
Cisco ISE Radius Accounting logs for network switches

Bhaskar Dussa
Level 1

I have a setup of Cisco network switches/routers and Cisco ISE in the network. Cisco ISE is used only for wireless user authentication.

Now my new requirement is to do only RADIUS accounting logs on Cisco ISE. Authentication & authorization should be done via local credentials.

4 Replies

Arne Bier
VIP

Hi

If I were you, I'd check whether you are even able to configure any Cisco NAS (WLC or otherwise) to only send RADIUS Accounting? I don't think so. And what is the NAS supposed to send when you don't have a RADIUS session created? RADIUS sessions are created only after a successful RADIUS authentication has occurred.

If there is no concept of authentication (using RADIUS or TACACS AAA), then how do you define the start and end of a session?

"Misconfigured" WLCs will send RADIUS accounting to ISE even if there are no RADIUS servers defined on the WLAN. If you enable RADIUS on the WLAN without setting up RADIUS servers, they send accounting to the servers defined in the global config. A customer of mine ended up with 4.7 million endpoints (mostly guest) in the context visibility database that way.

Otherwise I agree, don't think it would accomplish the requirement.

Nidhi
Cisco Employee

Can you elaborate on what the intent is behind using only accounting?

Thanks,

Nidhi

Hi Nidhi,

We already have PIM to log in to any network switch/router, which uses device local credentials to log in. So I don't want to change the existing setup.