
Is it possible to quarantine a user after X days?

aguilozano
Level 5

All,

I'm looking for a way to quarantine a user account, doing EAP-TLS authentication and posturing, if they don't log into the network after a certain amount of days.  I've opened up a TAC case with this request, and it looks like there is no native way for Cisco ISE to determine the last time a user logged in and then create a policy around that.

This request came through originally as a request to configure the "inactivity timer" which is defaulted to 30 days, however, this timer is just the amount of time Cisco ISE keeps track of the endpoint data before it purges it.  Nothing to do with AuthC or AuthZ policies.

Basically looking to include this in an Authorization Policy:

Determine if the client has logged in within 30 days, IF NOT = Remediation Policy or Quarantine Policy.

Any ideas, built in to ISE or not, are all welcome.

1 Accepted Solution


imbashir
Cisco Employee

If the customer is using AD, there are ways in AD to disable user accounts after a certain inactivity, e.g.

https://social.technet.microsoft.com/Forums/sharepoint/en-US/f878d9ca-f534-4dfd-bb56-1518dbf9cd0a/lock-ad-account-after-inactive-for-30-days?forum=winserverGP

Under ISE, we can purge Guest users after a configured inactivity.



Thank you.  It looks like Cisco ISE can't do this without AD making changes to the user account.  I discussed this with a few Microsoft AD engineers and they will be developing a script for me.  I'll share it here when they put it all together.
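
One way to implement the AD-side approach from the accepted answer, as an added example (it is not from this thread and is not the script the poster mentions). It assumes the ActiveDirectory PowerShell module, that AD's `lastLogonTimestamp` reflects the logons you care about, and, for the group option, an ISE authorization rule that matches on AD group membership; the OU and the group name `ISE-Quarantine` are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example: act on enabled AD users with no recorded logon in N days.
param(
    [int]$InactiveDays = 30,                             # threshold from the question
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',  # placeholder OU (assumption)
    [string]$QuarantineGroup = 'ISE-Quarantine',         # hypothetical AD group
    [switch]$Disable,   # disable the account instead of adding it to the group
    [switch]$Apply      # without -Apply every change runs as -WhatIf (dry run)
)

Import-Module ActiveDirectory
$dryRun = -not $Apply

# Search-ADAccount evaluates the replicated lastLogonTimestamp attribute. With
# default domain settings it can lag the real last logon by up to about 14 days,
# so treat the threshold as approximate.
$inactive = Search-ADAccount -AccountInactive -UsersOnly `
        -TimeSpan (New-TimeSpan -Days $InactiveDays) -SearchBase $SearchBase |
    # Skip disabled accounts and accounts that have never logged on
    # (for example, freshly provisioned users).
    Where-Object { $_.Enabled -and $_.LastLogonDate }

# Current group members, so a second run does not try to re-add them.
$alreadyQuarantined = @()
if (-not $Disable) {
    $alreadyQuarantined = @(Get-ADGroupMember -Identity $QuarantineGroup |
        Select-Object -ExpandProperty DistinguishedName)
}

foreach ($user in $inactive) {
    # Emit one record per affected account for review or logging.
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        LastLogonDate  = $user.LastLogonDate
        Action         = if ($Disable) { 'Disable' } else { 'AddToQuarantineGroup' }
        DryRun         = $dryRun
    }

    if ($Disable) {
        Disable-ADAccount -Identity $user -WhatIf:$dryRun
    }
    elseif ($alreadyQuarantined -notcontains $user.DistinguishedName) {
        Add-ADGroupMember -Identity $QuarantineGroup -Members $user -WhatIf:$dryRun
    }
}
```

Run it without `-Apply` first and review the emitted list; service accounts and users on long leave will also match and may need a separate OU or an exclusion.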