Short duration guest accounts

Simon94995
Level 1

Hi experts,

 

I have been looking at implementing ISE guest wireless with short account lifetimes, ideally 2 hours, based on a self-registered portal.

 

To achieve this, I would need to use NetworkAccess:Usecase GuestFlow in the authorization rules for such short time periods, because when using the GuestEndpoints identity group and relying on endpoint purge, the purge job would only run once a day at night, which means the endpoint would stay in GuestEndpoints for the whole day and the guest endpoint would have Internet access for much longer than two hours.

Just wanted to check if this logic is correct and if there is maybe another way to achieve this with the GuestEndpoints identity group (which provides a better user experience, as users don't need to log on to the network more than once).

 

Thank you

 

Accepted Solution

paul
Level 10

You don't rely solely on the identity group in your rules for this and you don't need the guest flow condition at all for guest setups.  You have a couple things you need to do to make this work:

 

  1. On the WLAN definition on the wireless controller you need to set your session timeout to 2 hours.  So all guests will get kicked off and have to reauthenticate.  Optionally if you don't want to set this for all guests you could set a reauthentication timer for the short term guest result in ISE.
  2. Craft your rules for guest policy set in ISE to look something like this:
    1. If MAC address is in identity group long term guest allow Internet access.
    2. If MAC Address is in identity group short term guest and AUP acceptance is less than 2 hours ago allow Internet access.  In this authorization profile you could set the 2 hour session timeout.
    3. Redirect to guest portal.
  3. Make sure your guest portal has AUP acceptance enabled for every login not just on first login.
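
The timing of the three rules above, as a small model added here (not part of the original post and not ISE configuration). It assumes first-match evaluation at every connect and at every session-timeout expiry; the group labels, function names and times are hypothetical. It shows that a reconnect shortly before the 2 hours are up starts a fresh 2-hour session.

```python
from dataclasses import dataclass
from typing import Optional

AUP_LIMIT_H = 2.0        # rule 2: AUP acceptance must be less than 2 hours old
SESSION_TIMEOUT_H = 2.0  # session timeout returned with the short-term permit

@dataclass
class Endpoint:
    group: str                        # "long_term", "short_term" or "" (assumed labels)
    aup_accepted_at: Optional[float]  # hour of last AUP acceptance, None if never

def authorize(ep, now):
    """First-match evaluation of the three rules; returns (result, timeout)."""
    if ep.group == "long_term":
        return ("permit", None)
    if (ep.group == "short_term" and ep.aup_accepted_at is not None
            and now - ep.aup_accepted_at < AUP_LIMIT_H):
        return ("permit", SESSION_TIMEOUT_H)
    return ("redirect", None)

def access_ends_at(ep, connects):
    """Hour at which a permitted endpoint is first sent back to the portal.

    Returns None if it never had access, float('inf') if no timer applies.
    """
    pending = sorted(connects)   # constructed (re)connect times, in hours
    expiry = None                # when the current session timeout fires
    while True:
        if pending and (expiry is None or pending[0] < expiry):
            now = pending.pop(0)   # client reconnects before the timer fires
        elif expiry is not None:
            now = expiry           # session timeout forces reauthentication
        else:
            return None
        result, timeout = authorize(ep, now)
        if result == "redirect":
            return now if expiry is not None else None
        if timeout is None:
            return float("inf")
        expiry = now + timeout     # a new session restarts the 2-hour timer

if __name__ == "__main__":
    guest = Endpoint("short_term", aup_accepted_at=0.0)
    print(access_ends_at(guest, [0.0]))        # single session
    print(access_ends_at(guest, [0.0, 1.5]))   # reconnect at 1h30
```

In this model the AUP-age condition is what bounds access, and the effective window can approach twice the configured limit when a guest reconnects late in the session.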

 

Thanks very much for the suggestion, this worked nicely.

 

It would be great if there was an option just to purge the associated guest endpoint from GuestEndpoints group automatically when the self-registered guest account expires.