Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2578
Views
16
Helpful
10
Replies

Purge guest enpoints based on guest user expiration

Go to solution
Dominic Stalder (old profile)
Level 4
Level 4

‎01-19-2017 04:46 AM

Hi guys

I think there is no native Cisco ISE way to check, if the guest user or portal user for a specific endpoint is expired and if so, purge this endpoint the next time purging is running, correct?

- At the moment, we create a guest user with a lifetime of 30 days and save the mac address into the endpoint group Guest_Endpoints

- After 30 days the guest user will expire, but we will not purge any guest users at all (we want to have them all in the database "forever", because we use an index which will be incremented while self registration, some thing like guest-0001)

- Under Endpoint Purge settings we purge everyday and configured the endpoint group Guest_Endpoints to be purged, if ENDPOINTPURGE ElapsedDays GREATERTHAN 30 Days

1. First of all, is our configuration correct, so that after the endpoint gets saved into the endpoint group Guest_Endpoints it will be purged during the night and the next day, it will be redirecte to the guest portal again?

2. I know there is a way to check if an endpoint has an portal user (saw something like this in a presentation by @Jason Kunst: guest-restrict1hrday.pptx) inside the policy sets (authorization). But is there also a way to check if the sponsor user is expired or not, so we can decide if the endpoint needs to be redirected to the guest portal again or if it has access straight away?

It would also be great, if you can specify this check under Endpoint Purge settings, let's say "purge all endpoints in endpoint Group Guest_Endpoints if their sponsor user is expired"!

Thanks in advance and best regards

Dominic

1 person had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎01-19-2017 07:45 AM

  1. 1. First of all, is our configuration correct, so that after the endpoint gets saved into the endpoint group Guest_Endpoints it will be purged during the night and the next day, it will be redirecte to the guest portal again?
    • Yes this is common config. 2 basic rules
    • If Mab and Guest_endpoints then permit access
    • If MAB then send to redirect authz profile


  1. 2. I know there is a way to check if an endpoint has an portal user (saw something like this in a presentation by @Jason Kunst: guest-restrict1hrday.pptx) inside the policy sets (authorization). But is there also a way to check if the sponsor user is expired or not, so we can decide if the endpoint needs to be redirected to the guest portal again or if it has access straight away?

Wouldn’t this do it for you?

  •   If Mab and Guest_endpoints AND portal user ID is NOT NULL (per the presentation) then permit access
  • If MAB then send to redirect authz profile

It would also be great, if you can specify this check under Endpoint Purge settings, let's say "purge all endpoints in endpoint Group Guest_Endpoints if their sponsor user is expired"!

I don't see that as an option either, open an enhancement with the TAC, also get me your product feature request offline so I can get to the PM

View solution in original post

10 Replies 10

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎01-19-2017 07:45 AM

  1. 1. First of all, is our configuration correct, so that after the endpoint gets saved into the endpoint group Guest_Endpoints it will be purged during the night and the next day, it will be redirecte to the guest portal again?
    • Yes this is common config. 2 basic rules
    • If Mab and Guest_endpoints then permit access
    • If MAB then send to redirect authz profile


  1. 2. I know there is a way to check if an endpoint has an portal user (saw something like this in a presentation by @Jason Kunst: guest-restrict1hrday.pptx) inside the policy sets (authorization). But is there also a way to check if the sponsor user is expired or not, so we can decide if the endpoint needs to be redirected to the guest portal again or if it has access straight away?

Wouldn’t this do it for you?

  •   If Mab and Guest_endpoints AND portal user ID is NOT NULL (per the presentation) then permit access
  • If MAB then send to redirect authz profile

It would also be great, if you can specify this check under Endpoint Purge settings, let's say "purge all endpoints in endpoint Group Guest_Endpoints if their sponsor user is expired"!

I don't see that as an option either, open an enhancement with the TAC, also get me your product feature request offline so I can get to the PM

Go to solution
Dominic Stalder (old profile)
Level 4
Level 4
In response to Jason Kunst

‎01-19-2017 11:07 PM

Hi Jason

1. Thanks for confirmation, I have the authorization policy configured like this:

Bildschirmfoto 2017-01-20 um 08.00.01.png

By the way, I use the condition Network Access:ISE Host Name EQUALS ise01 and Network Access:ISE Host Name EQUALS ise02 to have a fallback to the portal on ise02 in case of a failure on ise01, is that a good way to accomplish that if you don't have a load balancer?

Redirect public1 redirects the user to the URL public1.customer.ch pointing to the portal on ise01

Redirect public2 redirects the user to the URL public2.customer.ch pointing to the portal on ise02

2. It would, IF we would purge the guest users as soon as they expire, but because we don't purge any guest users, we will always have a portal user attribute. Here it would be necessary to have the possibility to check the expired status of this portal user, or am I wrong?

Concerning the product feature request, can you send me your email address offline, mine is dstalder@itris.ch.

Thanks and best regards

Dominic

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Dominic Stalder (old profile)

‎01-20-2017 07:54 AM

JAK - the authz policy is fine but i like to have Wireless_MAB in every line

By the way, I use the condition Network Access:ISE Host Name EQUALS ise01 and Network Access:ISE Host Name EQUALS ise02 to have a fallback to the portal on ise02 in case of a failure on ise01, is that a good way to accomplish that if you don't have a load balancer?

Redirect public1 redirects the user to the URL public1.customer.ch pointing to the portal on ise01

Redirect public2 redirects the user to the URL public2.customer.ch pointing to the portal on ise02

JAK - ISE will redirect to the correct portal on its own depending on which the PSN RADIUS Request comes in on. Static redirection is only used in specific use case needs. Do you have a special need?

2. It would, IF we would purge the guest users as soon as they expire, but because we don't purge any guest users, we will always have a portal user attribute. Here it would be necessary to have the possibility to check the expired status of this portal user, or am I wrong?

JAK - the portal user id is attached to the endpoint, when the account expires its removed from the endpoint and won't be matched this is explained in that powerpoint you found. let me know if future questions

Concerning the product feature request, can you send me your email address offline, mine is dstalder@itris.ch.

JAK - can you please send your use case through your account team to get to our Product Managers

Go to solution
Dominic Stalder (old profile)
Level 4
Level 4
In response to Jason Kunst

‎01-20-2017 01:42 PM

JAK - the authz policy is fine but i like to have Wireless_MAB in every line

Thanks, already changed the first line to Guest_Endpoints and Wireless_MAB.

JAK - ISE will redirect to the correct portal on its own depending on which the PSN RADIUS Request comes in on. Static redirection is only used in specific use case needs. Do you have a special need?

Our authorization policies are based on a Static IP / Hostname / FQDN CWA redirect:

Bildschirmfoto 2017-01-20 um 22.36.06.png

If I would like to have a redundancy behind public1.xxx.ch, I would need to configure two A-Records for this FQDN (A-Record for ise01 and A-Record for ise02). Correct? But then the client would take ise01 and ise02 by coincidence, or am I wrong? Or how do you setup this kind of redundancy?

JAK - the portal user id is attached to the endpoint, when the account expires its removed from the endpoint and won't be matched this is explained in that powerpoint you found. let me know if future questions

OK, sorry, didn't see this fact. Will try it!

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Dominic Stalder (old profile)

‎01-20-2017 01:49 PM

Does this help

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html

if not

Can you bring up the redundancy on another thread? Its not relevant to the purging

Go to solution
Dominic Stalder (old profile)
Level 4
Level 4
In response to Jason Kunst

‎01-21-2017 01:37 AM

Hey Jason

thanks, never saw this document before, but it describes exactly the way I configured the static redundancy too:

Bildschirmfoto 2017-01-21 um 10.36.00.png

So I was just "lucky" with my configuration :-)

Have a nice weekend

0 Helpful

Go to solution
alex.fritzsche
Level 4
Level 4
In response to Jason Kunst

‎12-01-2017 07:04 AM

Does this:

If Mab and Guest_endpoints AND portal user ID is NOT NULL then permit access

still work?

We have this Problem too and we only see the dictionary condition "Endpoints:PortalUser" and then can not match for an ID.

Anyway after a guest account expires, and is not deleted, the associated Endpoints are not purged until the Guest-Account is deleted, plus the Endpoint still has the Guest-Username associated as "PortalUser" under Attributes, and not NULL or similar.

Thanks in advance for any reply.

Alex

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to alex.fritzsche

‎12-01-2017 07:15 AM

Please open a case with the technical assistance center and get associated to a defect

If the behavior has changed then it’s a defect and we need to come up with a new approach if possible

Please also state the associated flow and behavior you would like to see happen

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎12-14-2017 12:35 PM

please let me know the defect as well so i can escalate

0 Helpful

Go to solution
marco.merlo
Level 1
Level 1
In response to alex.fritzsche

‎05-04-2018 03:09 AM

Hi Alex,

your hint about using PortalUserID endpoint attribute in the MAB authorization policy worked for ME

Regards

MM

0 Helpful
Customers Also Viewed These Support Documents