016 12:41 PM
Thank you. It looks like Cisco ISE can't do this without AD making changes to the user account. I discussed this with a few Microsoft AD engineers and they will be developing a script for me. I'll share it here when they put it all together.