IDM enhancement regarding use policy acceptance

  • 2
  • Idea
  • Updated 4 years ago
  • Under Consideration
I have a number of customers requesting a feature as follows:

Customer uses ID Manager to create PPSK guest users both for "daily" access and longer term (e.g. contractor) access.

In both instances, they would like the user to have to accept an Acceptable Use Policy, but only the first time they use their credentials.

This could be achieved as follows:

User authenticates via RADSEC to IDM using a PPSK. IDM returns a RADIUS attribute indicating whether this is the user's first authentication. If so, the user is directed to a captive portal to accept the AUP. Once accepted, an API call is made into IDM to mark the user as having accepted the AUP. On subsequent connections, the captive portal is bypassed and the user is given direct access.

The reasons for this feature request are:

1. Customer does not want to use the self-registration IDM feature as they do not want users to have to authenticate via a CWP each time they connect (due to the usual issues with session timeouts and problems with some devices and CWP).
2. Customer wants to use WPA2/PPSK to ensure traffic is encrypted in the air.
3. Customer does not want a policy acceptance CWP to be presented every time the user logs on for the same reasons as 1.

An alternative, though less desirable, option would be to have a registration SSID that works like the current IDM self-reg SSID in 6.1r2+, but that allows self-registration for a PPSK. The user then uses this PPSK to connect via a second SSID. Not ideal as two SSIDs required.

Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes

Posted 4 years ago

  • 2
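
A minimal model of the flow proposed in the post above, added here as an illustration; it is not code from the original post and not an existing IDM API. All names (`GuestStore`, the `aup` reply field, `mark_accepted`) are hypothetical, and it assumes the returned flag reflects stored AUP acceptance rather than a count of authentications, so a user who disconnects before accepting is still sent to the portal on the next connection.

```python
from dataclasses import dataclass, field

# Hypothetical names throughout: this models the proposed flow, not a real IDM API.
AUP_PENDING = "aup-pending"    # stand-in value for the proposed RADIUS reply attribute
AUP_ACCEPTED = "aup-accepted"

@dataclass
class GuestStore:
    """Stand-in for the IDM guest database: PPSK -> user record."""
    users: dict = field(default_factory=dict)

    def add_guest(self, username, ppsk):
        self.users[ppsk] = {"name": username, "aup_accepted": False}

    def authenticate(self, ppsk):
        """RADIUS side: reject an unknown PPSK, otherwise accept and report AUP state."""
        user = self.users.get(ppsk)
        if user is None:
            return {"code": "Access-Reject"}
        state = AUP_ACCEPTED if user["aup_accepted"] else AUP_PENDING
        return {"code": "Access-Accept", "user": user["name"], "aup": state}

    def mark_accepted(self, username):
        """API side: called by the captive portal once the user accepts the AUP."""
        for user in self.users.values():
            if user["name"] == username:
                user["aup_accepted"] = True
                return True
        return False  # unknown user: nothing is marked

def access_point_decision(reply):
    """AP side: map the RADIUS reply to what the client is given."""
    if reply["code"] != "Access-Accept":
        return "deny"
    return "redirect-to-aup-portal" if reply["aup"] == AUP_PENDING else "direct-access"

def simulate():
    """Run the sequence of connections with constructed sample credentials."""
    idm = GuestStore()
    idm.add_guest("contractor1", "constructed-ppsk-1")
    outcomes = []
    # 1st connection: redirected, but the user leaves without accepting
    outcomes.append(access_point_decision(idm.authenticate("constructed-ppsk-1")))
    # 2nd connection: still redirected, because state tracks acceptance, not auth count
    outcomes.append(access_point_decision(idm.authenticate("constructed-ppsk-1")))
    idm.mark_accepted("contractor1")  # portal reports acceptance via the API
    outcomes.append(access_point_decision(idm.authenticate("constructed-ppsk-1")))
    outcomes.append(access_point_decision(idm.authenticate("wrong-key")))
    return outcomes
```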

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
This is similar to a proposal that I have heard from the Product Manager responsible for IDM. I will make sure that she sees this, and perhaps she can respond here.

Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
Thanks Mike. It's something I've thrown around before in discussions with Phil Keeley, so maybe it's trickled up the chain before - but I've just had a couple of customers badgering me about it so thought I'd put it up here so the powers that be can see there is a genuine customer demand, not just some whinging partner ;)