cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
856
Views
0
Helpful
4
Replies

Sessions Timeout - Quota Policy Enforcement

gugonza2
Cisco Employee
Cisco Employee

A customer wants to know if we can configure a WLAN environments with different sessions timeout per user.

A WLAN environment where some users could enter with restricted time, such as Public WLAN where some users are registered with some session timeout and some guest are restricted to specific session timeout (10 or 15 min).

 

 

- Is is possible to configure session timeouts per users (AAA override, ISE or WLC) ?

- Can ISE send a CoA to kill a user session and force reathentication ?

 

Any suggestion ?

 

Thanks in advance.

 

Guillermo.

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee
Yes using radius AVP session timeout you can disconnect a bucket of users to specific timeout values

Doing this on specific usernames wouldn’t be recommended as this would be difficult to manage

For guests you would likely utilize setting specific users or guest types when creating their accounts to expire after certain periods

Examples using google search
https://www.google.com/search?q=ise%20radius%20timeout

There is no tool in ise as quota management per says but you can also return values in radius of QOS TOS for Cisco wireless controllers


https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81831-qos-wlc-lap.html

View solution in original post

4 Replies 4

Jason Kunst
Cisco Employee
Cisco Employee
Yes using radius AVP session timeout you can disconnect a bucket of users to specific timeout values

Doing this on specific usernames wouldn’t be recommended as this would be difficult to manage

For guests you would likely utilize setting specific users or guest types when creating their accounts to expire after certain periods

Examples using google search
https://www.google.com/search?q=ise%20radius%20timeout

There is no tool in ise as quota management per says but you can also return values in radius of QOS TOS for Cisco wireless controllers


https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81831-qos-wlc-lap.html

Thanks a lot Jason for your answer,

 

The question about "Quota Policy Enforcement" is because, in case of need, can the ISE (RADIUS) send a CoA to de-auth a user and force a re-authentication?

As I understood is not possible, but I heard that in SEVT was presented the feature "Quote Policy Enforcement" where, through CoA, RADIUS can change end user devices behavior based on prepaid external billing services, and I guess the same could be applied to timeouts.

 

Any comment ?

 

Yes ise can send terminate or reauth

Thanks Jason,  is there any document with a configuration example for that ?