Time-based Radius CoA dynamic trigger

pwlau
Cisco Employee

Hi,

How do I achieve the below use cases with ISE and Wireless?

  1. Only allow access to the network from 9am – 6pm, and disconnect any “active” clients after 6pm?
  2. Assign a Radius av-pair Airespace-QoS-Level to clients who authenticate from 9am-6pm, but assign a new av-pair Airespace-QoS-Level to any “active” client after 6pm?

Can both use-cases be achieved via RADIUS CoA triggered based on time of day?

Is there a way to configure this without resorting to using Python scripts for API calls?

ClearPass seems to be able to do this by changing the user-role of active connected clients at a certain time of day, with CoA.


Regards,

Steven

Accepted Solution

You could have different rules for different timers

If you access in the morning you could set a 4 hr timer, 2 hours after noon perhaps, and as it gets closer reduce to 1 hr and then 30 min if absolutely critical

The client shouldn’t see reauths as they are very quick and don’t drop traffic

If you have lots of clients it may be a lot of load on the system (make sure you are suppressing client authentications, the default setting on ISE since 2.0)

As stated before there is no automated feature, please reach out to the ISE-pm team through sales channel for feature requests
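
The tiered-timer suggestion in the accepted answer, worked through as an added example (not code from the thread or from Cisco). It assumes each reauthentication re-evaluates the time-of-day rules; the tier boundaries (noon, 4pm, 5pm) are assumptions, since the answer gives only the timer values.

```python
# Added example: models reauth timers chosen by time-of-day authorization rules.
# Tier boundaries are assumptions; the thread only names the timer values.
CUTOFF = 18 * 60          # 6pm, in minutes since midnight
OPEN = 9 * 60             # 9am

def tiered_timer(now):
    """Reauth timer (minutes) the matching rule would hand out at time `now`."""
    if now < 12 * 60:
        return 240        # morning: 4 hr
    if now < 16 * 60:
        return 120        # early afternoon: 2 hr
    if now < 17 * 60:
        return 60         # approaching close: 1 hr
    return 30             # final hour: 30 min

def flat_timer(now):
    """Single 30-minute reauth timer regardless of time of day."""
    return 30

def simulate(join, timer):
    """Return (reauths, lag) for a client that joins at minute `join`.

    reauths counts every reauthentication up to and including the first one
    at or after CUTOFF; lag is how many minutes past CUTOFF that one lands,
    i.e. how late the after-hours policy is applied.
    """
    now, reauths = join, 0
    while now < CUTOFF:
        now += timer(now)
        reauths += 1
    return reauths, now - CUTOFF

def summarize(timer):
    """Worst-case lag and total reauths with one client joining every minute."""
    results = [simulate(j, timer) for j in range(OPEN, CUTOFF)]
    return max(lag for _, lag in results), sum(n for n, _ in results)

if __name__ == "__main__":
    for name, timer in (("tiered", tiered_timer), ("flat 30 min", flat_timer)):
        worst, total = summarize(timer)
        print(f"{name}: worst lag {worst} min, {total} reauths for 540 clients")
```

Under these assumptions both schemes apply the after-hours policy at most 29 minutes late, while the tiered rules generate fewer reauthentications for clients that join early in the day.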

7 Replies

ognyan.totev
Level 5

I think you need Time and Date conditions, but I never tested this.

Hi,

Time and Condition on Authorization Profile will be enforced for new connections/clients and not existing clients.

If the existing client is still connected to the network, the only way to assign a new Authorization Profile to them is via Change of Authorization, to force re-authentication.

However, I couldn't figure out how to trigger this event without using an API call script.

I think you can set timers for re-authentications in authorization profiles. I think this will trigger the CoA. And if it matches the new rule, it will be applied.

Is there a way to set this Re-authentication timer to reauthenticate clients at 6pm?

This is because different clients might join the network at different times of day within the 9am-6pm window.
It'll be a challenge to figure out the exact timer for the action.

No, would recommend setting reauth timer for 30 min perhaps so they get reauth close to the 6pm mark but not going to be exact

Or look at shutting wlan at a certain time via prime

Shutting wlan off will not address the 2nd use case.

Which is to reassign a new qos profile to the active user after office hours, so the user will enjoy an elevated bandwidth contract privilege.

Wouldn't setting the reauth timer to a 30 min interval impact user experience?

Is there no way to auto push CoA to connected clients based on time of day?

Thanks.
