06-23-2018 11:53 AM - edited 02-21-2020 10:59 AM
Hello Community,
I have a customer who wants guest users whose accounts expire to be blocked for some time (one day); after that time they would be authorized to reauthenticate through the captive portal.
Is it possible?
Thanks a lot
06-23-2018 06:12 PM
Hi
Never had such a request before, but I'm quite sure this isn't possible. I mean, an account is valid for x days, and during these x days the guest user can authenticate without issues.
There's no option saying block the user and then re-authenticate him again.
Can you check in the API whether there's something to activate expired users again? If yes, you will need to have them for 1 day and execute a scheduled script that will allow them again 2 days after.
06-24-2018 06:55 AM
06-24-2018 03:45 PM
OK, what your customer wants is not possible in ISE; I mean, I don't see any workaround to make it work.
Usually you allow guests for x days, and if they come back they'll go through the same process again. And more than that, if you granted them access for 2 days, they can connect as much as they want.
Maybe there's another solution but can you detail the real use case?
06-25-2018 12:15 PM - edited 06-25-2018 12:18 PM
Something needs to be clarified: the guest account lasts for a specific number of days, after which it expires and can NOT be reused because it is no longer valid. BUT that account can be "reinstated" manually by the ISE administrator. You would have to investigate whether a script can be created that looks up that user in the database and reinstates/reactivates the expired guest account after X number of days of your choosing; OTHERWISE, do it by hand as I pointed out before.
06-25-2018 12:20 PM
Hello,
Yes, of course, you are absolutely right. The thing is that I set up a script on a self-registration portal so that it would work like a Hot Spot but asking for data (name and email).
So the idea is that those self-registered users don't register constantly, but instead stay blocked for a certain time.
Thank you very much for your time.
06-25-2018 12:25 PM
I don't see the point of allowing self-registration if they can't use the account right away.
06-25-2018 12:30 PM
No, look, this is how it works:
1. The user uses the portal, registers, and is immediately given Internet access for one hour.
2. When the hour ends, the account expires and the user no longer has access.
3. The user tries to connect again, the captive portal is displayed again, the user goes through the process again with another name, and is given Internet access.
What the customer wants is for step 3 to be allowed only one day later, that is, for the same user (PC-cell phone) not to be able to reconnect again.
Thanks
06-25-2018 12:47 PM
Hi Leo,
I suspect you will have to create an AUTHZ Policy using MAB.
Not sure if the following helps:
1. Initial Guest Account creation, 1 hour use. Successful access. MAC address of the end-user device automatically added to an ISE Endpoint Group.
2. 1 hour later, the account has expired but the MAC is still in the DB.
3. User tries to create another Guest account with a different username/email, hits an AUTHZ policy that says IF MAC in GuestEndpoint DB then deny access OR redirect to a warning page that could say something like: "you have reached the maximum amount of allowed wireless internet service".
4. You purge the Guest Endpoint Group every 24 hours.
06-25-2018 12:50 PM
Hi,
I already did that, but for some reason after a couple of minutes I get kicked off; maybe ISE checks something about policy matching from time to time, or some process makes me hit that rule.
Thanks a lot for your time.
06-25-2018 01:15 PM
802.1x requires an entire reauthentication (not reassociation) when roaming. Not sure if the same happens on CWA. Just to be safe, do you have session timeout enabled on that SSID?
06-25-2018 01:17 PM
Yes, the default 1.800.
Thanks
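The MAB workaround and the kick-off discussed above can be modelled offline. This is an added example, not code from the thread or from Cisco ISE: `GuestEndpointGroup`, its methods and the result strings are hypothetical, the cause of the kick-off (a re-authentication matching the deny rule) is the posters' hypothesis, and the purge ages out each device individually rather than clearing the whole group once a day.

```python
import re
from datetime import datetime, timedelta

GUEST_LIFETIME = timedelta(hours=1)   # guest access length described in the thread
BLOCK_WINDOW = timedelta(hours=24)    # purge interval described in the thread


def normalize_mac(mac):
    """Reduce aa:bb:..., AA-BB-... and aabb.ccdd.eeff to one canonical key."""
    digits = re.sub(r"[:.\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class GuestEndpointGroup:
    """Hypothetical in-memory stand-in for the ISE endpoint identity group."""

    def __init__(self):
        self._registered = {}  # canonical MAC -> time of first guest registration

    def register(self, mac, now):
        # Keep the first registration time so a repeat cannot extend access.
        self._registered.setdefault(normalize_mac(mac), now)

    def authorize(self, mac, now, check_expiry=True):
        """Return the result for a MAB request (initial or re-authentication)."""
        seen = self._registered.get(normalize_mac(mac))
        if seen is None:
            return "REDIRECT_TO_PORTAL"
        # Without this check, the first re-authentication inside the granted
        # hour matches the deny rule and the session is dropped.
        if check_expiry and now - seen < GUEST_LIFETIME:
            return "PERMIT"
        return "DENY"

    def purge(self, now):
        """Drop entries older than BLOCK_WINDOW; returns how many were removed."""
        stale = [m for m, t in self._registered.items() if now - t >= BLOCK_WINDOW]
        for m in stale:
            del self._registered[m]
        return len(stale)
```

With `check_expiry=False` the model reproduces the reported behaviour at the 1800-second session timeout; with the default, the device stays permitted until its hour ends and is denied until the purge.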
06-25-2018 12:31 PM
I'm sorry to disturb but if the post starts in English, it would be appreciated to continue in the same language, then everybody can help and understand what's going on.
06-25-2018 12:40 PM
Yes, I agree.
Sorry about that.
I was explaining the process that my customer wants to block or not permit.
The flow is something like this:
1. Users connect to the SSID with CWA (auto-register with HTML mod for Hot Spot), fill in the form and get access to the Internet for one hour.
2. After that hour the users expire and finally get kicked out.
3. The users try to reconnect and the CWA is displayed again; then the user fills in the form again with another name and gets access to the Internet for another hour.
What my customer wants is to block that user (PC-Smartphone) from reconnecting for a certain time.
Thanks and again sorry for the language.
06-25-2018 01:01 PM
When you say for a certain time, does this mean specific hours in the day, or waiting x minutes/hours after the last login?