Cisco ISE Force Guests to accept AUP

Here is how I usually configure the NEW-Guest-Endpoints purge policy, and the options we have for it.

Administration > Identity Management > Settings > Endpoint Purge

ElapsedDays: the number of days since the endpoint object was created.

For a daily purge:

"Elapsed Days less than 1": This works for brand new endpoints, but what if you implement this purge rule after ISE has already learned the MAC addresses for a few days? Those endpoints will never get purged.

"Elapsed Days less than 9999": All MAC addresses in ISE are less than 9,999 days old, so if the MAC address is in the NEW-Guest-Endpoints group it will get purged. This one is good if ISE has already learned MAC addresses and they are already in the system.

For a purge after 48 hours:

"Elapsed Days EQUALS 2": The timer starts when the endpoint is first learned by ISE.

1. Example 1
Day 0 – 9 am – an endpoint is learned – elapsed days = 0
Day 1 – 3 am – scheduled purge
Day 1 – 9 am – elapsed days = 1
Day 2 – 3 am – scheduled purge
Day 2 – 9 am – elapsed days = 2
Day 3 – 3 am – scheduled purge – the endpoint is removed
Total: 66 hours

2. Example 2
Day 0 – 2:30 am – an endpoint is learned – elapsed days = 0
Day 0 – 3 am – scheduled purge
Day 1 – 2:30 am – elapsed days = 1
Day 1 – 3 am – scheduled purge
Day 2 – 2:30 am – elapsed days = 2
Day 2 – 3 am – scheduled purge – the endpoint is removed
Total: 48.5 hours
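The two examples above can be reproduced with a small model of the purge logic: ElapsedDays is the whole number of days since the endpoint was created, and a purge run at 3 am removes the endpoint when the rule condition is true for that value. The script below is an added example for this post, not Cisco ISE code or output; it assumes a single nightly purge at 3 am (as in the examples) and models only the three rule variants discussed (less than 1, less than 9999, equals 2). It also shows the "rule implemented late" case: an endpoint learned several days before the rule exists is never matched by "less than 1", and is matched on the very next run by "less than 9999".

```python
from datetime import datetime, timedelta

# Assumption from the post's examples: one scheduled purge run per day at 3 am.
PURGE_HOUR = 3


def elapsed_days(created, now):
    """ElapsedDays as the post describes it: whole days since the object was created."""
    return (now - created) // timedelta(days=1)


def rule_matches(rule, days):
    """rule is a (operator, value) pair mirroring the ISE purge conditions discussed."""
    op, value = rule
    if op == "LESS_THAN":
        return days < value
    if op == "EQUALS":
        return days == value
    raise ValueError(f"unsupported operator {op!r}")


def first_purge_at_or_after(t):
    """Next scheduled 3 am purge run at or after time t."""
    run = t.replace(hour=PURGE_HOUR, minute=0, second=0, microsecond=0)
    if run < t:
        run += timedelta(days=1)
    return run


def hours_until_purge(created, rule, rule_active_from=None, max_runs=30):
    """Hours from endpoint creation to the purge run that removes it.

    rule_active_from models a purge rule configured after ISE already learned
    the endpoint; runs before that time are ignored.  Returns None when no run
    within max_runs matches, i.e. the endpoint is never purged by this rule.
    """
    start = created if rule_active_from is None else max(created, rule_active_from)
    run = first_purge_at_or_after(start)
    for _ in range(max_runs):
        if rule_matches(rule, elapsed_days(created, run)):
            return (run - created) / timedelta(hours=1)
        run += timedelta(days=1)
    return None


# Constructed dates; only the time of day and the day offsets matter.
def example_1():
    # Learned at 9 am, "Elapsed Days EQUALS 2": removed at 3 am three days later.
    return hours_until_purge(datetime(2024, 1, 1, 9, 0), ("EQUALS", 2))


def example_2():
    # Learned at 2:30 am, just before a purge run: removed after 48.5 hours.
    return hours_until_purge(datetime(2024, 1, 1, 2, 30), ("EQUALS", 2))


def late_rule_less_than_1():
    # Endpoint learned three days before a "less than 1" rule is configured.
    return hours_until_purge(datetime(2024, 1, 1, 9, 0), ("LESS_THAN", 1),
                             rule_active_from=datetime(2024, 1, 4, 9, 0))


def late_rule_less_than_9999():
    # Same endpoint, "less than 9999": caught by the next run after the rule exists.
    return hours_until_purge(datetime(2024, 1, 1, 9, 0), ("LESS_THAN", 9999),
                             rule_active_from=datetime(2024, 1, 4, 9, 0))


if __name__ == "__main__":
    print("Example 1 (EQUALS 2, learned 9 am):   ", example_1(), "hours")
    print("Example 2 (EQUALS 2, learned 2:30 am):", example_2(), "hours")
    print("Late rule, less than 1:               ", late_rule_less_than_1())
    print("Late rule, less than 9999:            ", late_rule_less_than_9999(), "hours")
```

Because the purge only runs once a day, "EQUALS 2" removes an endpoint anywhere between 48 and 72 hours after it was learned, depending on how far the learning time falls from the 3 am run; that spread is the timing inaccuracy the next section addresses.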

How to make it more accurate

Another way to force users to accept the AUP again is the LastAUPAcceptanceHours attribute in the authorization (AuthZ) rule:

In this case we would still prefer to purge the guest MAC addresses as well, but this approach is more accurate in terms of timing. Are there any cons?
