10-22-2021 12:29 AM - edited 10-22-2021 12:56 AM
I have a guest portal for wireless clients and in the authorization policy I use the condition of "Guest Flow", and in the WLC I have disabled the "Session Timeout" of the WLAN.
The documentation indicates that with this configuration the guests will only enter their credentials the first time they connect to the Wi-Fi network, and in the following connections the credentials are not requested.
1) I want to know how I go about providing limited time access to guests under that scenario.
2) What is the function of the time I assign to each type of guest (1 week, 1 day, 1 month)?
3) If I create authorization policies based on "Endpoint Group" and eliminating the "Guest Flow", then can I control the duration of access to the Wi-Fi network using the "Purge" option?
4) If an employee logs in to the guest portal and inherits the profile of a 1 week guest type.
- Will that employee only have access for that limited time (1 week)? Or will he also enter his credentials the first time, and in the following connections the credentials will not be requested?
- How does the ISE control this "limited time access"?
12-15-2021 01:35 PM
One good reference for ISE Guest Design is the Guest Prescriptive Design Guide by Jason Kunst from Cisco.
I tend not to use the Guest Flow concept for long term access because it relies on the WLC's session maintenance to keep that flag=true. Guest Flow is set to True inside of ISE when the user has just logged into a portal and ISE received the RADIUS Accounting Start from the WLC. However, when WLC terminates the session, then the flag is False.
A more persistent approach is to use the MAC address "Remember Me" feature. Put the MAC address of each type of Guest into its own Endpoint Identity Group, e.g. create three Endpoint Identity Groups:
"Daily_Guests", "Weekly_Guests", "Monthly_Guests"
And for each of the respective Guest Types, set their Endpoint Identity Group to use the above. When a user of each type logs in, then their MAC address goes into the respective Group.
The Endpoint Identity Purging then needs to be set up for each group:
Daily Guests - if older than 0 days
Weekly Guests - if older than 7 days
etc.
That's a granular approach. And perform the purging at midnight. In most cases this is reasonable if the guest access is used during normal business hours.
Hope that helps. There are other older postings of people who have granted very short periods of time (minutes) - I think for those cases the Guest Flow might be better suited.
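To make the timing behaviour of the approach above concrete, here is an added example (not code from the thread, and not an ISE component) that simulates the per-group purge rules as a small Python model. It assumes that ISE's "older than N days" test counts calendar days since the endpoint record was created by the Remember Me login and that the purge job runs at midnight; the MAC addresses, timestamps and group names are constructed. The authorization check is keyed on Endpoint Identity Group membership rather than on the Guest Flow flag, which is the design choice the answer recommends.

```python
from datetime import datetime, timedelta

# Constructed purge rules per Endpoint Identity Group: "if older than N days".
PURGE_RULES = {"Daily_Guests": 0, "Weekly_Guests": 7, "Monthly_Guests": 30}

# Constructed endpoint store: MAC -> (group, time the MAC was registered by the
# Remember Me login). Assumption (not confirmed by the thread): ISE's elapsed
# days are whole calendar days since that registration.
ENDPOINTS = {
    "00:11:22:33:44:55": ("Daily_Guests", datetime(2021, 10, 22, 15, 0)),
    "66:77:88:99:aa:bb": ("Weekly_Guests", datetime(2021, 10, 22, 9, 0)),
    "cc:dd:ee:ff:00:11": ("Monthly_Guests", datetime(2021, 10, 22, 18, 30)),
}


def next_midnight(now):
    """First midnight after `now`, when the nightly purge job is assumed to run."""
    return datetime.combine(now.date() + timedelta(days=1), datetime.min.time())


def elapsed_days(registered, at):
    """Calendar days between registration and the purge run."""
    return (at.date() - registered.date()).days


def purge(endpoints, rules, at):
    """Drop endpoints whose group rule says they are older than N days; return purged MACs."""
    purged = [mac for mac, (group, registered) in endpoints.items()
              if elapsed_days(registered, at) > rules[group]]
    for mac in purged:
        del endpoints[mac]
    return purged


def is_authorized(endpoints, mac):
    """Authorization keyed on Endpoint Identity Group instead of Guest Flow.

    Returns the group name the MAC belongs to, or None once it has been purged,
    at which point the client is sent back through the portal.
    """
    entry = endpoints.get(mac.lower())
    return entry[0] if entry else None


def simulate(endpoints, rules, start, nights):
    """Run the nightly purge for `nights` nights; return MAC -> datetime it was purged."""
    store = dict(endpoints)  # work on a copy so the caller's store is untouched
    removed = {}
    at = next_midnight(start)
    for _ in range(nights):
        for mac in purge(store, rules, at):
            removed[mac] = at
        at += timedelta(days=1)
    return removed


if __name__ == "__main__":
    start = datetime(2021, 10, 22, 15, 0)
    for mac, when in simulate(ENDPOINTS, PURGE_RULES, start, 40).items():
        print(f"{mac} ({ENDPOINTS[mac][0]}) purged at {when:%Y-%m-%d %H:%M}")
```

Running the simulation shows the edge case hidden in "older than 0 days": a Daily guest who registers at 15:00 (or at 23:55) loses access at the very next midnight, not 24 hours later, while the Weekly and Monthly guests are removed on the first midnight after their 7th and 30th calendar day. If that is too abrupt for late-day logins, the "older than 1 days" rule or a differently timed purge job is the knob to turn.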