10-21-2024 05:36 PM - edited 10-21-2024 05:54 PM
Hi Expert,
We use WLC9800 and ISE for our Staff WiFi: redirect to a web portal, and use Active Directory user/password authentication. Below is the Policy Set.
My questions are:
1. In the Authentication Policy part, the _Staff_WiFi_Auth_Seq (pointing to AD users and computers) seems not to be required, as it is all "Continue". What is it used for here?
2. In the Authorization Policy part,
The first rule is to permit all endpoints in the "Staff_BYOD" group. I checked the group; all endpoints that successfully passed authentication will be assigned to it. I thought the purpose is to avoid multiple redirections or authentications. So if the group member was not purged, it can always connect without authentication.
The second rule is "Authenticated Staff", the conditions are "Called Station ID" and "Guest Flow", and the result is Permit. What is the "Guest Flow" condition? Is it a tag? It looks like all the users who connect to Staff WiFi will hit this rule and get "Permit". But actually they go to the third rule, "Redirect". This is confusing. Is there any document that can help me understand more about the rule sequence?
The aim of understanding the rules is that we have a Meeting Room Device that needs to connect to Staff-Wifi, and only the administrator account can do the authentication. So the best would be to let it authenticate just once, or to have it connect automatically when someone powers it off and then turns it on again.
There are some other questions:
How long will the session last before it authenticates again? (From the live logs, several hours to one day later, it will re-authenticate or re-create the session automatically.)
Will it redirect to the web portal again? (I think it will hit the first rule in the Authorization Policy part and get "Permit", as the group "Staff_BYOD" was not enabled in the Endpoint Purge settings.)
Thanks very much.
10-21-2024 06:09 PM
Are you trying to do a captive portal where users authenticate via AD credentials?
Generally the authentication part is Internal Endpoints with "continue" on not found.
The rules are then:
Guest Flow, which is basically a pre-canned value to check if the user endpoint is in the list and not purged; if that matches, give access to the network.
Rule two is generally the portal redirect.
In the portal you then link the identity source to AD.
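The confusion in this thread is really about two things: ISE authorization rules are evaluated top to bottom and the first rule whose conditions are true wins (later rules are never considered for that request), and the same endpoint produces several different RADIUS requests over the life of a CWA session, each with different attributes. The toy model below is an added illustration, not ISE code and not the poster's policy export. It assumes the built-in Guest_Flow condition is `Network Access:UseCase EQUALS Guest Flow`, that the WLC sends Called-Station-ID as `<AP MAC>:<SSID>`, and that the portal registers the MAC into Staff_BYOD after the Guest Flow re-authentication; the MACs, SSID and authorization profile name are constructed.

```python
"""Toy model of ISE first-match authorization evaluation across a CWA flow.

Added illustration only: not ISE code and not the poster's policy export.
Attribute names follow the ISE dictionaries as I understand them; the
Called-Station-ID format (<AP MAC>:<SSID>) and the ordering of endpoint
registration versus CoA re-authentication are assumptions.
"""

SSID = "Staff-WiFi"
AP_MAC = "00-11-22-33-44-55"  # constructed AP radio MAC


def make_session(mac, groups=(), use_case=None, ssid=SSID):
    """Build the attribute set ISE evaluates for one RADIUS request.

    groups   -- endpoint identity groups the MAC currently belongs to
    use_case -- Network Access:UseCase; "Guest Flow" after a portal login
    """
    return {
        "Radius:Calling-Station-ID": mac,
        "Radius:Called-Station-ID": f"{AP_MAC}:{ssid}",
        "IdentityGroup:Name": set(groups),
        "Network Access:UseCase": use_case,
    }


def in_staff_byod(s):
    return "Staff_BYOD" in s["IdentityGroup:Name"]


def on_staff_ssid(s):
    return s["Radius:Called-Station-ID"].endswith(":" + SSID)


def guest_flow(s):
    # Built-in Guest_Flow condition: Network Access:UseCase EQUALS Guest Flow
    return s["Network Access:UseCase"] == "Guest Flow"


# Rule order as described in the thread: (name, condition, result)
AUTHZ_RULES = [
    ("Staff_BYOD", in_staff_byod, "PermitAccess"),
    ("Authenticated Staff", lambda s: on_staff_ssid(s) and guest_flow(s), "PermitAccess"),
    ("Redirect", on_staff_ssid, "Staff_Portal_Redirect"),
]


def matching_rules(session):
    """Every rule whose condition is true, ignoring order (for comparison only)."""
    return [name for name, cond, _ in AUTHZ_RULES if cond(session)]


def authorize(session):
    """ISE behaviour: evaluate top to bottom, first match wins, default denies."""
    for name, cond, result in AUTHZ_RULES:
        if cond(session):
            return name, result
    return "Default", "DenyAccess"


def cwa_lifecycle(mac):
    """Trace one endpoint through the requests a CWA session generates."""
    trace = []
    # 1. First association: MAB with an unknown MAC, no portal login yet.
    trace.append(("initial MAB", *authorize(make_session(mac))))
    # 2. Portal login succeeds; ISE sends a CoA and the endpoint re-authenticates
    #    with UseCase = Guest Flow. Rules 2 and 3 both match; rule 2 wins.
    trace.append(("CoA reauth, Guest Flow",
                  *authorize(make_session(mac, use_case="Guest Flow"))))
    # 3. The portal registered the MAC in Staff_BYOD (assumed ordering); a later
    #    reconnect, e.g. after a power cycle, matches rule 1 before the redirect
    #    rule is ever considered, so no portal appears.
    trace.append(("reconnect, in Staff_BYOD",
                  *authorize(make_session(mac, groups={"Staff_BYOD"}))))
    # 4. After an endpoint purge the MAC is unknown again and is redirected.
    trace.append(("after purge", *authorize(make_session(mac))))
    return trace


if __name__ == "__main__":
    for phase, rule, result in cwa_lifecycle("aa-bb-cc-11-22-33"):
        print(f"{phase:26} -> {rule:20} {result}")
    s = make_session("aa-bb-cc-11-22-33", use_case="Guest Flow")
    print("rules whose condition is true:", matching_rules(s))
    print("rule actually applied:        ", authorize(s)[0])
```

The contrast between `matching_rules` and `authorize` on the Guest Flow request is the point: the Redirect rule's condition is also true for that request, but it is never reached because "Authenticated Staff" matched first. The same first-match behaviour is why a meeting-room device that has already been registered into Staff_BYOD reconnects without the portal until its endpoint record is purged.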
10-21-2024 06:39 PM - edited 10-21-2024 08:12 PM
Hi Haydn,
Thanks very much for your reply.
Are you trying to do a captive portal where users authenticate via AD credentials?
--YES, but the web portal is on ISE server
Generally the authentication part is Internal Endpoints with "continue" on not found
--So it seems unneeded, and we can remove it?
The rules are then:
Guest Flow, which is basically a pre-canned value to check if the user endpoint is in the list and not purged; if that matches, give access to the network.
Rule two is generally the portal redirect.
--So after rule 2, it goes on to rule 3 (redirect)? That is not the common-sense behaviour of rules, which don't go to the next rule once the conditions are hit....