https://community.cisco.com/t5/network-access-control/profiling-data-removed-with-radius-stop-received/m-p/3708145#M493078 <P>In a previous post on using the IP in profiles, I learned from Craig that the IP address is removed from the endpoint when a RADIUS stop is received by ISE.&nbsp; So devices profiled using IPs will revert to some other profile, causing them to get reprofiled again when they reconnect.&nbsp; Given the current no CoA sent on reprofile bug this makes using IP addresses in profiling a problem.</P> <P>&nbsp;</P> <P>I am wondering what other data is removed when a stop is received.</P> Mon, 17 Sep 2018 14:38:13 GMT paul 2018-09-17T14:38:13Z https://community.cisco.com/t5/network-access-control/profiling-data-removed-with-radius-stop-received/m-p/3708145#M493078 <P>In a previous post on using the IP in profiles, I learned from Craig that the IP address is removed from the endpoint when a RADIUS stop is received by ISE.&nbsp; So devices profiled using IPs will revert to some other profile, causing them to get reprofiled again when they reconnect.&nbsp; Given the current no CoA sent on reprofile bug this makes using IP addresses in profiling a problem.</P> <P>&nbsp;</P> <P>I am wondering what other data is removed when a stop is received.</P> Mon, 17 Sep 2018 14:38:13 GMT https://community.cisco.com/t5/network-access-control/profiling-data-removed-with-radius-stop-received/m-p/3708145#M493078 paul 2018-09-17T14:38:13Z https://community.cisco.com/t5/network-access-control/profiling-data-removed-with-radius-stop-received/m-p/3708949#M493084 <P>Paul,</P> <P>&nbsp;</P> <P>Radius start and stop are in general used for licensing purpose.</P> <P>If it is a MAB + profiling session and if ISE receives RADIUS stop, the session is cleared and the license consumed by the endpoint will be released. If the endpoint license is released it cant consume a base/plus license unless it reauthenticates again. For that purpose we have an interim accounting update that you can turn on periodically so that if you dont receive a accounting stop for a long time, ISE will still retain the session. It will not clear the session. You can also configure reauthentication timers with session timeout and termination action attribute that will determine how the session will behave at the end of reauthentication timer.</P> <P>&nbsp;</P> <P>Thanks</P> <P>Krishnan</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 18 Sep 2018 16:44:44 GMT https://community.cisco.com/t5/network-access-control/profiling-data-removed-with-radius-stop-received/m-p/3708949#M493084 kthiruve 2018-09-18T16:44:44Z https://community.cisco.com/t5/network-access-control/profiling-data-removed-with-radius-stop-received/m-p/3708956#M493089 Krishnan,<BR /><BR /><BR /><BR />Understood on the normal role of the RADIUS messages, but the fact that IP address information was removed from the endpoint with the RADIUS stop accounting packet comes in was news to me. I verified this in my lab testing This cause a device to be reprofiled if you are using the IP address as a profiling condition. I was wondering if there are any other attributes cleared when a stop message is received.<BR /><BR /><BR /><BR />I always set reauthentication timers on all my wired rules.<BR /><BR /><BR /><BR />Thanks for the feedback.<BR /><BR /><BR /> Tue, 18 Sep 2018 16:56:44 GMT https://community.cisco.com/t5/network-access-control/profiling-data-removed-with-radius-stop-received/m-p/3708956#M493089 paul 2018-09-18T16:56:44Z