09-27-2013 12:14 PM - edited 03-10-2019 08:56 PM
I am testing CWA and noticed that, even though the guest account has expired, the connection is still up and the switchport shows:
ISEtest3560#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 001d.09cb.78bd
IP Address: 10.2.8.31
User-Name: joe.harbison@csiweb.com
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-GUEST-524448ff
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0003E60000004009EEE336
Acct Session ID: 0x00000380
Handle: 0xC2000040
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
I would have thought that when the account was no longer valid the switch would have gone back to its default state. Also, on the legacy NAC you could see the guest accounts as local accounts; when we create a guest account through the sponsor portal we don't see it in the Guest identity group. We are looking at that group within one of our authorization profiles.
Thanks,
Joe
09-30-2013 08:40 AM
Update:
Still having the same issues. I have tested by allowing an account to expire: there is no CoA or any RADIUS messages sent to the switch, and the user stays authenticated. If I do a CoA from ISE the port does receive RADIUS messages and it goes back to the "Web Auth" authorization profile. Even if I suspend the account the user is still authenticated.
Has anyone else experienced this?
Thanks,
Joe
09-30-2013 03:30 PM
I'm thinking that it would be based on the command:
authentication timer reauthenticate xxxx
I'm not sure I've seen anything that sends a CoA on expiry of a guest account; the switch would have to trigger it.
If you clear auth sess int fa0/2, what does it do then?
You will not be able to see sponsor-created accounts within the guest account section. This lists only accounts created manually through the ISE GUI. As far as I know the only way to see the sponsor-created accounts is through a sponsor-all account on the sponsor portal (for all of them), or through the individual sponsor's own/sponsor group.
10-01-2013 05:52 AM
I am confused on how the revocation of access occurs for a guest account. From what I have experienced, as long as the guest doesn't unplug their device (only testing wired now) they have full guest access even if their account expires or is suspended. Does the "authentication timer reauthenticate xxxx" tell the switch to check the status of each port to determine if it is valid? My lack of knowledge might be the issue here, but I would expect that the authorization part would go back to "web auth" if the user's account has been disabled or suspended.
To answer your question, if I clear the auth session int fa 0/2, the port goes past the MAB authentication and then hits the CWA authorization profile. If the user attempts to browse they are presented with the guest login portal. This is what I would have expected automatically when the account has expired.
Thanks,
Joe
10-02-2013 02:10 AM
Yes, I got the same problem.
Plus, I noticed that this issue appears when the guest accounting is made via a wired device (Cat3750 or Cat4500),
but not via a wireless device (e.g. the WLC doesn't seem to suffer from the same problem).
10-02-2013 06:14 AM
So ISE can send some type of CoA to the WLC but can't to a switch? Do you see any messages that come from ISE to the WLC that aren't present when a guest account expires for wired?
This seems to be a feature that could be implemented or am I over simplifying this?
Thanks,
Joe
10-01-2013 06:36 AM
The authentication timer reauthenticate xxxx tells the switch (on an individual port basis) when to go back to ISE for re-authentication.
It would be good if, when a guest account expires, a Change of Authorization were sent to the switch automatically, to proactively initiate the same from ISE. But I don't believe it does.
Not a problem in most cases where guests are given a day or a week access, but not so good if you're strictly controlling access by the hour for instance.
What version are you using?
I'm interested in having a look through to see whether it is possible to send a CoA automatically from ISE.
I suspect not, unless introduced in 1.2 and it's subsequent patches.
Sent from Cisco Technical Support iPhone App
10-01-2013 06:48 AM
In the meantime, do you know that your CoA is working for any other application?
I.e. do you have dynamic author set up correctly on the switch? Would it be allowed through any firewalls, or are there none?
So... if ISE were able to issue CoA on guest account expiry, would it get through to your switch and be accepted?
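As an added illustration of the two questions raised in this reply (is the switch configured to accept CoA from ISE, and is it configured to re-authenticate the port on a timer), here is a Catalyst configuration that covers both. This is example configuration, not something posted in the thread; the ISE address 10.2.8.10, the shared key and the interface number are placeholders to replace with your own values.

```ios
! Added example: Catalyst 3560/3750-style config for MAB + CWA with
! ISE-driven CoA and periodic re-authentication.
! Placeholders: 10.2.8.10 (ISE PSN), ciscoISEkey (shared secret), Fa0/2.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

! Without this stanza the switch drops RADIUS CoA (UDP 1700 by default)
! sent by ISE, and "CoA from the Session Directory" has no effect.
aaa server radius dynamic-author
 client 10.2.8.10 server-key ciscoISEkey
 auth-type any

dot1x system-auth-control

radius-server host 10.2.8.10 auth-port 1812 acct-port 1813 key ciscoISEkey
! Attributes ISE expects for MAB/CWA (NAS-Port-Type, Framed-IP-Address,
! Cisco VSAs such as the url-redirect pair).
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting

! Needed for the CWA redirect to work on the switch itself.
ip device tracking
ip http server
ip http secure-server

interface FastEthernet0/2
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! "authentication timer reauthenticate" does nothing unless
 ! "authentication periodic" is also present on the port.
 authentication periodic
 ! "server" means: use the Session-Timeout (attribute 27) ISE returns in
 ! the Access-Accept. A plain number instead of "server" is seconds, so
 ! "authentication timer reauthenticate 60" is one minute, not one hour.
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
```

With "authentication timer reauthenticate server", the Session timeout field in "show authentication sessions" only stops reading N/A if the ISE authorization profile actually sends a Session-Timeout (the Reauthentication option in the profile); with a fixed value the field shows the local timer instead. Either way, all the timer does is make the switch send a fresh MAB request to ISE on that interval; what ISE answers at that point is decided by its policy, which is what the thread was testing. The dynamic-author stanza is what makes an ISE-initiated CoA land on the port at all.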
10-01-2013 07:05 AM
We are running version 1.1.4.218.
If I do a CoA from the Session Directory, Radius Active Sessions, I do see that the port does change status. I would expect that this proves ISE can do a CoA on the switch, correct?
If ISE doesn't do a CoA on a guest account switch port, and there is no authentication timer reauth xxxx command on the port, then after the guest authenticates there is no restriction on the port until the port state changes?
Thanks,
Joe
10-01-2013 06:08 PM
Yes, correct. The reauth timer should be set to suit, but it does seem to be a weakness that an expired guest account doesn't force CoA.
10-02-2013 08:03 AM
I put the command authentication timer reauthenticate 60 on interface fa0/2 and set up a guest account that was restricted to 1 hour. The guest account has now expired but the interface still shows authenticated:
ISEtest3560#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 001d.09cb.78bd
IP Address: 10.2.8.31
User-Name: gtest@test.com
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-GUEST-524448ff
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0003E60000004F1EAC0F55
Acct Session ID: 0x000004B4
Handle: 0x0D00004F
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
I assume that the value for the command is in seconds, correct?
Thanks,
Joe
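Added example (not from the thread): a small audit script that parses "show authentication sessions interface" output like the one pasted above and flags sessions that carry a guest dACL, are in Authz Success, and have no session timeout at all, i.e. sessions the switch will never revisit on its own and that only a CoA or a link change can end. The sample output is constructed: the first session copies the poster's fields, the second (Fa0/3, an employee dACL with a server-supplied timeout) is made up to show the non-flagged case.

```python
"""Audit Catalyst 'show authentication sessions interface ...' output for
guest sessions with no re-authentication timer.

Added example, not from the thread. SAMPLE_OUTPUT is constructed: the
Fa0/2 session mirrors the poster's output, the Fa0/3 session is invented.
"""
import re

# "   Key words:  value" lines; keys may contain spaces and hyphens
# (e.g. "User-Name", "Common Session ID").
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]+?):\s*(.*?)\s*$")
# Rows under "Runnable methods list:" such as "dot1x    Failed over".
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")

SAMPLE_OUTPUT = """\
ISEtest3560#show authentication sessions interface fastEthernet 0/2
            Interface:  FastEthernet0/2
          MAC Address:  001d.09cb.78bd
           IP Address:  10.2.8.31
            User-Name:  gtest@test.com
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
              ACS ACL:  xACSACLx-IP-GUEST-524448ff
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0003E60000004F1EAC0F55
      Acct Session ID:  0x000004B4
               Handle:  0x0D00004F
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
ISEtest3560#show authentication sessions interface fastEthernet 0/3
            Interface:  FastEthernet0/3
          MAC Address:  0011.2233.4455
           IP Address:  10.2.8.40
            User-Name:  corp-user
               Status:  Authz Success
               Domain:  DATA
        Authorized By:  Authentication Server
              ACS ACL:  xACSACLx-IP-EMPLOYEE-5244ab12
      Session timeout:  3600s (server), Remaining: 2817s
         Idle timeout:  N/A
    Common Session ID:  0A0003E6000000501EAC1234
Runnable methods list:
       Method   State
       dot1x    Authc Success
"""


def parse_sessions(text):
    """Return one dict per session; a new session starts at each 'Interface:'."""
    sessions, current, in_methods = [], None, False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "Interface":
                current = {"methods": {}}
                sessions.append(current)
                in_methods = False
            if current is None:
                continue
            if key == "Runnable methods list":
                in_methods = True
                continue
            current[key] = value
            continue
        if in_methods and current is not None:
            mm = METHOD_RE.match(line)
            if mm:
                current["methods"][mm.group(1)] = mm.group(2)
    return sessions


def session_timeout_seconds(session):
    """Seconds from 'Session timeout' (server or local), or None for N/A."""
    m = re.match(r"(\d+)s", session.get("Session timeout", "N/A"))
    return int(m.group(1)) if m else None


def unbounded_guest_sessions(sessions, acl_marker="GUEST"):
    """Authorized sessions with a guest dACL and no timeout of any kind."""
    return [
        s for s in sessions
        if s.get("Status") == "Authz Success"
        and acl_marker in s.get("ACS ACL", "")
        and session_timeout_seconds(s) is None
    ]


if __name__ == "__main__":
    for s in unbounded_guest_sessions(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{s['Interface']}: {s['User-Name']} ({s['MAC Address']}) "
              f"has {s['ACS ACL']} and no re-auth timer")
```

Feed it the concatenated output of the show command for the guest-facing ports; any line it prints is a port where an expired or suspended guest keeps the guest dACL until something external (CoA, link down, clear authentication sessions) tears the session down.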
10-02-2013 11:48 PM
joeharb wrote:
I put the command authentication timer reauthenticate 60 on interface fa0/2 and set up a guest account that was restricted to 1 hour. The guest account has now expired but the interface still shows authenticated:
Hi Joe,
Regarding the "reauthenticate xx" command: 60 min is the default timer for reauth; a switchport with no specific setting does reauth every 60 min automatically. I personally tried every variation of reauth/deauth commands on the switchport,
but nothing seems to work.
"WLC-connected guests" seem to perform the CoA, but it is quite a different scenario,
since we use a VLAN "Xxx" as a "limbo" space where we
have a few ACLs redirecting traffic from the LAN to our ISE policy server nodes in order to be authenticated.
I suppose, but maybe I'm wrong, that somehow changing IP from the limbo VLAN to the one where the host is supposed to land according to our ISE policy made ISE "wake up" and forced it to send a CoA to the WLC.
Otherwise, in the wired scenario, the VLAN where hosts are when they're authenticating is the same one used
for navigation, so the Catalyst switch somehow still "believes" it is in front of a valid (still authenticated) connection
and permits the host to pass traffic.
As you suggest, I've got to check the WLC log output when a guest expires and see what we get different from the Cat4500 one.
Bye,
eugenio
10-03-2013 06:50 PM
I agree with the second comment from the ID (bikespace); the only suggestion from my side would be about the rules made for the guest users in ISE.
If many rules are made, sometimes it happens that the rule has to be moved to the top for it to take effect.
10-09-2013 05:46 AM
Bump...
Any news?
BTW, I already opened an official case with Cisco support.
I'll let you know as soon as I get an official answer.
eugenio
Official news from Cisco:
Thank you for your time and co-operation.
Regards,
So... that's it guys,
sorry.
Message was edited by: eugenio desideri (after Cisco Official Response to my opened case)