Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
741
Views
0
Helpful
4
Replies

ISE CWA Sponsored Guest Access: Endpoint Purge vs Account validity

Go to solution
Martin Grimm
Level 1
Level 1

‎11-15-2022 12:43 AM

Hi Folks,

i have some Brain/Knots in my head regarding the following situation:

1. Customer wants Sponsored Guest Access and Guests should not get the Splash Page every time they associate to the WLC
2. There are 3 Guest Types in our deployment: 1 Day, 3 Day and 5 Day Access
3. A 3 Day access guest should not get the splash page within the 3 days period after log in successful the very first time

So i know about ISE Guest Remember-me function to look at the GuestEndpoint Identity Group.
But the problem is: If the guest account expires, ISE do not purge the EndpointID from database.

So if i purge all GuestEndpoints every 3 days for example, a 1 Day Guest Account Device will remain 3 days active and could use the network ressources. On the other Hand, if i purge every day, a 3 Day and a 5 Day guest will get the Splash Page every day.

How can we solve that? 
Is there any logical decision in ISE to move all Endpoints with a given Guest-Account, that is expiring, to the Unknown Endpoint Group? So from Endpoint Attributes, ISE has this information already.

Regards

Martin

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ahollifield
VIP
VIP

‎11-15-2022 06:15 AM

Edit the Guest Type and change the "Endpoint identity group for guest device registration" field to a unique value or each Guest Type.

ahollifield_0-1668521743079.png

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
ahollifield
VIP
VIP

‎11-15-2022 05:21 AM

Based on which guest type the endpoint is associated, register the endpoints to a endpoint identity group.  Create three different endpoint purge rules for each of the three endpoint identity groups based on how long they should remain "cached"..

0 Helpful

Go to solution
Martin Grimm
Level 1
Level 1

‎11-15-2022 05:57 AM

Good point, but i only seeing Identity Groups based on the guest types. How do you register those endpoints to the right endpoint identity group? I have no lab for testing yet. So from my understanding ISE will create only the corresponding identiy group to the guest type, no endpoint group. If i use the Sponsored Guest Access Portal, all endpoints are registered to the GuestEndpoint Group.

Regards,

Martin

0 Helpful

Go to solution
ahollifield
VIP
VIP

‎11-15-2022 06:15 AM

Edit the Guest Type and change the "Endpoint identity group for guest device registration" field to a unique value or each Guest Type.

ahollifield_0-1668521743079.png

 

0 Helpful

Go to solution
Martin Grimm
Level 1
Level 1
In response to ahollifield

‎11-15-2022 10:28 AM

Ok, thank you. I did not see this option for a 1000 times  :-), funny thing.

Regards,

Martin

0 Helpful
Customers Also Viewed These Support Documents