Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2744
Views
0
Helpful
21
Replies

ISE Guest re authentication

Leonardo Pena Aristizabal
Level 1
Level 1

‎06-23-2018 11:53 AM - edited ‎02-21-2020 10:59 AM

Hello Community,

 

I have a customer that wants guest users expire be blocked for some time (one day) after that time they get authorize to reauthenticate again through the captive portal.

 

It’s possible?

 

Thanks a lot

Labels:
0 Helpful
21 Replies 21

Leonardo Pena Aristizabal
Level 1
Level 1
In response to Francesco Molino

‎06-25-2018 01:04 PM

x minutes/hours after its last login.

 

Thanks

0 Helpful

ajc
Level 7
Level 7
In response to Leonardo Pena Aristizabal

‎06-25-2018 01:05 PM - edited ‎06-25-2018 01:09 PM

I know there is something called ELAPSEDdays for the MAC address in the ISE Endpoint DB. Not sure if there is something called ElapsedHours, let me check

 

UPDATE: Only the first one. What if you try something like an AUTHZ policy that says:

 

If Endpoint ElapsedDays equal or greater to 1 day, then CWA

 

Let's see why you are getting disconnected.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to ajc

‎06-25-2018 01:24 PM

Yes the only thing possible is in terms of days and not hours.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Leonardo Pena Aristizabal
Level 1
Level 1
In response to Francesco Molino

‎06-25-2018 01:36 PM

So you think is possible to block a MAC/User within a day?

If yes can you please explain me how?

 

Thanks.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to Leonardo Pena Aristizabal

‎06-25-2018 01:49 PM

Nope, I was answering regarding Elapsed time expressed only in days and not hours.

For your issue, does a user has to sign a AUP? If so, you can maybe play with the condition EndPoints·LastAUPAcceptanceHours and block the user. Usually this is used to force a user re-sign AUP but in your case, you can use it to deny access with the following example:
rule 1: if EndPoints·LastAUPAcceptanceHours is less than 240 accept
rule 2: if EndPoints·LastAUPAcceptanceHours is less than 120 deny

I mean you can play with it and test if it can make working what you're trying to achieve.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Leonardo Pena Aristizabal
Level 1
Level 1
In response to Francesco Molino

‎06-25-2018 02:00 PM

I think that's the way, let me check.

 

Thank you very much

0 Helpful

ajc
Level 7
Level 7
In response to Leonardo Pena Aristizabal

‎06-25-2018 02:17 PM - edited ‎06-25-2018 02:21 PM

I was checking and I got the same as Francesco, via Last AUP Acceptance. The ElapsedDays is only for the Purge Endpoints part.

 

pic5.png

0 Helpful
Customers Also Viewed These Support Documents