
AAA accounting update periodic

I'd like to create periodic updates from my 2960x 15.2(2)E7 device to my Cisco ISE server. I am wondering if the global-level command needs to work in conjunction with some interface-level commands and, if so, which ones. My desired end goal is to be able to send periodic accounting packets to the server without interface-level configuration needing to be applied.

 

aaa accounting update periodic 5

interface g1/0/1
 switchport mode access
 switchport access vlan X
end

 

Will the device ever send an interim packet to the server if all other configuration regarding that process is configured correctly? I have a need to put images on brand new computers over the network without authenticating the MACs of those devices first. I have to strip dot1x off of these "imaging ports" to make this possible, but I'd still like the server to get some information about these devices so that said information is available when/if I decide to tell the server that the device in question may access the network through a dot1x-enabled port.

 

Bonus: This would give my server the ability to see information about devices connected to non-dot1x ports on my network that I might not know about, and thus would help me to secure the network by addressing those ports on a case-by-case basis.

 

Am I dreaming or is this possible?

 

Thanks

Scott.

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

Re: AAA accounting update periodic

Don't use aaa accounting update periodic 5, as this means 5-minute updates; it's a bad design to have the interval that short. You could get away with it in small environments, but it causes scaling issues.

ISE can handle an update interval as high as 5 days, so we typically use 24 or 48 hour intervals to keep the session active on ISE. If load balancers are involved, you need to keep the update interval below the persistence timeout.

As for if this works without dot1x, someone else can comment on that as I don't know.
5 REPLIES
Rising star

Re: AAA accounting update periodic

You don't need an interface-level command. The global one is fine.

Explorer

Re: AAA accounting update periodic

Hi @Damien Miller,

Is there any document about this matter which states that ISE accounting behavior stores in 5 days? I think 5 days is so long; can we change it to, like, a day? Thanks

Beginner

Re: AAA accounting update periodic

Hi Damien Miller,

Do we have any document reference saying that ISE keeps sessions for 5 days?

VIP Advocate

Re: AAA accounting update periodic

Yes, this is documented, and the timers cannot be changed within ISE.

Session Removal from the Directory
Sessions are cleaned from the session directory on the Monitoring and Troubleshooting node as follows:
Terminated sessions are cleaned 15 minutes after termination.
If there is authentication but no accounting, then such sessions are cleared after one hour.
All inactive sessions are cleared after five days.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011001.html#ID562
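Added example, not part of the original thread and not Cisco code: a small Python model of the three session-cleanup rules quoted above, plus a check of an `aaa accounting update periodic` line against the 5-day purge and a load-balancer persistence timeout. The function names, the event labels and the reading of "inactive" as time since the last received event are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Purge timers as quoted from the ISE 2.4 admin guide in the reply above.
TERMINATED = timedelta(minutes=15)   # after an accounting stop
AUTH_NO_ACCT = timedelta(hours=1)    # authenticated, accounting never seen
INACTIVE = timedelta(days=5)         # no further activity on the session

def purge_time(events):
    """events: [(datetime, kind)] with kind in auth/start/interim/stop (labels assumed).
    Returns when the session would be cleaned from the session directory.
    Assumption: 'inactive' is measured from the last event received."""
    if not events:
        raise ValueError("no events for session")
    events = sorted(events)
    stops = [t for t, kind in events if kind == "stop"]
    if stops:                                    # rule 1: terminated session
        return stops[0] + TERMINATED
    if all(kind == "auth" for _, kind in events):
        return events[-1][0] + AUTH_NO_ACCT      # rule 2: auth, no accounting
    return events[-1][0] + INACTIVE              # rule 3: inactive session

def check_interval(config_line, lb_persistence_min=None):
    """Check an 'aaa accounting update periodic <minutes>' line against the two
    limits given in the thread. The scaling concern about very short intervals
    has no numeric threshold on the page, so it is not modelled here."""
    m = re.search(r"aaa accounting update\s+periodic\s+(\d+)", config_line)
    if not m:
        raise ValueError("not an 'aaa accounting update periodic' line")
    interval = timedelta(minutes=int(m.group(1)))
    findings = []
    if interval > INACTIVE:
        findings.append("interval exceeds the 5-day inactive purge")
    if lb_persistence_min is not None and interval >= timedelta(minutes=lb_persistence_min):
        findings.append("interval is not below the load-balancer persistence timeout")
    return findings

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0)              # constructed timeline
    session = [(t0, "auth"), (t0 + timedelta(minutes=1), "start"),
               (t0 + timedelta(hours=24), "interim")]
    print("purged at:", purge_time(session))
    print(check_interval("aaa accounting update periodic 1440", lb_persistence_min=60))
```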