WCS expiring guest accounts early

Aug 22nd, 2011

Hi Folks,

We've had a number of reports from our Service Desk (who create the guest accounts for us) that they've been getting users whose long-term accounts (90 days) expire early.

I've taken a look at the settings and sure enough, today there are accounts on WCS that are showing as expired but have a long life time.

Example:

User(x) created on 13th July with an expiry of the 15th Sept

User(y) created on 12th July with an expiry of the 12th Oct

These are only a couple listed here, but the problem seems to be widespread across long-life accounts. I've checked the clocks and they're all synced between WCS and the WLCs. When accounts are created they are done through WCS and pushed down to the single mobility anchor (our topology is 6 WLCs split over 2 sites, with a 7th WLC for MA with a toe in the internet DMZ).

We're running 7.0.172.0 of WCS and 7.0.116.0 on all the WLCs. I think the problem has started to occur as it's really only now that we're using longer life-time accounts in anger.

Originally the accounts were being deleted by the cleaner process, so it just looked like the accounts were disappearing - we've stopped this and now it just shows that they expire.

Any suggestions that you can give as to why this might be occurring would be great! Unfortunately we can't create 'unlimited' accounts as our policy is that they should have a lifetime of no more than 3 months, so the overhead on monitoring would be too big - so there has to be an automated process.

Thanks in advance!

Kev

hogant Tue, 09/06/2011 - 13:02

Hi Kev,

Found your note - I have similar issues - running same versions of code.

Any update?

I have a TAC case open and will post any findings.

Tim

kev-matthews Mon, 09/12/2011 - 01:18

Hi Tim,

I forgot all about this thread (have been on holiday). It looks like 30 days is the longest time period that you can set an account. Despite WCS allowing you to set accounts with a huge lifetime, when it gets pushed down to the WLC, the WLC max-lifetime kicks in at 30 days. (To verify this I logged into the VTY and tried to configure a guest account and the largest you can get is 30 days.)

So, it looks like we need to purchase some identity management tech to get over that one.

Hope that helps

Kev

hogant Tue, 09/13/2011 - 11:46

Thanks for the update. Will let you know if I find anything new.

The WCS is supposed to manage and re-issue credentials as they expire.

Traces and logs provided to Cisco show the auto expiration but not the re-issue.

Cisco is checking in their labs.

Take Care,

Tim

kev-matthews Tue, 09/13/2011 - 11:57

Thanks Tim!

That makes sense in that it would in some ways explain why there's one guest account that does seem to keep rolling (for no apparent reason!)

Please do keep me posted :o)

Kev


hogant Tue, 10/18/2011 - 09:14

TAC update: CSCtt17518 will be fixed. The fix is to extend the life of the guest user to beyond the 30 day limit that the controller currently has. So that fix is in the controller code. The WCS code will also need to be fixed to allow guest users to be able to be pushed to the controller with a life longer than 30 days. At this time it looks like both fixes will be in 7.0MR3 and 7.2. Since 7.0MR2 is scheduled to come out within a week or two and 7.0MR3 will not be available until at least Feb. 2012

kev-matthews Tue, 10/18/2011 - 14:05

Thanks Tim, I guess it'll give me a 'service improvement' to mark on my performance review next year!

naburleson Thu, 11/08/2012 - 06:38

I upgraded to WLC 7.0.235.0 and WCS 7.0.230.0 and am still getting users complaining about their accounts expiring early. Someone please correct me if I have misread something, but the WCS is supposed to check the account every so often and re-provision the account based on the expire date set? We set up our users with 90-day accounts that are pushed to two 5508 controllers running the code above. The process works well but the expiration of accounts has become an issue. Anyone know if the bug was truly fixed in 7.0.235 code or do I need to set the lifetime of the account lower?

naburleson Mon, 11/19/2012 - 06:23

I've confirmed the new code is provisioning accounts correctly now for periods longer than 30 days. Accounts that were provisioned prior to the code upgrade were set to 30 days because of the previous bug, but once you provision a new user it applies the correct lifetime to the account.
