06-30-2016 01:44 AM
Hi,
Our customer wants to use 1 guest account (not generating a new account per visitor) with - after authenticating on the web portal - 30min access to the wireless network.
After that, the user should get the portal once again and log in with those account details to have another 30min of network access.
I understand that 30min accounts can be configured, but is it supported to
Any other complications you might see?
The alternative I was thinking about, was using an internal user and setting a re-auth timer of 30min. Not sure how well that would work.
Regards
Gert
06-30-2016 08:41 AM
If you create a 30 min account then it will only be good for 30 min.
You're really looking for a sort of 30 min hotspot, right? You can create a permanent internal account and give that out. Rotate it when you like. Beware that if you have the BYOD flow enabled on the same portal then this account will go through BYOD. If that's the case you would use another portal or create a long-term guest account to use instead.
Does this credential ever need to be regenerated? Or can it be a static username/password that just sits in the page? Do they have to have access to the username/password or can it be embedded (hidden) in the page?
The RADIUS session timeout can be set to 30 min to kick the user out and make them log in again.
07-03-2016 10:43 PM
Hi Jason,
Thanks for the reply!
The guest username/password is static and will only need to be changed every couple of months/year by the ISE admin. With that in mind, an internal user would be a good match.
To configure this, I was initially thinking of a specific guest type, however that is probably not helping as we would be using internal users, rather than guest users.
Can you confirm the Cisco WLCs are supporting the RADIUS session-timeout attribute?
I believe I would configure the ISE authorization profile to be:
Many thanks
Gert
Gert Tilburgs - CCIE R&S 21187
Network Consulting Engineer
Cisco Security Services
Phone: +3227046188 - Email: gtilburg@cisco.com
07-05-2016 08:27 AM
Yes, be sure to have Allow AAA Override on the WLAN.
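Added example, not part of the original thread: a small check that a RADIUS Access-Accept actually carries the 30 min Session-Timeout discussed above (attribute 27 per RFC 2865). The packets are constructed samples with a zeroed authenticator; in practice the bytes would come from a capture between the RADIUS server and the WLC, and the function names are hypothetical.

```python
import struct

ACCESS_ACCEPT = 2          # RFC 2865 packet code
SESSION_TIMEOUT = 27       # RFC 2865 attribute, 32-bit value in seconds
TERMINATION_ACTION = 29    # RFC 2865 attribute, 1 = RADIUS-Request

def build_access_accept(identifier, attrs):
    """Constructed sample packet: header plus integer attributes (zeroed authenticator)."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, identifier, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return (code, {attr_type: raw_value_bytes}), rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return code, attrs

def check_session_timeout(packet, expected_seconds=1800):
    """Return a list of problems; empty means the expected timeout is present."""
    code, attrs = parse_attributes(packet)
    problems = []
    if code != ACCESS_ACCEPT:
        problems.append("not an Access-Accept")
    raw = attrs.get(SESSION_TIMEOUT)
    if raw is None:
        problems.append("Session-Timeout missing")
    elif len(raw) != 4:
        problems.append("Session-Timeout malformed")
    elif struct.unpack("!I", raw)[0] != expected_seconds:
        problems.append("Session-Timeout is %d s" % struct.unpack("!I", raw)[0])
    return problems

# Constructed samples: one with the 30 min timeout, one without it.
GOOD = build_access_accept(1, [(SESSION_TIMEOUT, 1800), (TERMINATION_ACTION, 1)])
NO_TIMEOUT = build_access_accept(2, [])
if __name__ == "__main__":
    print(check_session_timeout(GOOD), check_session_timeout(NO_TIMEOUT))
```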