05-13-2013 04:03 AM - edited 03-10-2019 08:25 PM
I have installed and configured ISE 1.1.4 with cumulative on Virtual Machine and configured a WLC 2500 sw ver 7.3.101.0 according to the design guide
http://www.cisco.com/en/US/products/ps11640/products_implementation_design_guides_list.html
For guest wireless access I've configured on the WLC an open WLAN with MAC filtering, AAA override and RADIUS NAC enabled, and configured CWA on ISE. On this WLAN the captive portal works well, the creation of guest accounts is OK both through self-service and by sponsor, and expiration of guest accounts works well too.
What doesn't work is the management of guest accounts in terms of suspending and/or blacklisting and/or deleting an active guest account (active meaning an authenticated guest with an active session) before its expiration.
In other words, in the tests performed, I found that:
- When a guest account is created (by self-service or sponsor portal) and the guest exceeds the maximum number of authentication attempts so that his account is suspended, or the sponsor creates this account and marks it as suspended before guest authentication, the suspension works well, so that when attempting to authenticate again, the captive portal correctly tells the guest to contact the administrator since his account is suspended, and the authentication is unsuccessful. After re-activation of the user account from the sponsor portal, the guest is then able to authenticate with that account and to access the Internet (according to the configured authorization policy).
But if, for any reason, the administrator wants to re-suspend or delete this account before its expiration, he can do it from the console of the sponsor portal, but this information is not passed to the WLC, for which the client remains in an authorized state until the expiration of the account. The guest (with a suspended or deleted account!!) continues to browse without the captive portal appearing again in the browser, even if he disconnects and reconnects to the open guest WLAN. I must delete the client from the WLC cache in order to make the captive portal reappear in the client browser.
This problem is strongly felt by the customer, who wants to act on guests that behave "badly".
Thanks for your support.
Regards
05-13-2013 04:38 AM
Your problem/symptoms match the defect listed below.
CSCuc82135 Guests need to be removed from the network on Suspend/Delete/Expiration
Symptom:
When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exist.
Conditions:
When the guest user is deleted or suspended from the system.
Workaround:
To re-issue the CoA from MNT reports for the sessions associated with that guest user.
Jatin Katyal
- Do rate helpful posts -
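
One way to find the sessions affected by this defect, as an added example that is not part of the original thread or of ISE: it compares guest account states against active sessions and lists the sessions that still need a CoA. The record layouts, field names and sample data are constructed assumptions, not an ISE or WLC export format.

```python
import re
from datetime import datetime

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def sessions_needing_coa(accounts, sessions, now):
    """Return (mac, username, reason) for every active session whose guest
    account is suspended, expired, or no longer present (deleted)."""
    stale = []
    for s in sessions:
        # Account names are compared case-insensitively (assumption).
        acct = accounts.get(s["username"].lower())
        if acct is None:
            reason = "deleted"
        elif acct["status"] == "suspended":
            reason = "suspended"
        elif acct["expires"] <= now:
            reason = "expired"
        else:
            continue  # account is valid, session may stay
        stale.append((norm_mac(s["mac"]), s["username"], reason))
    return stale

# Constructed sample data (hypothetical layout, not real exports).
NOW = datetime(2013, 5, 13, 12, 0)
ACCOUNTS = {
    "guest1": {"status": "active", "expires": datetime(2013, 5, 14)},
    "guest2": {"status": "suspended", "expires": datetime(2013, 5, 14)},
    "guest3": {"status": "active", "expires": datetime(2013, 5, 13, 9, 0)},
}
SESSIONS = [
    {"username": "guest1", "mac": "00:11:22:33:44:55"},
    {"username": "Guest2", "mac": "0011.2233.4466"},
    {"username": "guest3", "mac": "00-11-22-33-44-77"},
    {"username": "guest4", "mac": "001122334488"},  # account was deleted
]

if __name__ == "__main__":
    for mac, user, reason in sessions_needing_coa(ACCOUNTS, SESSIONS, NOW):
        print(f"{mac} {user}: account {reason}, session still active")
```

Each MAC address it reports is a session for which the CoA has to be re-issued as described in the workaround.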