ISE guest portal - Duration of access

I have a guest portal for wireless clients and in the authorization policy I use the condition of "Guest Flow", and in the WLC I have disabled the "Session Timeout" of the WLAN.
The documentation indicates that with this configuration the guests will only enter their credentials the first time they connect to the Wi-Fi network, and in the following connections the credentials are not requested.


1) I want to know how I go about providing limited time access to guests under that scenario.
2) What is the function of the time I assign to each type of guest (1 week, 1 day, 1 month)?
3) If I create authorization policies based on "Endpoint Group" and eliminating the "Guest Flow", then can I control the duration of access to the Wi-Fi network using the "Purge" option?

4) If an employee logs in to the guest portal and inherits the profile of a 1 week guest type.

- Will that employee only have access for that limited time (1 week)? Or will he also enter his credentials the first time, and in the following connections the credentials will not be requested?

- How does the ISE control this "limited time access"?

Arne Bier
VIP

Hi @FernandoDiaz1992

One good reference for ISE Guest Design is the Guest Prescriptive Design Guide by Jason Kunst from Cisco.


I tend not to use the Guest Flow concept for long term access because it relies on the WLC's session maintenance to keep that flag=true. Guest Flow is set to True inside of ISE when the user has just logged into a portal and ISE received the RADIUS Accounting Start from the WLC. However, when WLC terminates the session, then the flag is False.

A more persistent approach is to use the MAC address "Remember Me" feature. Put the MAC address of each type of Guest into their own Endpoint Identity Group, e.g. create three Endpoint Identity Groups:

"Daily_Guests", "Weekly_Guests", "Monthly_Guests"

And for each of the respective Guest Types, set their Endpoint Identity Group to use the above. When a user of each type logs in, then their MAC address goes into the respective Group.

The Endpoint Identity Purging then needs to be set up for each group:

Daily Guests - if older than 0 days

Weekly Guests - if older than 7 days

etc.


That's a granular approach. And perform the purging at midnight. In most cases this is reasonable if the guest access is used during normal business hours.


Hope that helps. There are other older postings of people who have granted very short periods of time (minutes) - I think for those cases the Guest Flow might be better suited.
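The following is an added illustration of the purge-based approach described in the reply above; it is not code from the thread or from Cisco ISE. It models, in Python, how a nightly Endpoint Identity Purge with "older than N days" rules per Endpoint Identity Group determines when each guest's MAC loses its "Remember Me" access. The group names and thresholds mirror the reply's example (0, 7 and 30 days); the MAC addresses, login times and the exact comparison semantics (purge when whole elapsed calendar days exceed N, evaluated at a midnight run) are assumptions for the model, not a statement of ISE internals.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed purge policy: one "older than N days" rule per Endpoint Identity Group,
# following the reply's example. Assumption: an endpoint is purged when the whole
# calendar days since it was registered exceed N.
PURGE_RULES = {
    "Daily_Guests": 0,
    "Weekly_Guests": 7,
    "Monthly_Guests": 30,
}


@dataclass(frozen=True)
class Endpoint:
    mac: str              # constructed sample MAC address
    group: str            # Endpoint Identity Group the guest type registers the MAC into
    first_seen: datetime  # portal login that created the endpoint record


def elapsed_days(ep: Endpoint, run_at: datetime) -> int:
    """Whole calendar days between the endpoint's registration date and the purge run."""
    return (run_at.date() - ep.first_seen.date()).days


def should_purge(ep: Endpoint, run_at: datetime, rules=PURGE_RULES) -> bool:
    """Apply the group's rule; endpoints in a group with no purge rule are kept."""
    threshold = rules.get(ep.group)
    if threshold is None:
        return False
    return elapsed_days(ep, run_at) > threshold


def run_purge(endpoints, run_at: datetime, rules=PURGE_RULES):
    """Simulate one scheduled purge run; returns (kept_macs, purged_macs)."""
    purged = [ep.mac for ep in endpoints if should_purge(ep, run_at, rules)]
    kept = [ep.mac for ep in endpoints if not should_purge(ep, run_at, rules)]
    return kept, purged


def access_expires_at(ep: Endpoint, rules=PURGE_RULES) -> datetime:
    """First midnight run at which this endpoint's MAC is purged (access ends)."""
    threshold = rules[ep.group]
    midnight_of_login = ep.first_seen.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight_of_login + timedelta(days=threshold + 1)


# Constructed sample endpoints, evaluated at the midnight run on 2024-03-05.
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "Daily_Guests",   datetime(2024, 3, 4, 10, 30)),
    Endpoint("00:11:22:33:44:02", "Daily_Guests",   datetime(2024, 3, 4, 23, 55)),
    Endpoint("00:11:22:33:44:03", "Weekly_Guests",  datetime(2024, 2, 26, 9, 0)),
    Endpoint("00:11:22:33:44:04", "Weekly_Guests",  datetime(2024, 2, 27, 9, 0)),
    Endpoint("00:11:22:33:44:05", "Monthly_Guests", datetime(2024, 2, 4, 8, 0)),
]
MIDNIGHT_RUN = datetime(2024, 3, 5, 0, 0)


if __name__ == "__main__":
    kept, purged = run_purge(SAMPLE_ENDPOINTS, MIDNIGHT_RUN)
    print("kept  :", kept)
    print("purged:", purged)
    for ep in SAMPLE_ENDPOINTS:
        print(ep.mac, ep.group, "access ends at", access_expires_at(ep))
```

Running it shows the edge case worth knowing when choosing this design: with "older than 0 days" purged at midnight, a daily guest who registers at 23:55 is purged five minutes later, while one who registers at 10:30 keeps access for the rest of that day; the weekly and monthly groups are kept until elapsed days exceed the threshold, so the 7-day guest is purged on the eighth midnight after registration.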