
ISE Guest re authentication

Hello Community,

I have a customer that wants expired guest users to be blocked for some time (one day); after that time they get authorized to reauthenticate again through the captive portal.

Is it possible?

Thanks a lot

21 Replies

Francesco Molino
VIP Alumni

Hi

Never had such a request before but I'm quite sure this isn't possible. I mean an account is valid for x days and during these x days, the guest user can authenticate without issues.

There's no option saying block the user and then re-authenticate him again.

Can you check maybe on the API if there's something to activate expired users again? If yes, you will need to have them for 1 day and execute a scheduled script that will allow them again 2 days after.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Ok, so if a guest wants to gain access they just re-authenticate, and when it expires they reauthenticate again, it expires again, and basically they can just repeat the same process?

That’s what my customer doesn’t want.

Thanks for your time.

Ok, what your customer wants is not possible in ISE, I mean I don't see any workaround to make it work.

 

Usually you allow guest for x days and if they come back they'll go through the same process again. And more than that if you granted them access for 2 days, they can connect as much as they want. 

 

Maybe there's another solution but can you detail the real use case?


Thanks
Francesco

We need to clarify something: the guest account lasts for a specific period of days, after which it expires and can NOT be reused because it is no longer valid. BUT that account can be "reinstated" manually by the ISE administrator. You would have to investigate whether a script can be created that looks up that user in the database and reinstates/reactivates that expired guest account after X number of days of your choosing; OTHERWISE, do it by hand as I pointed out before.

Hello

Yes, of course, you are absolutely right; the thing is that I set up a script on a self-registration portal so that it works like a Hot Spot but asks for data (name and email).

So the idea is that those users who self-register don't do it constantly, but rather stay blocked for a certain time.

Thank you very much for your time.

I don't see the point of allowing self-registration if they can't use the account immediately.

No, look, the issue is this:

1. The user uses the portal, registers, and it immediately gives internet access for one hour.

2. When the hour ends the account expires and the user no longer has access.

3. The user will try to connect again, the captive portal is displayed again, where the user goes through the process again with another name and it gives him internet access.

What the customer wants is for step 3 to be allowed only one day later, that is, that the same user (PC/cell phone) cannot reconnect again.

Thanks

Hi Leo,

I suspect you will have to create an AUTHZ Policy using MAB.

Not sure if the following helps:

1.-Initial Guest Account creation, 1 hour use. Successful access. MAC address of the end-user device automatically added to an ISE Endpoint Group.

2.-1 hour later, account expired but the MAC is still in the DB.

3.-User tries to create another Guest account with a different username/email, hits an AUTHZ policy that says IF MAC in GuestEndpoint DB then deny access OR redirect to a warning page that could say something like: "you have reached the maximum amount of allowed wireless internet service".

4.-You purge the Guest Endpoint Group every 24 hours.

Hi,

I already did that but for some reason after a couple of minutes I get kicked off; maybe ISE checks something about policy matching from time to time, or some process makes me hit that rule.

Thanks a lot for your time.

802.1x requires an entire reauthentication (not reassociation) when roaming. Not sure if the same happens on CWA. Just to be safe, do you have session timeout enabled on that SSID?

Yes, the default 1.800.

 

Thanks
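
The four-step MAC-based block proposed above, replayed together with a re-authentication at the 1800-second session timeout, as an added example that is not part of the thread: a plain-Python model, not ISE configuration. The rule outcomes, the `check_lifetime` switch, the age-based purge and the sample MAC are assumptions for illustration.

```python
# Plain-Python model of the policy discussed in this thread; not ISE configuration.
GUEST_LIFETIME = 3600        # guest account valid for 1 hour (from the thread)
SESSION_TIMEOUT = 1800       # SSID session timeout reported in the thread
PURGE_AFTER = 24 * 3600      # endpoint group purged after 24 hours (step 4)


class GuestEndpointGroup:
    """Maps a device MAC to the time it registered through the portal."""

    def __init__(self):
        self.registered_at = {}

    def add(self, mac, now):
        self.registered_at[mac.lower()] = now

    def purge(self, now):
        """Drop entries at least PURGE_AFTER old; return how many were removed."""
        stale = [m for m, t in self.registered_at.items() if now - t >= PURGE_AFTER]
        for mac in stale:
            del self.registered_at[mac]
        return len(stale)


def authorize(group, mac, now, check_lifetime=True):
    """Return 'PORTAL', 'PERMIT' or 'DENY' for a MAB request from mac at time now."""
    first_seen = group.registered_at.get(mac.lower())
    if first_seen is None:
        return "PORTAL"      # unknown device: redirect to self-registration
    if check_lifetime and now - first_seen < GUEST_LIFETIME:
        return "PERMIT"      # granted hour still running (assumed extra rule)
    return "DENY"            # known device, step 3 of the proposal


def timeline(check_lifetime):
    """Replay one constructed device through registration, re-auth, retry and purge."""
    group, mac = GuestEndpointGroup(), "AA:BB:CC:00:11:22"   # constructed sample MAC
    out = [authorize(group, mac, 0, check_lifetime)]          # first visit
    group.add(mac, 0)                                          # step 1: MAC stored
    out.append(authorize(group, mac, SESSION_TIMEOUT, check_lifetime))     # mid-hour re-auth
    out.append(authorize(group, mac, GUEST_LIFETIME + 60, check_lifetime))  # retry after expiry
    group.purge(PURGE_AFTER)                                   # step 4: daily purge
    out.append(authorize(group, mac, PURGE_AFTER, check_lifetime))
    return out
```

In this model, `timeline(False)` denies the device at the 1800-second re-authentication because the deny rule only looks at group membership, while `timeline(True)` keeps it connected until the hour is used up.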

I'm sorry to disturb but if the post starts in English, it would be appreciated to continue in the same language, then everybody can help and understand what's going on.

 


Thanks
Francesco

Yes, I agree.

Sorry about that.

I was explaining the process that my customer wants to block or not permit.

The flow is something like this:

1. Users connect to the SSID with CWA (Auto register with HTML mod for Hot Spot), fill in the form and get access to Internet for one hour.

2. After that hour the users expire and finally get kicked out.

3. The users try to reconnect and again the CWA is displayed, then the user fills in the form again with another name and gets access to Internet for another hour.

What my customer wants is to block that user (PC-Smartphone) from reconnecting for a certain time.

Thanks and again sorry for the language.

When you say for a certain time, does this mean specific hours in the day or wait x minutes/hours after its last login?

 


Thanks
Francesco