ISE user session question

Hongtao Xu — Tue, 15 Aug 2017 07:45:21 GMT

Hi, ISE expert.

Would like to ask a question about ISE concurrent user session.

customer use GGSN with ISE as radius authentication server , if our user get authenticated , does ISE keep the user sessions until the account stop message come ? or Do we have some approach to shorten the session keeping time ?

thanks

hongtao

Re: ISE user session question

Craig Hyps — Tue, 15 Aug 2017 12:17:25 GMT

Short answer is that RADIUS Accounting will trigger Start and Stop of session. In lieu of RADIUS Accounting, other measures are taken to manage ISE sessions. This topic is covered in BRKSEC-3699 session (see reference presentation on CiscoLive.com). Here is excerpt:

Clearing Stale Sessions

RADIUS Accounting is Primary method to maintain sessions –If RADIUS Accounting not sent (or not received due to network or PSN load drops), ISE will rely on Session Purge operation to clear stale sessions
Automatic Purge: A purge job runs approximately every 5 minutes to clear sessions that meet any of the following criterion:
- Endpoint disconnected (Ex: failed authentication) in the last 15 minutes (grace time allotted in case of authentication retries)
- Endpoint authenticated in last hour but no accounting start or update received
- Endpoint idle—no activity

Note: Session is cleared from MnT but does not generate CoA to prevent negative impact to connected endpoints. In other words, MnT session is no longer visible but it is possible for endpoint to still have network access, but no longer consumes license.

Manual Purge via REST API: HTTP DELETE API can manually delete inactive sessions.

/Craig

topic Re: ISE user session question in Network Access Control

ISE user session question

Re: ISE user session question