ISE - Registered Guest Device Endpoint MAC Database

User42
Level 1

Hi everyone

If I configure Self registered Guest Access:

Guest Register Himself -> Guest Logs in -> Endpoint gets written in the Endpoint Database

Guest User is active for 1 Day. Endpoint purge is every 5 days.

Then if the MAC doesn't change, this endpoint has access for 5 days, is this correct?

Is there a way to connect these two things, so the endpoint doesn't have access when the account is disabled?

Thanks in advance!

Accepted Solutions

Arne Bier
VIP

There are two approaches

1) Do not use the MAC address "RememberMe" feature - instead, use the Guest Flow method. This ensures that the guest session is authorized immediately after login on the portal, and remains authorized for as long as the session is active (RADIUS Session-Timeout). The only downside is that if the user is roaming, then they will be forced to log in again. I have not used this feature in a long time.

2) Use the MAC address (RememberMe feature) and have an Endpoint Purge for each type of Guest Type. The problem with self-registered guests is that they must all be of the same type - they cannot select (at registration) how many days' access they need. So you need to make a decision about the duration that applies to ALL self-registered guests. In the most extreme case, you could run an unconditional Endpoint Purge at 3AM every day to purge all self-registered guests. That might annoy your long-term guests though. But chances are, self-registered guests are more often those that only visit for a day or so. Long-term guests can be created in Sponsor Portal and will be of a different Guest Type, and also have a longer purge interval.
