Expire account in Cisco ISE1.2

maraz
Level 1

Hello,

We have a Cisco ISE, version 1.2, with the latest patches. We are doing wireless Dot1x with guest accounts, and the role for the accounts is "Activatedguest". We are a bit puzzled by the fact that even if accounts have expired, we are able to log in with them. Seems like a bug. Has anybody else run into this?

5 Replies

Saurav Lodh
Level 7

ActivatedGuest: Users can bypass the Guest portal and access the network by providing credentials to the native supplicant on their device (such as with IEEE 802.1X (dot1x) authentication).

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_guest_pol.html

radu.ioncu
Level 1

Hi,

This would normally mean that you are only authenticating users, and not authorizing them. Check your authorization rules and that you have correctly configured your WLC with "Enable AAA Override".

Radu

Venkatesh Attuluri
Cisco Employee

Have you tried deleting or suspending the account from the sponsor portal?

kaaftab
Level 4

Do verify which policy is allowing the user to log in; it will help you narrow down the issue. Also delete the account and recreate it, as suggested in the last post.

mohanak
Cisco Employee

 

ActivatedGuest

Users can bypass the Guest portal and access the network by providing credentials to the native supplicant on their device (such as with IEEE 802.1X (dot1x) authentication).

Some users might make a first connection via another method than the Central Web interface, for example, via 802.1X authentication or via VPN sessions. This would not work if the user is created as a “Guest” user. When a user is created as “ActivatedGuest”, its status is immediately set to “Active” and users can immediately log on with other methods than CWA.

[1] “Password Change at first logon” is not possible for “ActivatedGuests” and

[2] an AUP (Acceptable Use Policy) can’t be shown to “ActivatedGuests”. It is assumed “ActivatedGuests” users inherently agree with the AUP when the account is created.