Because SES-Guest is an open SSID for guest. By default, all network connections are set to obtain IP addresses automatically.
Normally, an guest could finished the logon process in a certain period(5mins or 10mins).and after authentication accepted , the user role will be set from "guest-logon" to "guest".
So only following cases , the user will be disconnected.
1. Authorized devices been connected before but not being used at the moment.
2. Unauthorized devices trying to connect SES-Guest but cannot pass the Web-Authorization.
(We only have specified a C segment(192.168.x.x) to Guest network resulting a hypothetical situation, If enough devices with malicious intent connecting as "guest-logon" will cause DHCP exhaustion.)
And my thinking is refer to the "Age" column to kick users off rather than process the command line"aaa user delete role guest-logon" in a certain period(30mins or 1 hour). <-- Also could showing the administrator an currently active users' list.
So the polling of connect & disconnect is acceptable.