ISE guest account purge scenario

lepinto
Cisco Employee

A customer of mine has a self-registered guest portal where guests can self-register, and they assign the accounts created by guests to guest type: Daily, which gives access to their wifi for 1 day. So users get access for a day from the time of login.

The issue they are facing is that after the guest account has expired (at the end of 1 day), users cannot use the same username to re-register, because that user account is not purged, since purge only occurs once daily for expired accounts.

For example: if a user registers at 1 PM today, the user will have access till 1 PM tomorrow. At 1:05 PM tomorrow he will try to re-register with the same username that he used yesterday but will not be successful, because the user gets an error “user already exists”, since the purge will only occur at night tomorrow.

Is there any way to purge/delete the expired guest accounts immediately, or delete all guest accounts (expired or otherwise) once every day, without any manual intervention?

Have you seen a similar setup/requirement in any other customer deployment, or can you provide any suggestions/workarounds?

Regards,

Lester Pinto

RTP-AAA TAC

6 Replies

Jason Kunst
Cisco Employee

Sorry, known limitation: no way to renew an account via self-registration.

Please have the account team reach out to Ameet Kulkarni, guest PM, for a feature request.

Craig Hyps
Level 10

Programmatic changes would require use of the ERS API. For example, you could use the ERS API to perform specific guest/endpoint operations on a scheduled or triggered basis, but there is no specific feature in the UI to purge an endpoint upon guest account expiry.

Hi,

Is there any way we can bulk delete the expired accounts through the ERS API? I was able to do it for individual accounts (using the user id), but cannot find a way to do it for multiple accounts.

BR

Shabeeb
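
Added example, not part of the original thread and not Cisco's code: one way to script the bulk cleanup asked about above, by listing guest users over ERS, reading each account's status, and deleting only those marked expired. The host name, port 9060, the `size`/`page` paging parameters, and the JSON field names (`SearchResult`, `nextPage`, `GuestUser`, status value `EXPIRED`) are assumptions to check against the ERS SDK on your ISE version.

```python
import base64
import json
import ssl
import urllib.request

# Placeholder host; port and path are assumptions, verify in your ERS SDK.
BASE = "https://ise.example.net:9060/ers/config/guestuser"


def ers_call(method, url, user, password):
    """One ERS request with TLS verification on; returns parsed JSON or None."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, method=method, headers={
        "Accept": "application/json", "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()  # keep certificate checks enabled
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def purge_expired(call, base=BASE, dry_run=True):
    """Delete guest users whose status is EXPIRED; return their names.

    `call(method, url)` is the transport. With dry_run=True nothing is
    deleted and the return value lists what would be removed.
    """
    # Collect every id first so deletions cannot shift the paging.
    ids, url = [], f"{base}?size=100&page=1"
    while url:
        result = call("GET", url)["SearchResult"]
        ids += [r["id"] for r in result.get("resources", [])]
        url = result.get("nextPage", {}).get("href")  # assumed field name
    purged = []
    for guest_id in ids:
        guest = call("GET", f"{base}/{guest_id}")["GuestUser"]
        if guest.get("status") != "EXPIRED":  # never touch live accounts
            continue
        if not dry_run:
            call("DELETE", f"{base}/{guest_id}")
        purged.append(guest["name"])
    return purged

# Scheduled use, with a dedicated low-privilege API account (hypothetical name):
# purge_expired(lambda m, u: ers_call(m, u, "guest-api", secret), dry_run=False)
```

Run it with `dry_run=True` first and review the returned names, and load the password from a secrets store rather than the script or the scheduler's command line.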

Is there a reason you’re not using the purge mechanism on ISE?

Otherwise here are a few tips and tricks

https://community.cisco.com/t5/security-documents/ise-guest-sponsor-api-tips-amp-tricks/ta-p/3636773

Hi Jason,

Thanks a lot for your reply. Our setup is as follows.

We are using self-registration for guest users and applied a script (followed your article in another thread) in the portal to treat the phone number as the username. The guest user accounts are given one day of duration and the purge time is, let's say, 12:00 am every day. Now we have an issue: if a user registered yesterday at 8:00 am, then his account has a duration till today 8:00 am, and the account will be in expired state after that. But since the account does not get deleted until tomorrow morning 12:00 am, the user cannot register again with the same phone number (since the same username exists) till tomorrow 12:00 am. The logical fix for this issue is to delete the user account when it expires, but unfortunately ISE does not have that option, it seems. This is the reason why I am looking for the API option. But I am just curious why ISE is not deleting the user account when it expires. Is there any advantage in keeping the account in expired state?

Regards

Yes, we keep the user account in case someone wants to extend or reinstate it.

You might have better luck allowing the user to create an account that lasts longer than expected, so they won’t run into this issue, and it will make your management easier.