Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ISE Guest account expired but user still authenticated

I am testing the CWA and noticed that even though the guest account has expired the connection is still up and the switchport shows:

ISEtest3560#show authentication sessions interface fastEthernet 0/2

            Interface:  FastEthernet0/2

          MAC Address:  001d.09cb.78bd

           IP Address:  10.2.8.31

            User-Name:  joe.harbison@csiweb.com

               Status:  Authz Success

               Domain:  DATA

      Security Policy:  Should Secure

      Security Status:  Unsecure

       Oper host mode:  multi-auth

     Oper control dir:  both

        Authorized By:  Authentication Server

           Vlan Group:  N/A

              ACS ACL:  xACSACLx-IP-GUEST-524448ff

      Session timeout:  N/A

         Idle timeout:  N/A

    Common Session ID:  0A0003E60000004009EEE336

      Acct Session ID:  0x00000380

               Handle:  0xC2000040

Runnable methods list:

       Method   State

       dot1x    Failed over

       mab      Authc Success

I would have thought that when the account was no longer valid the switch would have gone back to its default state.  Also on the legacy NAC you could see the guest accounts as a local account, when we create a guest account throught the sponsor portal we don't see it in the Guest Identity group.  We are looking @ that group for within one of our authorizational profiles.

Thanks,

Joe

13 REPLIES
New Member

ISE Guest account expired but user still authenticated

Update:

Still having the same issues, I have tested by allowing an account to expire, there is no CoA or any radius messages sent to the switch and the user stays authenticated.  If I do a CoA from ISE the port does recieve radius messages and since and it goes back to the "Web Auth" authorization profile.  Even if I suspend the account the user is still authenticated.

Has anyone else experience this?

Thanks,

Joe

New Member

ISE Guest account expired but user still authenticated

I'm thinking that it would be based on the command:

authentication timer reauthenticate xxxx

I'm not sure I've seen anthing that sends a CoA on expiry of a guest account, the switch would have to trigger.

If you clear suth sess int fa0/2 what does it do then?

You will not be able to see sponsor created accounts within the guest account section. This lists only accounts created manually through the ISE GUI. As far as I know the only way to see the sponsor created accounts is through a sponsor all account on the sponsor portal (for all of them), or through the individual sponsor own/sponsor group.

New Member

ISE Guest account expired but user still authenticated

I am confused on how the revocation of access occurs for a guest account.  From what I have experienced as long as the guest doesn't unplug their device (only testing wired now) they have full guest access even if thier account expires or is suspeneded.  Does the "authentication timer reauthenticate xxxx" tell the switch to check the status of each port to determine if is valid?  My lack of knowledge might be the issue here, but I would expect that the authorization part would go back to "web auth" if the users account has been disabled or suspended. 

To answer your question, if I clear the aut session int fa 0/2, the port goes past the authentication MAB and then hits the CWA Authorization profile.  If the use attempt to browse they are presented with the guest login portal.  This what I would have expected automatically when the account has expired.

Thanks,

Joe

New Member

Re: ISE Guest account expired but user still authenticated

yes i got the same problem ,

plus i noticed that this issue appears when the guest accounting is made via wired device (cat3750 , or cat 4500 ) ,

but not via a wireless device ( ex : WLC don't seems to suffer of the same problem ) ,

New Member

Re: ISE Guest account expired but user still authenticated

So the ISE can send some type or CoA to the WLC but can't to a switch?  Do you see any messages that come from ISE to the WLC that aren't present when guest account expires for wired?

This seems to be a feature that could be implemented or am I over simplifying this?

Thanks,

Joe

New Member

Re: ISE Guest account expired but user still authenticated

The authentication timer reauthenticate xxxx tells the switch (on an individual port basis) when to go back to ISE for re-authentication.
It would be good if when a guest account expires, that Change of Auth we're sent to the switch automatically to proactively initiate the same from the ISE. But I don't believe it does.
Not a problem in most cases where guests are given a day or a week access, but not so good if you're strictly controlling access by the hour for instance.
What version are you using?
I'm interested in having a look through to see whether it is possible to send a CoA automatically from ISE.
I suspect not, unless introduced in 1.2 and it's subsequent patches.

Sent from Cisco Technical Support iPhone App

New Member

Re: ISE Guest account expired but user still authenticated

In the mean time, do you know that your CoA is working for any other application?
I.e do you have dynamic author set up correctly on the switch? Would it be allowed through any firewalls, or are there none?
So...if ISE we're able to issue CoA on guest account expiry, would it get through to your switch and be accepted?

Sent from Cisco Technical Support iPhone App

New Member

Re: ISE Guest account expired but user still authenticated

We are running version 1.1.4.218.

If I do a CoA from the Session Directory, Radius Active Sessions, I do see that the port does change status.  I would expect that this proves ISE can do a CoA on the switch, correct?

If ISE doesn't do a CoA on a guest account switch port and there is no authentication timer reauth xxxx command on the port then after the guest authenticates there is no restriction to the port until the port state changes? 

Thanks,

Joe

New Member

Re: ISE Guest account expired but user still authenticated

Yes, correct. The reauth timer should be set to suit, but it does seem to be a weakness that an expired guest account doesn't force CoA.

Sent from Cisco Technical Support iPhone App

New Member

Re: ISE Guest account expired but user still authenticated

I put the command authentication timer reauthenticate 60 on interface fa0/2, setup a guest account that was restricted to 1 hour.  The guest account has now expired but the interface still shows authenticated:

ISEtest3560#show authentication sessions interface fastEthernet 0/2

            Interface:  FastEthernet0/2

          MAC Address:  001d.09cb.78bd

           IP Address:  10.2.8.31

            User-Name:  gtest@test.com

               Status:  Authz Success

               Domain:  DATA

      Security Policy:  Should Secure

      Security Status:  Unsecure

       Oper host mode:  multi-auth

     Oper control dir:  both

        Authorized By:  Authentication Server

           Vlan Group:  N/A

              ACS ACL:  xACSACLx-IP-GUEST-524448ff

      Session timeout:  N/A

         Idle timeout:  N/A

    Common Session ID:  0A0003E60000004F1EAC0F55

      Acct Session ID:  0x000004B4

               Handle:  0x0D00004F

Runnable methods list:

       Method   State

       dot1x    Failed over

       mab      Authc Success

I assume that the value for the command is in seconds, correct?

Thanks,

Joe

New Member

Re: ISE Guest account expired but user still authenticated

joeharb wrote:

I put the command authentication timer reauthenticate 60 on interface fa0/2, setup a guest account that was restricted to 1 hour.  The guest account has now expired but the interface still shows authenticated:


Hi joe ,

regarding "reauthenticate xx" command , 60 min is default timer  for reauth , a swichport with no specific setting does reauth every 60  min automatically , i personally tried every variation of reauth/deauth commands on the switchport

but nothing seems to work.

"WLC connected guests" seems to perform the CoA but is quite diffrent scenario ;

since we use a vlan "Xxx" as a "limbo" space where we

got fews acls redirecting traffic from the lan to our ISE policy server nodes in order to be authenticated,

I suppose , but maybe i'm wrong , that somehow changing ip from the limbo VLAN to the one where the host is suppose to land according to our ISE policy made ise "wakeup" and force it to send a CoA to the WLC.

Otherwise in the wired scenario ,the vlan where hosts are when they're  authenticating is the sameone used

for navigation , so the catalyst switch somehow still"belive" to be in front of a valid ( still auth ) connection

and permit the host to make traffic.

As you suggest i gotta check the WLC log output when a guest expires ...see what we got different from the CAT4500 one.

ByeZ

eugenio

New Member

ISE Guest account expired but user still authenticated

I am agree with the second comment from the ID (bikespace) only suggestion from my side will the rules made for the guest users in ISE.

If possibly many rules are made sometime It happens to move the rule to top for the effect.

New Member

Re: ISE Guest account expired but user still authenticated

bump....

any news?

btw i already opened an official case to cisco-support

i'll let you know something as soon as i got an official answer

eugenio

Official news from CIsco :

After  reviewing and researching on this issue I found that you are looking to ISE to remove the endpoint after the guest user credentials expire, is  that correct? If yes, ISE does not have this feature today. I have  informed your account NCE team with some more information and presently  waiting on them. Once I hear back I will update you more on this issue.

Thank you for your time and co-operation.

Regards,

so....that's it guys

sorry

Message was edited by: eugenio desideri (after Cisco Official Response to my opened case)

1439
Views
0
Helpful
13
Replies
CreatePlease to create content