08-27-2016 03:16 AM - edited 03-11-2019 12:02 AM
Hey Guys,
I am searching to find a way to limit the life of guest accounts in ISE 2.0. But it seems it is worthless try! Please give me some guide if it is possible to do.
Regards,
Mahdi
08-27-2016 09:00 AM
Mahdi,
When an active or suspended guest account reaches the end of its account duration (as defined by the sponsor when creating the account), the account expires.
You can set the default guest type (i.e., daily, weekly etc.) for both sponsored or self-registered guests. This is done in the Guest portal settings.
08-27-2016 04:57 PM
Marvin,
Thank you for your reply.
Does it means that the only way to have a guest account which is active in a short period of time, is to create that user account using an sponsor ?
To make it happen, which steps do I need to pass on WLC and ISE.
Regards,
Mahdi
08-28-2016 07:38 AM
You can allow sponsors to select the time period for which a given guest account is active.
If the guest is self-registered, you can choose what "guest type" endpoint group the portal assigns the self-registered account into.
See this link for how guest types are customized:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01110.html#task_007858F446DB460282E8693040F3236A
We use Central Web Authentication with ISE and WLC so the WLC settings aren't specific to this use case but rather general to all ISE uses.There are numerous how-to guides which can be found among others here:
https://communities.cisco.com/docs/DOC-64018
I would especially recommend the links on that page for "Special Flows". There are a couple of examples on how to restrict account duration for guests.
09-04-2016 12:05 AM
Thank you for your reply!
What I actually try to find is starting user lifetime decrease after guest user login (not after creation by sponsor user).
What we have now is a guest user connects to WLC, then sees the sponsored guest portal, then he/she can login using accounts that sponsored created.
Best Regards,
Mahdi
09-04-2016 06:22 AM
ISE 2.1 added the ability to make the account duration begin as of first login:
Release Notes for Cisco Identity Services Engine, Release 2.1 - Cisco
Once you upgrade, that should do what you're asking.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: