Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Guest WiFi Time Profile

I have created a guest user and selected a Time Profile that is supposed to allow the user to remain logged in for 3 weeks (by selecting the default time profile in Sponsor portal, Three_Weeks). According to ISE guidelines, this user should not be disconnected from first login until 3 weeks!

In testing this setup with a user having an Android phone, the user stayed connected the whole day. However when the user came in the next day, this morning and connected to the guest WiFi SSID, he was prompted to login. In ISE the Authentication logs show that the user is still logged in since yesterday.

The expectation was that the guest user will not be required (i.e. prompted) to login again the next day. How can this be achieved with Android and other smartphones (iPhone, Windows)?

Systems Infor: ISE ver 1.1.1; WLC 5508 software ver 7.2.111.3

Many thanks.

Sankung

Everyone's tags (1)
7 REPLIES

Guest WiFi Time Profile

I persoanlly havent configured this option yet. Can you share where its mentioned that once a client logs in it will not have to log in again during the allowed time period ?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Guest WiFi Time Profile

You will need to disable the idle timer for your open ssid (make sure you enable CoA support too), otherwise the wireless controller will drop the session at some point after the device has disconnected, and the ISE server won't be able to match the session id to the logged in guest user, and will then match your webauth redirect rule instead.

Community Member

Guest WiFi Time Profile

Hi,

Would it be better/easier to create a separate WLAN and SSID, and then enable MAC Filtering for this WLAN on the WLC? I don't know whether this would conflict with RADIUS server settings.

Many thanks.

Sankung.

Re: Guest WiFi Time Profile

If we are talking about user idle timeout that's a problem. If you lengthen that value clients will sit in your tables for extended amounts of time. You would be surprised how many devices wall off and never send a deauth.

As for the issue at hand. I poked around and didn't find anything documented stating the option they would never have to log in again. It's normal procedure for a client to present their values if they walk away from the network. Especially if that devices is lost or stolen.



Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
Community Member

Re: Guest WiFi Time Profile

Hi Sankung

Time profiles allow a sponsor to assign different levels of access time to a guest account. For example,

you can assign a time profile that allows a guest access during a workweek day but not during a weekend

day.

After time profiles are created, you must change the sponsor user group to allow sponsors in that group

to be able to provision accounts to the appropriate time profiles that are created. You can choose the

sponsor user groups that are allowed to assign certain time profiles to guests.

By default, a sponsor user group has the ability to assign guests to the default time profile.

Administrators can choose which additional time profiles the sponsor can be assigned, and they can also

remove the default time profile from the user group.

Each sponsor user group must have the ability to assign guests to at least one time profile.

If a sponsor user group has only one time profile selected, sponsors will be able to select that time profile

alone. If sponsors can choose more than one time profile, they can view a drop-down menu from which

they can choose the time profile to be assigned to the account during the account creation.

Step 1 From the Cisco ISE Administration interface, select Administration > Guest Management > Settings.

Step 2 In the Settings panel, select Guest > Time Profiles.

Step 3 Click one of the following:

   • Add—to create a new time profile

   • Edit—to edit an existing time profile

   • Duplicate—to duplicate an existing time profile

Step 4 Enter the name and description of the new time profile.

Step 5 Select a Time Zone for Restrictions. Time Restrictions are a set of time periods during which a guest

           account associated with that time profile would not be granted access to the network or guest portal.

Step 6 From the Account Type drop- down menu, choose one of the predefined options:

   • StartEnd—allows sponsors to define start and end times for account durations

   • FromFirstLogin—allows sponsors to define the duration of time that guests can have access after login

   • FromCreation—allows sponsors to define the duration of time that guest can have access after account creation

Step 7 Set the Duration for which the account will be active. The account expires after the duration set here

           has expired. This option is available only if you select the Account Type as FromFirstLogin or FromCreation.

Step 8 Set the Restrictions for the guest access.

           These restrictions are composed of a day of the week and a start and end clock time. The Time Zone

            value specified in the time profile affects the clock times set in any of the Time Restrictions within the

             time profile. For example, a Time Restriction that specifies Monday 12:00 am to 8:00 am and Monday

             6:00 pm to 11:59 pm would only grant system access between 8:00 am and 6:00 pm on Mondays within

            the time zone of the time profile. Any other day of the week would have no time restriction in this example and 

            system access would be granted at any time.

Step 9 Click Submit.

Time profiles do not define the start and end times. This is done during the account creation. The time profile can have restrictions that fall outside the start and end time specified in a Guest account while creation. Only those restrictions that cover the start end time of the account will be applied to the account.

Best Regards:


Muhammad Munir

Community Member

Guest WiFi Time Profile

Hi Guys,

I decided to use just Layer 2 security (WPA2+PSK) for the WLAN/SSID and turned off layer 3 web policy (i.e. disabled web authentication). I think that is more manageable than MAC filtering.

Anyway, many thanks to everyone for sharing your thoughtd and advice.

Regards

Sankung

Community Member

Re: Guest WiFi Time Profile

Time profiles do not define the start and end times. This is done during the account creation. The time

profile can have restrictions that fall outside the start and end time specified in a Guest account while

creation. Only those restrictions that cover the start end time of the account will be applied to the

account.

For a WLC the Allow AAA Override must be turned on in the WLAN configuration. The RADIUS

access-accept will contain a Session-Timeout value in seconds, remaining for the account. When this

time has elapsed, NAD will close the connection.

511
Views
0
Helpful
7
Replies
CreatePlease to create content