09-27-2013 12:14 PM - edited 03-10-2019 08:56 PM
I am testing the CWA and noticed that even though the guest account has expired, the connection is still up and the switchport shows:
ISEtest3560#show authentication sessions interface fastEthernet 0/2
Interface: FastEthernet0/2
MAC Address: 001d.09cb.78bd
IP Address: 10.2.8.31
User-Name: joe.harbison@csiweb.com
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-GUEST-524448ff
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0003E60000004009EEE336
Acct Session ID: 0x00000380
Handle: 0xC2000040
Runnable methods list:
Method   State
dot1x    Failed over
mab      Authc Success
I would have thought that when the account was no longer valid the switch would have gone back to its default state. Also, on the legacy NAC you could see the guest accounts as a local account. When we create a guest account through the sponsor portal, we don't see it in the Guest Identity group. We are looking at that group within one of our authorization profiles.
Thanks,
Joe