ISE, WLC: web auth, blocking user account

Jaaazman777
Level 1

Hello!

We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).

On the WLC there is an SSID (WLAN) with MAC filtering and no L2 security. For authentication the user is redirected to the ISE Guest Portal.

Credentials are created at the ISE sponsor portal.

We create user account in ISE sponsor portal with one hour lease.

After 10 minutes we delete (or block) the user credentials.

In spite of this, the user is still able to work. Even if we manually disconnect the client and reconnect it again, the client opens the browser and there is no redirection to the ISE web auth page.

This happens because the WLC thinks that the client is still associated.

There are session and idle timeout timers in the WLC WLAN, but they can't solve the problem of automatically removing the client session.

From my point of view, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible.

In practice, ISE doesn't tell the WLC or the user that the client session is blocked.

How can the user account blocking process be automated without manually deleting the client session from the WLC client database?

6 Replies

Shaoqin Li
Level 3

I can't remember precisely, but once a guest account times out or an admin deactivates it, ISE should send a CoA to the WLC; please check the user guide.

You get redirected successfully, so I would think your WLC config is correct, with RADIUS NAC and AAA override.

Check the ISE live log first to see whether it sends a CoA to the WLC.

Sent from Cisco Technical Support iPad App

Ravi Singh
Level 7

Shaoqin is absolutely right. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC. There is some problem with your ISE configuration; please cross-check. For more detail you can see the link below.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_guest_pol.html

Jaaazman777
Level 1

Thank you for the reply!

Sending a CoA to the WLC after deleting the guest account really seems to be the right way =)

After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC

Is it the default behaviour of ISE?

I didn't find any information about enabling or disabling this function.

Yes this is the default behaviour of ISE.

It seems that there is a bug about CoA when deleting guest accounts:

CSCuc82135

Guests need to be removed from the network on Suspend/Delete/Expiration

When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exist.

Workaround: Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891

In the Bug Toolkit, the "Fixed-in" field shows Release-Pending.
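The release-note workaround above (reissue the CoA from the Monitoring report's session data) can be scripted. The following is an added example, not code from the thread or from Cisco: it builds RFC 5176 Disconnect-Request packets, which is what a CoA session termination is on the wire, for the sessions of deleted guest users. The session rows, the shared secret and the WLC address are constructed stand-ins, and `SESSION_REPORT`, `build_disconnect_request`, `response_is_authentic` and `send_disconnects` are names chosen here, not ISE or WLC APIs.

```python
"""Added example, not from the thread: script the release-note workaround by
building RFC 5176 Disconnect-Requests for the RADIUS sessions of deleted guest
users. Session rows, shared secret and WLC address are constructed stand-ins."""
import hashlib, socket, struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42  # RFC 5176 packet codes
COA_PORT = 3799                                                  # RFC 5176 default UDP port on the NAS (WLC)
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44       # RADIUS attribute types
# Constructed stand-in for the ISE Monitoring session report (user, MAC, NAS IP, session id).
SESSION_REPORT = [
    {"user": "guest01", "mac": "00-11-22-33-44-55", "nas": "192.0.2.10", "sid": "5a0d3c01/17"},
    {"user": "guest02", "mac": "00-11-22-33-44-66", "nas": "192.0.2.10", "sid": "5a0d3c02/18"},
]

def radius_avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    data = value.encode()
    return struct.pack("!BB", attr_type, len(data) + 2) + data

def build_disconnect_request(secret, identifier, row):
    """RFC 5176 s.2.3: Authenticator = MD5(Code+ID+Length+16 zero octets+Attrs+Secret)."""
    attrs = (radius_avp(USER_NAME, row["user"]) + radius_avp(CALLING_STATION_ID, row["mac"])
             + radius_avp(ACCT_SESSION_ID, row["sid"]))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def response_authenticator(header, request_auth, attrs, secret):
    """RFC 5176 s.2.3 reply rule: MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def response_is_authentic(response, request_auth, secret):
    """True only for an ACK/NAK whose authenticator proves the WLC knows the secret."""
    if len(response) < 20:
        return False
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(response[:4], request_auth, response[20:length], secret)
    return code in (DISCONNECT_ACK, DISCONNECT_NAK) and response[4:20] == expected

def send_disconnects(secret, deleted_users, report=SESSION_REPORT):
    """One Disconnect-Request per session of a deleted user; returns {user: outcome}."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    results = {}
    for ident, row in enumerate(r for r in report if r["user"] in deleted_users):
        pkt = build_disconnect_request(secret, ident & 0xFF, row)
        sock.sendto(pkt, (row["nas"], COA_PORT))
        try:
            resp, _ = sock.recvfrom(4096)
            ok = response_is_authentic(resp, pkt[4:20], secret) and resp[0] == DISCONNECT_ACK
            results[row["user"]] = "ack" if ok else "nak or bad authenticator"
        except socket.timeout:
            results[row["user"]] = "no response"  # CoA not enabled on WLC, wrong secret or port
    return results
```

A "no response" or a NAK is the cue to check the WLC's RADIUS NAC / CoA settings and the ISE live log rather than to assume the session is gone.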

Jaaazman777
Level 1

Practical tests show that:

- ISE does not send a CoA automatically when you delete or suspend a user account.

- When the account is expired by the timer, CoA works well.

In other words, when we give the DefaultOneHour profile to a user account, after one hour ISE expires the account and sends a CoA to the client.