Wireless guest clients. Endpoint MAC not removed

Antonio Macia
Level 3

Hello,

After a sponsor suspends a guest wireless account, the endpoint continues accessing the network. Looking at the live authentication logs, the authentication is performed using the endpoint MAC address. When is this MAC removed from the internal identity store? After two days without any client attempt, the client can successfully authenticate the device. Shouldn't the MAC be removed automatically when the account is suspended by the sponsor?

I'm running ISE 2.2 with a vWLC running 8.0.140 software version. Here is the output from the live session authentication:

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
15004 Matched rule - MAB
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - 00:24:D6:51:19:74
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP - EndPoints.LogicalProfile
15048 Queried PIP - Network Access.AuthenticationStatus
15004 Matched rule - Basic_Authenticated_Access
15016 Selected Authorization Profile - PermitAccess
11002 Returned RADIUS Access-Accept

On the other hand, I've configured the Guest Type to add all the guest endpoints to the "GuestEndpoints" group; however, the device is added to the "Workstation" group. Why this behavior?

Thanks.

Regards.

Accepted Solution

Rahul Govindan
VIP Alumni

Every MAC address that the ISE learns about is saved in the Internal Endpoints identity group. If you are using GuestEndpoints to save the MAC address of the Guest after they log in, you should use that condition in your Authorization policy.

Another thing to note is that the Guest Endpoint purges its MAC address database only after 90 days with the default setting. From my experience, deleting a user does not delete the MAC address from that database (while I think it should). To completely remove a guest, you would have to delete the Guest account and also the MAC address from the GuestEndpoint group. You can try keeping a lower GuestEndpoint purge policy, but this will affect any valid user - requiring them to log in to the portal.

Also, your Workstation endpoint group is based on your profiling policies. Any device profiled as Workstation is placed under that group so that you can use that as a condition if needed. You should also see it in your GuestEndpoints if your portal page is configured correctly.

Thanks for the quick answer Rahul,

After reading the "Wireless Guest Set Up How To" from Thomas Howard I realized that this is a normal behavior when using authorization based on endpoints.

Since I want to block the guest access as soon as the account expires or the sponsor removes/suspends the account, I'm now trying to set up authorization based on the Guest Type, following the document instructions and using the Guest Types as conditions in the authorization rules. However, although the users are in the "Guest Type_Daily (default)" group, during the user authorization the lookup does not match that rule. My rule is as follows:

I double checked and the guest account is in the Daily group. What am I missing?

Thanks!!

Solved! The authentication based on guest type is working. I had an issue with the dACLs.

I have met the same situation as you, so I have to add the guest flow in my condition?

My authorization rule now includes the Guest groups together with the Guest Flow. In this way, although the endpoint exists in the database, if the user has expired, the guest can no longer access the network.

Let me know if it helps.

Regards.
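As an added example (not part of this thread or of Cisco ISE itself), the following script parses the live-session step list pasted in the question and flags the pattern the thread ends up fixing: a MAB host lookup that passes purely because the MAC is still in Internal Endpoints, with no Guest Flow check in the authorization policy. It assumes that a Guest Flow condition in the matched rule would surface as a 15048 "Queried PIP - Network Access.UseCase" step; that is a heuristic, not a documented ISE guarantee.

```python
import re

# Constructed sample: the session steps pasted in the question above, one "code message" per line.
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType
15004 Matched rule - MAB
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - Internal Endpoints
24209 Looking up Endpoint in Internal Endpoints IDStore - 00:24:D6:51:19:74
24211 Found Endpoint in Internal Endpoints IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
15048 Queried PIP - EndPoints.LogicalProfile
15048 Queried PIP - Network Access.AuthenticationStatus
15004 Matched rule - Basic_Authenticated_Access
15016 Selected Authorization Profile - PermitAccess
11002 Returned RADIUS Access-Accept
"""

STEP_RE = re.compile(r"^(\d{5})\s*(.*)$")  # also accepts the fused '11001Received' form

def parse_steps(text):
    """Return the (code, message) pairs found in an ISE step list."""
    return [m.groups() for m in map(STEP_RE.match, map(str.strip, text.splitlines())) if m]

def summarize(steps):
    """Extract the facts that decide how the session was authorized."""
    s = {"mab": False, "id_source": None, "mac": None, "rules": [],
         "profile": None, "accepted": False, "usecase_checked": False}
    for code, msg in steps:
        tail = msg.split(" - ")[-1]
        if code == "11027" and "Host Lookup" in msg: s["mab"] = True
        elif code == "15013": s["id_source"] = tail
        elif code == "24209": s["mac"] = tail
        elif code == "15004": s["rules"].append(tail)
        elif code == "15016": s["profile"] = tail
        elif code == "11002" and "Access-Accept" in msg: s["accepted"] = True
        # Assumption: a Guest Flow condition shows up as a PIP query on Network Access.UseCase.
        elif code == "15048" and "Network Access.UseCase" in msg: s["usecase_checked"] = True
    return s

def survives_guest_suspension(s):
    """True when access rested only on the stored MAC: MAB host lookup in
    Internal Endpoints, Access-Accept, and no Guest Flow (UseCase) check."""
    return (s["mab"] and s["id_source"] == "Internal Endpoints"
            and s["accepted"] and not s["usecase_checked"])
```

Run over the sample, the session is flagged; appending a "Network Access.UseCase" PIP query (what the final rule with Guest Flow would produce) clears the flag.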