02-06-2020 12:05 PM
Hi,
I want the following requirements. Can anybody tell me how it is possible with ISE 2.6 or 2.4 (wireless)?
* After the user gets the certificate via the BYOD process, and after 1-2 years when the certificate is about to expire, I want the user to be notified that their certificate is about to expire.
* 10 days before expiry, I want the user to be forced to reissue the certificate.
Can anyone share the policy set and additional configuration for this? Is it possible with ISE?
Please reply.
02-06-2020 03:06 PM
ISE does not have the ability to pop-up a banner for the client without using a portal redirect flow. If you were to use a portal redirect, the user would be subject to the limited access provided by the redirect ACL. You can redirect to a custom portal page (hosted on ISE) or one hosted on an external server but, if the redirect is not part of an established and supported portal flow (Guest, BYOD, Posture, etc) it would essentially become a dead-end session and ISE would not be able to issue a CoA to change the AuthZ state. The user would have to disconnect/reconnect for ISE to have control of the session again and you would likely run into the same issue in a loop.
02-06-2020 01:42 PM
You can use the CERTIFICATE:Days to Expiry matching condition in your AuthZ Policy to redirect the user back through registration flow to enrol a new certificate. I would suggest, however, using a time range greater than 10 days (more like 30) to mitigate issues with BYOD users being away from the office on holiday or other reasons.
Example:
Cheers,
Greg
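The rule ordering that Greg's suggestion relies on is easy to get wrong: the "days to expiry" rule has to sit above the plain EAP-TLS permit rule, or it never matches. The following is an added example that models that first-match evaluation in Python; it is not part of the original thread or ISE's own configuration, and the rule names, result strings, `Session` fields and the 30-day window are assumptions chosen to mirror the policy being discussed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed model of ISE-style first-match authorization rules for the
# BYOD certificate-renewal flow. Result strings and field names are
# assumptions for illustration, not ISE object names.

RENEW_WINDOW_DAYS = 30   # Greg's suggestion; wider than the 10 days asked for


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so sample dates are unambiguous UTC timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Session:
    username: str
    eap_method: str                     # "EAP-TLS" once enrolled, "PEAP" before
    cert_not_after: Optional[datetime]  # client cert notAfter, None for PEAP


def days_to_expiry(not_after: datetime, now: datetime) -> int:
    """Whole days left on the certificate; negative once it has expired."""
    return (not_after - now).days


def authorize(s: Session, now: datetime, window: int = RENEW_WINDOW_DAYS) -> str:
    """Evaluate the rules top-down and return the first matching result.

    Rule 1: EAP-TLS and cert within the renewal window -> redirect to BYOD
    Rule 2: EAP-TLS                                      -> PermitAccess
    Rule 3: PEAP (not yet enrolled)                      -> redirect to BYOD
    Default                                              -> DenyAccess
    """
    if s.eap_method == "EAP-TLS":
        if s.cert_not_after is None:
            return "DenyAccess"          # cannot happen for EAP-TLS; fail closed
        left = days_to_expiry(s.cert_not_after, now)
        if left < 0:
            # An expired cert already fails EAP-TLS authentication, so the
            # authorization rules are never reached (modelling assumption).
            return "AuthenticationFailed"
        if left <= window:
            # This rule must be ABOVE the plain permit rule to ever match.
            return "Redirect-BYOD-Renew"
        return "PermitAccess"
    if s.eap_method == "PEAP":
        return "Redirect-BYOD-Enrol"     # initial onboarding with user/password
    return "DenyAccess"


def demo_results(now: datetime = utc(2020, 2, 6)) -> dict:
    """Run a few constructed sessions through the policy (sample data only)."""
    sessions = [
        Session("alice", "EAP-TLS", utc(2021, 2, 6)),   # a year left
        Session("bob", "EAP-TLS", utc(2020, 2, 26)),    # 20 days left
        Session("carol", "PEAP", None),                 # never enrolled
        Session("dave", "EAP-TLS", utc(2020, 1, 1)),    # already expired
    ]
    return {s.username: authorize(s, now) for s in sessions}


if __name__ == "__main__":
    for user, result in demo_results().items():
        print(f"{user:6} -> {result}")
```

With the 30-day window, "bob" (20 days left) is redirected to re-enrol; with the 10-day window originally requested he would still get PermitAccess and could be away from the office when the window finally opens, which is the situation Greg warns about.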
02-06-2020 02:48 PM
This is what I came up with (see attached policy; 365 is put there to hit the policy forcefully for testing :).
The user will be authenticated with PEAP, then TLS will be used and granted PermitAccess, but if the certificate is about to expire it will redirect to a central authentication guest portal and force the user to renew the certificate.
But is there a way to put a banner page alone without authentication?
For example, when the user certificate is going to expire in 30 days, the user should start seeing a message "your certificate needs to be renewed", but the user will still be able to use the internet.
After 15 days the user must be forced to renew, which is already happening with my current policy, but I need a way to add a warning saying your certificate is about to expire.
02-10-2020 09:37 AM
That is where I am stuck, because it is a dead end and cannot give permit access to the user.
Thanks for confirming it is not possible.
Have a nice Day.