Hello Jason,

Thank  you for your answer - yes, I understood that there are no workarounds for us here

>>How about an external registration portal to manage it via API this way you're able to control and track the username as the phone number if the user has expired but they should still have access because they are valid patrons of the hotel then the system can decide that logic and reinstate the account

[Amir] Well, our case is a large venue (exposition complex), so it is close to a stadium/event type of thing. Although Guest API is a possible solution, Customer wanted so much to keep things local on ISE ("you have portal on ISE anyway, don't you?) and also reinstating the account will mean extending it for another period of validity which defeats the whole purpose of providing 1,2 or 3-day access.

>>I'm not really sure how you're managing who's able to register or not

[Amit] Well, just any user with a valid cell phone #- that is the way authorities track the user identity.

>>Ability for user to reinstate themselves via self-reg portal? may need to tie into some sortof external data base via ODBC or LDAP To look up if a person is still a valid patron as well

Ability to only allow registration via a cell number 1 time in x hours perhaps

[Amir] In a typical event/stadium/etc environment a possibility to reinstate the account is a possible option indeed. In our case we do not care too much if person will get "lengthier" access as long as he is authenticated via his cell phone.

With this we could avoid collision. Another thing is to somehow rework internal logic and provide a tickbox (per guest user type) to purge user immediately after expiry, but I bet that might not be possible on platform due to some hidden DB/logic-related limitations.

I could not find a way to programmatically purge Guest User Database - I guess that is not possible and moreover, is not really possible to do it frequently (otherwise why do we do this at 3 am)?

Thank you, as always.

Regards, Amir

Seems to me why not just create accounts that are good for longer than the user needs them? Then they would be purged at later date?

Otherwise you're trying to do too much work?

It seems like they are free accounts so what is the problem if the accounts last longer so you don't have collisions?

Also have you looked at CMX or EMSP products? They might already do what you need.

Let me think about the other line items here

Other products won't work as we're given ISE and requirement to create Guest Portal so this is something outside of my control .

I've probably confused everyone, apologies - this is NOT a hotel, that was just an analogy. This is a WiFi service at exhibition center.

Correct, this is a free service - my concerns with longer account duration are:

1) Maximum amount of Guest Users in the DB (I remember something like 1,5M ?) which we can hit if we create users for the duration of the event and won't purge them. I could end up creating users which are lasting for 90+ days and forget about that issue but scalability will be an issue then.

2) If I make duration of the Guest User account smaller than event itself  but still longer than a typical use-case (visitor coming maybe once or twice within 1 week) then we can hit an issue with visitor coming several times outside of the period and he will still hit this corner-case scenario with expired user (that is possible).

I think Paul has given a very good idea in the answer below - we may end up with 1-day accounts and purge them daily, I will need to test this though.

Amir,

Let me ask you a question on the exact requirements of the customer. The fact that this is an open SSID it sounds like they are basically saying “Anyone within Wi-Fi range with a valid cell phone number can get on and potentially register multiple devices.”. There is no verification that the cell phone is registered to a user at the conference. It could be someone just wanting free Wi-Fi.

Do they have a requirement that the user accept an AUP?

If there is no AUP then why not just do a PSK that is given out during registration? Then shut down the SSID at night when the convention is not on.

If they require AUP, in the newest WLC code you can do PSK with AUP as well.

These are discussion I usually have with customers. Just curious.

Hopefully my previous suggestion works. I would be interested to see how your testing goes.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Hello Paul,

First of all, thanks for all your suggestions.

So, the important thing with SMS is that authorities mandate ALL accounts to be tied to a mobile number - that is, password should arrive via SMS and that is a method to actually track WiFi user (another option will be sponsored access which by definition tracks the identity of the user). We cannot just have AUP - that would be much-much-much simpler in that case of course), same answer for PSK.

I will update the thread after the testing.

Amir

Sounds good ultimately wondering what type of solution we could offer in box if any

please when you're done let's work offline through email

Hello All,

So, reporting on the progress so community could benefit from it (and contribute ).

1. Idea from ISE Guest Self-Registration phone number as the username does not work well for us as it seems that behavior has been changed. Previously, as described in the article above, you could base the authorization rule off the endpoint group (EP) and purge EP group later. However, in 2.1p3 endpoint is immediately removed from EP once associated username expires (we do not wait until purge time comes), so user cannot access network anymore from previously registered MAC.

So, unique username combination + authorization rule based on EP does not work in 2.1p2 (at least for us).

2. I've written an ISE ERS API script which a) retrieves users of a particular Guest Type b) parses the list and composes XML c) sends XML in a bulk deletion request towards ISE to delete users.

This script has been installed as a cron job in a separate Linux server and runs at ~2am. I've also written a script to bulk create users (to test deletion script) - so, with 10K users on a portal it takes about 35 mins to delete them (via bulk job, a batch of 4500 users). So need to account for it - 30K will be deleted in roughly  2 hours, then endpoint purge will happen, than EP purge, then backup and ideally I do not want all these to overlap as ISE is s sensitive beast (I think ).

We are about to test how scripted workaround works, I am expecting the following caveats:

- we may hit CSCvd16176 so I need to test;

- I still do not know how to deal with PAN failover - if that happens, script (which is tied to primary PAN IP) will not work and next morning we will have a nightmare

Ah and yes, suspension was not marking users for purging to had to use delete operation directly.

Will report results later.

Amir

I haven't tried this before but was just playing around with this.  The multiple devices per username should work.  I am testing on 2.2 and I only used the java script on the self-registration portal. 

So the user comes into the standard self-registration and has the option to enter the username/password or click the "Don't have an Account?" link.  I modified the username text to say "Phone Number" on the customization.

User clicks on the "Don't have an Account?" link and goes to self registration.  I have removed all fields except username and phone number.  The java script hides the username.  User types in their phone number and clicks Register.  The user ID with their phone number is generated and credentials texted to them. 

As part of the success message or text you can let the user know that the username/password can be used to register up to 3 devices.

Now they click sign-in and use their information that was texted to them.  The portal is tied to a guest type that allows 3 registered devices.  I set the expiry time for the user credentials to 8 hours after creation..

As you said this is a convention.  I shouldn't need to handle people registering at all hours of the night.  Let's say I want to accommodate someone registering up to 8:00 p.m.  That means the guest user would expire at 4:00 a.m and configure my guest purge job to run at 4:30 a.m.  I configure my endpoint purge to run at 5:00 a.m. 

So after the endpoint purge runs at 5 everything is ready for the new day.

I haven't fully tested this, but wouldn't that work.  I know in a hotel scenario where guests are registering 24/7 this wouldn't work but for a convention scenario it should work.