ISE guest user can still access network after deleted from ISE databas

wojtekperdak · ‎10-22-2024

Hi All

We use ISE 3.3.0

We noticed a bit of odd behaviour with guest network access.

Scenario:
Guest user is created on ISE and is connected to network. Once user is deleted from ISE database, he is still able to browse internet, as user delete is not delete his current session and he can still browse internet and reconnect to network without ISE web guest portal redirection, until his session expire or is manually removed from WLC.
Once his current session expire or is removed on WLC then, next time he try to connect to network is redirected to ISE guest portal.

Is it expected behaviour or some kind of bug?
Does ISE should inform WLC once user is removed/suspended to cease his current session?

cheers

Woj

balaji.bandi · ‎10-22-2024

Depends on the work flow,

check the below thread :

https://community.cisco.com/t5/network-access-control/sponsor-portal-guest-account-suspend-delete-and-coa-pod/td-p/3580097

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215931-ise-guest-account-management.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Aref Alsouqi · ‎11-01-2024

I think what you are seeing is expected. When you delete an endpoint from ISE that endpoint reference will still be attached to the WLC until its session expires or until you go and remote the endpoint manually from the WLC clients dashboard.

MHM Cisco World · ‎11-01-2024

It not bug it normal behavior for both ISE and WLC.

You can use sponsor instead of portal which give you ability of deactive specific user.

MHM