cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
906
Views
10
Helpful
1
Replies

unable to suspend or delete a guest session before account expiration

Luisa Lavano
Level 1
Level 1

  I have installed and configured ISE 1.1.4 with cumulative on Virtual Machine and configured a WLC 2500 sw ver 7.3.101.0 according to the design guide

http://www.cisco.com/en/US/products/ps11640/products_implementation_design_guides_list.html

For guest wireless access I've configured on the WLC an open WLAN with mac filtering, AAA override and Radius Nac enabled, and configured CWA on ISE. On this WLAN captive portal works well, the creation of guest accounts is ok both through sel-service o by sponsor and expiration of guest accounts works well too.

what does'nt work is the management of guest accounts in terms of suspend and/or blacklist and/or delete an active guest account (active is intended for an authenticated guest, with active session) before its expiration.

in other words, in the performed tests, I found that:

- when a guest account is created (by self-service or sponsor portal) and the guest exceeds the maximum number of authentication attempts so that his accounts is suspended, or the sponsor creates this account and marks it as suspended before guest authentication, the suspension works well, so that when attemptingto autheticate again, the captive portal correctly reports the guest to contact the administrator since his account is suspended and the authentication is unsuccessful. after re-activation of the user account from the sponsor portal, the guest is then able to authenticate with that account and to access Internet (according to the configured authorization policy).

But if, for any reason, the administrator wants to re-suspend or eliminate this account before its expiration, from the console of sponsor portal he can do it, but this information is not passed to WLC, for ehich the client remains in an authorized state untill the expiration of the account. the guest (with suspended or deleted account!!) continues to navigate without captive-portal appears again in the browser, even if he disconnects and reconnects to the open guest WLA. I must delete the client from the WLC cache in order to let captive-portal reappear on the client browser.

this problem is strongly felt by the customer who wants to act on guests that behave  "badly".

thanks for your support

regards

1 Accepted Solution

Accepted Solutions

Jatin Katyal
Cisco Employee
Cisco Employee

Your problem/symptoms is matching the below listed defect.

CSCuc82135    Guests need to be removed from the network on Suspend/Delete/Expiration

Symptom:

When a guest user is deleted from system, the radius sessions associated with that guest users still exist.

Conditions:

When the guest user is deleted or suspended from the system

Workaround:

To re-issue the CoA from MNT reports for the sessions associated with that guest user.

Jatin Katyal


- Do rate helpful posts -

~Jatin

View solution in original post

1 Reply 1

Jatin Katyal
Cisco Employee
Cisco Employee

Your problem/symptoms is matching the below listed defect.

CSCuc82135    Guests need to be removed from the network on Suspend/Delete/Expiration

Symptom:

When a guest user is deleted from system, the radius sessions associated with that guest users still exist.

Conditions:

When the guest user is deleted or suspended from the system

Workaround:

To re-issue the CoA from MNT reports for the sessions associated with that guest user.

Jatin Katyal


- Do rate helpful posts -

~Jatin