
Limit a user from creating more than one guest account per day from an endpoint

hradhanp
Cisco Employee

We have integrated ISE and SMS gateway.


Now the customer requirement is that one mobile device should only be able to generate a username and password once in 24 hrs. Can we achieve the same through ISE?


If yes, then what policy do we need to configure for that?


Currently a guest can create as many accounts as possible from that endpoint without logging in. We want to limit a guest device to creating a username and password only once in 24 hours.

Accepted Solutions

Jason Kunst
Cisco Employee

Not natively. Please get this info to our ISE Product Management team to add to the product feature requests.

You could limit them using device registration.

When they first come in they are redirected to guest portal.

After they go through the flow their MAC address is put into the Guest Endpoint group and then you base authorization off this flow.

If Guest Endpoints then permit access

That device will no longer be able to click on "Don't have an account". It still doesn't restrict them from signing up from another device if they have one.

Otherwise you would need to do some advanced scripting work and have a go between to control this. This would be complex from what I can envision.


3 REPLIES

What policy do we need to configure here? Can you share a snapshot of the policy, if any?

Also, can we restrict the device for 24 hrs? After that he should be able to generate a new username and password.

If wireless_mab and guestendpoint group then permit access

If wireless_mab then redirect to guest portal

You will need to set your endpoint purge policy for guestendpoints equal to 0 days so they clear out every morning (keep in mind this is global, at the time set per the system MNT timezone).

If you're using a worldwide system you will need to write a script to clear the endpoints out.

Similar info here:

https://communities.cisco.com/thread/79413?start=0&tstart=0
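
One way to write the endpoint-clearing script mentioned in the last reply, as an added example (not from the thread or from Cisco): it uses the ISE ERS REST API to delete endpoints that have sat in the guest endpoint group for 24 hours, giving a rolling window instead of one global purge time. Assumptions: ERS is enabled on port 9060 with an ERS admin account, the group is named `GuestEndpoints`, and the caller persists the `first_seen` map between runs.

```python
import base64, json, time, urllib.request
from urllib.parse import quote

def make_ers(host, user, password, port=9060):
    """Return call(method, path) -> parsed JSON (None if empty) for the ERS API."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def call(method, path):
        req = urllib.request.Request(
            f"https://{host}:{port}{path}", method=method,
            headers={"Accept": "application/json",
                     "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:  # default TLS verification
            body = resp.read()
        return json.loads(body) if body else None
    return call

def list_group_endpoints(call, group_name, page_size=100):
    """Return [{'id': ..., 'name': <MAC>}, ...] for every endpoint in the group."""
    group = call("GET", f"/ers/config/endpointgroup/name/{quote(group_name)}")
    gid = group["EndPointGroup"]["id"]
    found, page = [], 1
    while True:
        res = call("GET", f"/ers/config/endpoint?filter=groupId.EQ.{gid}"
                          f"&size={page_size}&page={page}")["SearchResult"]
        found += res.get("resources", [])
        if "nextPage" not in res:  # last page reached
            return found
        page += 1

def purge_expired(call, group_name, first_seen, now=None, max_age=24 * 3600):
    """Delete endpoints first seen in the group at least max_age seconds ago.

    first_seen maps MAC -> epoch seconds and is persisted by the caller between
    runs (assumption: the script's own record stands in for registration time).
    """
    now = time.time() if now is None else now
    current = list_group_endpoints(call, group_name)
    removed = []
    for ep in current:
        mac = ep["name"]
        if now - first_seen.setdefault(mac, now) >= max_age:
            call("DELETE", f"/ers/config/endpoint/{ep['id']}")
            removed.append(mac)
    # Forget MACs just deleted or already gone from the group (e.g. ISE purge).
    keep = {ep["name"] for ep in current} - set(removed)
    for mac in list(first_seen):
        if mac not in keep:
            del first_seen[mac]
    return removed
```

Run it on a short interval (for example every 15 minutes) with `call = make_ers(...)`; a device's window then expires within one interval of the 24-hour mark, independent of the MNT timezone.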
