ISE Guest Account expiration with Hotspot

noferrer
Cisco Employee

How can I configure the guest users using hotspot access with AUP accept only so that their accounts expire after 12 hours and after expiration they will be presented with the AUP portal again for having access granted?

Right now it seems like once the user accepts the AUP they always get access granted with accounts never expiring.

I found you need to add a Condition to the Wireless Guest Authorization Policy Set with Network Access:UseCase EQUALS Host Lookup, but I'm not sure where I can remove guests after 12 hours so that this condition is met.

I'm using ISE 2.1.

Accepted Solutions

Jason Kunst
Cisco Employee

Hotspot simply registers the endpoint into the guest endpoint group and relies on the endpoint purge policy (default is 30 days) to remove the endpoint.

I would suggest you set it equal to 0 days so that when the default purge happens at 2am the endpoint is removed.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/118741-configure-ise-00.html

Sent from my iPhone

So, then what would be the use of this:

Configure Periodic AUP Acceptance

Browse to Policy > Authorization, and create a new authorization rule at the top of the list that redirects the Guest user to a credentialed portal when the AUP period has expired. Use conditions to compare LastAUPAcceptanceHours against the desired maximum hours, for example, LastAUPAcceptanceHours > 8. You can check for a range of hours from 8 to 999.

Cisco Identity Services Engine Administrator Guide, Release 2.1 - Configure Guest Access [Cisco Identity Services Engin…


I thought this would pop up the AUP portal after 12 hours.

This is only used for flows where a user is involved: a credentialed web auth flow where the user has to log in to a portal. This can be a sponsor or self-ref portal.

And it doesn't pop up the AUP when they are connected; it only shows up when they come through the flow again using a new connection.

The authorization would look like this. Try it out, pretty sure it's what you need:

If guest endpoint and aup > 12 hours permit access

If guest endpoint and aup < 12 hrs redirect to credentialed guest portal for aup acceptance

If mab then redirect to credentialed guest portal

Sent from my iPhone