Hello,
I have a client running Guest on CPPM 6.6 and a Cisco WLC (v. 8.0.121.0).
As the subject outlines, expired guest accounts are still able to connect. I created the services using the templates. Default policy is for 4-hour access, access-code based, so a user need only enter their contact information and then hit 'submit' to gain access to the internet. After 4 hours, however, they are not logged out, and if the device disconnects and then reconnects at a later time, they are still granted access.
SSID is configured w/ MAC filtering, upon failure it will redirect to captive portal landing page.
Reject Packet Delay on CPPM is set to 0.
Attached are screenshots of the config.
SSID:
Guest Service:
MAC auth service:
Sample Access Tracker entry:
As you can see, the Captive Portal redirect is being sent from CPPM to the WLC, however the user is still allowed on. In my client's words: "a pop-up appears briefly, but not long enough to actually load the captive portal page", and then he is simply allowed onto the network.
The only thing I potentially think could be missing which I haven't tried is adding a Cisco - Terminate Session to the enforcement on the Guest Access Service as referenced in this post: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/guest-account-expirationguest-account-expiration-with-clearpass/m-p/249351
If anyone has any other suggestions, or can confirm the Terminate Session is indeed what is required, that would be great.
Thanks all.