06-25-2013 06:11 AM - last edited on 03-25-2019 05:30 PM by ciscomoderator
Hello!
We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
On the WLC there is an SSID (WLAN) with MAC filtering and no L2 security. For authentication, the user is redirected to the ISE Guest Portal.
Credentials are created in the ISE sponsor portal.
We create a user account in the ISE sponsor portal with a one-hour lease.
After 10 minutes we delete (or block) the user credentials.
In spite of this, the user is still able to work. Even if we manually disconnect the client and reconnect it again, the client opens the browser and there is no redirection to the ISE web auth page.
This happens because the WLC thinks that the client is still associated.
There are session and idle timeout timers in the WLC WLAN, but they can't solve the problem of automatically removing the client session.
From my point of view, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible.
In practice, ISE doesn't tell the WLC or the user that the client session is blocked.
How can the user account blocking process be automated without manually deleting the client session from the WLC client database?
06-25-2013 09:10 AM
I can't remember precisely, but once a guest account times out or an admin deactivates it, ISE should send a CoA to the WLC; please check the user guide.
You get redirected successfully, so I would think your WLC config is correct, with RADIUS NAC and AAA override.
Check the ISE live log to see whether it sends a CoA to the WLC first.
Sent from Cisco Technical Support iPad App
06-25-2013 08:40 PM
Shaogin is absolutely right. After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC. There is some problem with the ISE configuration; please cross-check. For more detail, see the link below.
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_guest_pol.html
06-26-2013 01:05 AM
Thank you for the reply!
Sending a CoA to the WLC after deleting a guest account really seems to be the right way =)
"After the endpoint is created or updated, a success page appears, followed by a CoA termination being sent to the NAD/WLC"
Is this the default behaviour of ISE?
I didn't find any information about enabling or disabling this function.
06-26-2013 01:08 AM
Yes, this is the default behaviour of ISE.
06-26-2013 01:49 AM
It seems that there is a bug regarding CoA when deleting guest accounts:
"Guests need to be removed from the network on Suspend/Delete/Expiration. When a guest user is deleted from the system, the RADIUS sessions associated with that guest user still exist. Workaround: Reissue the Change of Authorization using the session information from Monitoring reports for the sessions associated with that guest user."
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
In the Bug Toolkit, the "Fixed-in" field shows Release-Pending.
06-26-2013 05:48 AM
Practical tests show that:
- ISE does not send a CoA automatically when you delete or suspend a user account.
- When the account is expired by the timer, the CoA works well.
In other words, when we give the DefaultOneHour profile to a user account, after one hour ISE expires the account and sends a CoA to the client.
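The gap described in this thread (ISE not issuing a CoA when a guest account is deleted or suspended, and the release-note workaround of reissuing the Change of Authorization from the session information in the Monitoring reports) comes down to one RADIUS message: an RFC 5176 Disconnect-Request, the "CoA termination" the WLC acts on. The following is an added example, not part of the original posts and not Cisco's or ISE's code: it builds that packet with the Request Authenticator computed exactly as RFC 5176 specifies, simulates the NAD's Disconnect-ACK/NAK so the exchange can be checked offline, and verifies the Response Authenticator so a spoofed reply is rejected. The NAD address, shared secret, CoA port (Cisco NADs commonly listen on UDP/1700; the RFC default is 3799) and the session attribute values (User-Name, Calling-Station-Id, Acct-Session-Id) are placeholders to be filled from your own ISE session data.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS packet codes from RFC 5176
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types used to identify the session (RFC 2865/2866/5176)
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101  # present in a Disconnect-NAK, 4-byte integer

# Assumption: Cisco WLCs listen for CoA on UDP/1700; RFC 5176 default is 3799.
CISCO_COA_PORT = 1700


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value (max 253 bytes)."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Decode a TLV attribute list into [(type, value_bytes), ...], rejecting truncation."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_disconnect_request(secret, identifier, attrs):
    """Return (packet, request_authenticator) for a Disconnect-Request.

    RFC 5176 section 3: Request Authenticator = MD5(Code + ID + Length +
    16 zero octets + Attributes + Secret). MD5 is mandated by the protocol.
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    request_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_auth + body, request_auth


def build_response(code, identifier, request_auth, attrs, secret):
    """Build a Disconnect-ACK/NAK the way the NAD does (used here to simulate the WLC).

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet, request_auth, secret):
    """Validate a Disconnect-ACK/NAK against the Request Authenticator we sent.

    Returns (code, identifier, attrs); raises ValueError on a malformed packet
    or an authenticator mismatch (wrong secret, wrong request, or a forged reply).
    """
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        raise ValueError("not a well-formed Disconnect response")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch")
    return code, identifier, parse_attrs(body)


def send_disconnect(nad_host, secret, attrs, port=CISCO_COA_PORT, identifier=1, timeout=3.0):
    """Send the Disconnect-Request to a real NAD and return (code, attrs) from its reply."""
    packet, request_auth = build_disconnect_request(secret, identifier, attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (nad_host, port))
        reply, _ = sock.recvfrom(4096)
    code, _, reply_attrs = verify_response(reply, request_auth, secret)
    return code, reply_attrs


if __name__ == "__main__":
    # Constructed sample session (values as you would copy them from the ISE
    # live sessions / Monitoring report); NAD address and secret are placeholders.
    session = [
        (ATTR_USER_NAME, "guest01"),
        (ATTR_CALLING_STATION_ID, "00-11-22-33-44-55"),
        (ATTR_ACCT_SESSION_ID, "5200029b/00:11:22:33:44:55/42"),
    ]
    code, reply_attrs = send_disconnect("192.0.2.10", b"radius-secret", session)
    print("Disconnect-ACK" if code == DISCONNECT_ACK else "Disconnect-NAK", reply_attrs)
```

A Disconnect-NAK carries an Error-Cause attribute (type 101); 503 "Session Context Not Found" is the one to expect if the session identifiers do not match what the WLC holds, which is why the attributes should be taken from the actual session record rather than guessed. The WLC must also have the sending host configured as a RADIUS/CoA client with the same shared secret, or the request is silently dropped.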