One of the most common operational tasks is managing the guest wireless experience. A seamless connection is expected, but what happens when guests are forced to re-authenticate every few days? This leads to user frustration and an increase in helpdesk tickets.
Recently, a community member described this exact scenario: a guest network using Meraki MR access points, a Meraki concentrator, and Cisco Identity Services Engine (ISE) 3.1 for authentication. Users could connect successfully, but after exactly three days, they would lose internet access while still appearing connected to the Wi-Fi. The only fix was to “forget” the network and start the authentication process all over again.
Let’s break down this common problem, explore the likely causes, and walk through a step-by-step guide to configure the guest session duration to meet your organization’s policies.
This type of fixed-duration issue is almost always a configured policy, not a random bug. In an ISE-driven guest environment, the “session” is controlled by several timers and policies working together. The 3-day limit is a strong clue. Here are the most likely culprits, from most to least probable.
1. ISE Endpoint Purge Policy (For “Remember Me” Scenarios)
If your guest portal is a simple splash page with an “Accept” button (without a unique username/password for each guest), ISE is likely using a “remember me” function. It works like this: when a guest accepts the portal, ISE records the device’s MAC address in a guest endpoint identity group (GuestEndpoints). On later connections, ISE recognizes that MAC address and grants access without presenting the portal again.

The problem arises from ISE’s database maintenance. The Endpoint Purge Policy is designed to remove stale or inactive endpoints to keep the database clean. If this policy is configured to purge endpoints from the GuestEndpoints group after 3 days, the device’s MAC address is deleted. The next time the device connects, ISE no longer recognizes it, and the user is forced back to the portal.
2. Guest Account Lifecycle (For Sponsored or Self-Registered Guests)
If your guests receive unique credentials (e.g., from a sponsor or through self-registration), each account has a defined lifecycle. This is controlled by the Guest Type in ISE. It’s highly probable that the default or configured Guest Type has an “Account Duration” set to 3 days. Once the account expires, the credentials are no longer valid, forcing a re-authentication.
3. Authorization Profile Timers
While less likely to be the root cause for this specific symptom (which requires “forgetting” the network), the Authorization Profile contains session control attributes. The most relevant is the Reauthentication Timer. An authorization profile can be configured to force re-authentication after a certain period. However, this usually results in a smoother Central Web Authentication (CWA) redirect rather than a complete loss of internet that requires forgetting the network.
4. MAC Address Randomization: A Complicating Factor, Not the Cause
The user correctly asked about random MAC addresses. This feature, common in modern mobile operating systems, can complicate “remember me” functions. If a device connects with a different MAC address each day, it will be treated as a new device and sent to the portal every time.
However, it is not the cause of a consistent 3-day timeout. The 3-day limit implies the same MAC address was successfully used for three days before its identity or account expired in ISE.
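To separate the two explanations above in practice, here is an added triage script (not from the original discussion, nor Cisco or Meraki code). It reads a constructed, simplified export of guest authentication events (ISO timestamp, client MAC, whether the client was sent to the portal), measures the gap between successive portal visits per MAC, and flags locally administered (randomized) addresses; a steady 3-day gap on a stable MAC points at a configured timer, while many single-visit randomized MACs point at OS randomization. The log format, field names and sample entries are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample, not a real ISE export: ISO timestamp, client MAC, outcome.
# PORTAL = redirected to the guest portal; PASS = admitted as a remembered endpoint.
SAMPLE_LOG = """\
2024-03-01T08:00:00,F0:18:98:AA:BB:CC,PORTAL
2024-03-02T09:10:00,F0:18:98:AA:BB:CC,PASS
2024-03-04T08:05:00,F0:18:98:AA:BB:CC,PORTAL
2024-03-07T08:20:00,F0:18:98:AA:BB:CC,PORTAL
2024-03-01T10:00:00,00:50:56:AA:BB:CC,PORTAL
2024-03-10T10:00:00,00:50:56:AA:BB:CC,PORTAL
2024-03-01T12:00:00,DA:1B:2C:3D:4E:5F,PORTAL
2024-03-02T12:00:00,3E:11:22:33:44:55,PORTAL
"""

def is_locally_administered(mac):
    """Randomized MACs set the locally administered bit (bit 1 of the first octet)."""
    return int(mac.split(":")[0], 16) & 0x02 != 0

def parse_log(text):
    """Group (timestamp, outcome) pairs by normalized MAC address."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        ts, mac, outcome = line.split(",")
        events[mac.upper()].append((datetime.fromisoformat(ts), outcome))
    return events

def portal_intervals_days(entries):
    """Days between successive portal redirects for one MAC, rounded to 0.1 day."""
    hits = sorted(ts for ts, outcome in entries if outcome == "PORTAL")
    return [round((b - a).total_seconds() / 86400, 1) for a, b in zip(hits, hits[1:])]

def triage(text, tolerance_days=0.5):
    """Classify each MAC's portal-visit pattern and note whether the MAC looks randomized."""
    report = {}
    for mac, entries in parse_log(text).items():
        intervals = portal_intervals_days(entries)
        if len(intervals) >= 2 and max(intervals) - min(intervals) <= tolerance_days:
            pattern = "fixed-interval"  # same gap every time: points at a configured timer
        elif intervals:
            pattern = "inconclusive"    # too few portal visits to establish a period
        else:
            pattern = "single-visit"    # seen once, typical of a fresh random MAC each day
        report[mac] = {"pattern": pattern, "randomized": is_locally_administered(mac), "intervals": intervals}
    return report

if __name__ == "__main__":
    for mac, info in triage(SAMPLE_LOG).items():
        print(mac, info["pattern"], "randomized" if info["randomized"] else "hardware", info["intervals"])
```

In the sample, the hardware MAC F0:18:98:AA:BB:CC shows gaps of exactly 3.0 days, which is the timer signature described above, while the two locally administered MACs each appear once.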
Before you begin, follow the advice given in the forum thread: first, decide on your policy. How long should a guest have access? Should there be an idle timeout? Once you have defined your requirements, you can configure ISE accordingly.
If you are using sponsored or self-registered guest portals, this is the first place to look. Review the Guest Types assigned to your portals (e.g., Contractor, Daily Guest) and check the Account Duration of each. If it is set to 3 days, adjust it to the duration your policy allows.

If you are using a simple click-through splash page with a “remember me” function, this is your most likely solution.
Review the Endpoint Purge Policy for the rule that removes endpoints in the guest identity group (GuestEndpoints) after a set number of days. Change the Purge Endpoints older than value to a more suitable duration (e.g., 30 Days). This means ISE will “remember” the guest device’s MAC address for 30 days of inactivity before purging it. Note which condition the rule uses: a rule based on elapsed days since the endpoint was created purges the device after that period even if it connects every day, whereas a rule based on inactive days only purges devices that have stopped connecting.

As a final check, ensure no conflicting timers are set in the Authorization Profile that grants guests network access. Confirm that Reauthentication every is either not configured or is set to a value that aligns with your policy. For most guest workflows, session control is better managed via account lifecycle or endpoint purge, not forced reauthentication.

While not the cause of the 3-day timeout, MAC address randomization is a critical factor for a good guest experience. Meraki has excellent documentation on this topic: Meraki and MAC Address Randomization. The best practice is to inform users that for a seamless, multi-day experience, they should connect to the Guest SSID using their “Device MAC” address if their mobile OS provides that option.
A consistent, timed-out session on a guest network is a clear sign of a configured policy. By systematically investigating the Guest Type, the Endpoint Purge Policy, and the Authorization Profile within Cisco ISE, you can easily identify the 3-day limit and adjust it. By aligning these settings with your organization’s security and usability requirements, you can provide a stable and predictable Wi-Fi experience for your guests.