topic endpoint Session ID does not contain NAS address but only zeros in Network Access Control

endpoint Session ID does not contain NAS address but only zeros

ssschunk1 — Mon, 11 Mar 2019 06:44:50 GMT

I cannot tell if there is any impact, but I have noticed that the session IDs for my endpoints only have 0's at the beginning where the guide says they should be the NAS hex version of its IP address. Am I missing something in my setup that would omit this from being added into the session-id?

Thanks for any guidance that can be provided.

sh auth sess int gi2/27 det
          Interface: GigabitEthernet2/27
          MAC Address: 2c59.e5bb.7908
           IPv6 Address: Unknown
           IPv4 Address: 10.203.169.133
              User-Name: xyxxyxll<--my loginid
                Status: Authorized
                    Domain: DATA
       Oper host mode: multi-auth
     Oper control dir: both
      Session timeout: N/A
    Common Session ID: 000000000000210300449BA4 <-- Leading 0's where NAS address should be???
      Acct Session ID: 0x00004995
               Handle: 0xA3000B9C
       Current Policy: POLICY_Gi2/27

Hard to say without seeing

Joseph Johnson — Sat, 07 May 2016 01:16:12 GMT

Hard to say without seeing your switch config. Do you have aaa session-id common configured?

The short answer is: yes, aaa

ssschunk1 — Sat, 07 May 2016 02:52:22 GMT

The short answer is: yes, aaa session-id common is in the config. below is the complete aaa config

aaa new-model
aaa group server radius ISE-Prod
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group ISE-Prod
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group ISE-Prod
aaa accounting dot1x default start-stop group ISE-Prod
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa server radius dynamic-author
aaa session-id common

When you said, 'Do you have

ssschunk1 — Wed, 25 May 2016 14:56:18 GMT

When you said, 'Do you have aaa session-id common configured?'

Did you mean this command in the config?

Is there a radius attribute that I should add to get the info added into the Session ID?

I have it in the config, so I'm assuming there is a radius attribute missing? I have these already:

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include

I read about this one: but do not see it in ISE docs as needed:

radius-server attribute 44 include-in-access-req <-- cant tell if it does anything ...doesn't change the session ID .