Security

Does anyone know of a way to disconnect clients that don't authenticate after a certain period of time?  We have a Captive Portal SSID which has a large number of clients that connect but never logon.  They just sit in the "guest-logon" role.

I'd like to find a way to force them to authenticate or disconnect (maybe even blacklist) them.

Any ideas would be appreciated.

Idle users will time out after "user idle timeout" value. By default it is set to 300 seconds (5 minutes). Even the logon user lifetime (time for which it can stay in initial role without authenticating) is set to 5 minutes by default. 

Check the value on your controller using the following command 

# show aaa timers 

User idle timeout = 300 seconds

Logon user lifetime = 5 minutes

Aren't the clients just going to reconnect?

You might want to consider my PSK SSID recommendation. Making the SSID name something like: password_is_guest

On the master controller, select configuration, and under security select authentication. click on layer 3 tab and select captive portal authentication. Select your guests CP Profile, and on the right hand side, scroll to the bottom and under user idle timeout you can adjust the value there. Keep in mind, users will have to disconnect before this will take effect.