Beginner

Interim update on guest SSID

Hi guys,

We followed the following doc for guest access with ISE and WLC.

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475?attachment-id=164022

At "Configure a Guest WLAN (SSID)" it is not shown if the "Interim Update" should be enabled.

I guess it is needed for CoA (after 5 days), right?

Thank you

Accepted Solutions
VIP Advocate

Re: Interim update on guest SSID

Not sure what you mean by "needed for CoA after 5 days".

If your NAS has the ability to send RADIUS Accounting Interim-Updates then you should do so. How frequently? Well, that depends on how many sessions the NASs are maintaining. E.g. on a Cisco WLC you can set Interim-Update to 0sec (in 8.x and later) and it will only send Interims when something changes (e.g. RADIUS profiling or DHCP IP address change). Failing that, a 24 hour update period seems reasonable. It all has to do with granularity of licensing utilisation and visibility of sessions in general. ISE won't fail if your NAS doesn't send Accounting updates (whether start/stop/interim) but it will skew your license usage because ISE has no way to update the counts. And without Accounting in general you won't have any visibility into session usage on ISE.

Perhaps the 5 days you were referring to was the time that ISE will maintain a license usage count - if after 5 days it has not received an accounting record then it will release the license back to the pool.
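
A simplified model of the accounting-driven session view described in the answer above, added here as an illustration; it is not code from the thread or from Cisco, and it does not reproduce ISE's internal logic. The records, session IDs and the `active_sessions` function are constructed for the example; only the 5-day window comes from the thread.

```python
from datetime import datetime, timedelta

# Retention window mentioned in the thread: a session with no accounting
# record for longer than this is no longer maintained.
STALE_AFTER = timedelta(days=5)

# Constructed sample records: (timestamp, Acct-Session-Id, Acct-Status-Type).
# s1: NAS sends daily interims; s2: Start only, never updated; s3: clean Stop.
RECORDS = [
    ("2024-01-01T08:00", "s1", "Start"),
    ("2024-01-01T08:05", "s2", "Start"),
    ("2024-01-01T08:10", "s3", "Start"),
    ("2024-01-02T08:00", "s1", "Interim-Update"),
    ("2024-01-03T08:00", "s1", "Interim-Update"),
    ("2024-01-03T09:00", "s3", "Stop"),
    ("2024-01-04T08:00", "s1", "Interim-Update"),
    ("2024-01-05T08:00", "s1", "Interim-Update"),
    ("2024-01-06T08:00", "s1", "Interim-Update"),
]


def active_sessions(records, now):
    """Return the session IDs an accounting-driven tracker still holds at `now`."""
    last_seen = {}
    for ts, sid, status in sorted(records):
        when = datetime.fromisoformat(ts)
        if when > now:
            break  # records are time-ordered; ignore anything in the future
        if status == "Stop":
            last_seen.pop(sid, None)      # explicit end of session
        elif status in ("Start", "Interim-Update"):
            last_seen[sid] = when         # any accounting record refreshes it
    # Sessions silent for longer than the window are dropped from the view,
    # whether or not the client is still associated on the NAS.
    return {sid for sid, when in last_seen.items() if now - when <= STALE_AFTER}


if __name__ == "__main__":
    for day in ("2024-01-03T12:00", "2024-01-07T00:00"):
        print(day, sorted(active_sessions(RECORDS, datetime.fromisoformat(day))))
```

In this model `s2` stays counted for five days on the strength of its Start record alone and then disappears, which is the kind of skew between the NAS's client list and the accounting-based view that the answer describes.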

Beginner

Re: Interim update on guest SSID

I found the information about the 5 days here:

https://community.cisco.com/t5/security-documents/top-six-important-cisco-wlc-settings-for-ise-integration/ta-p/3643795

Section:

Interim RADIUS Accounting Settings under WLANs

Phrase: "If ISE fails to receive interim accounting message for an endpoint session beyond 5 days, ISE will stop maintaining the session."

Makes sense that the license will be freed then.

One last question for my understanding - on our ISE dashboard there is a default widget at metrics showing the "authenticated guests", which is at 105 at the moment, but the WLC shows 603 clients. I could imagine that it should show the same amount. Am I wrong, or is ISE maybe missing some information? Maybe because interim is not enabled for that SSID, or due to other misconfiguration?

Thanks!

VIP Engager

Re: Interim update on guest SSID

You should have a session timeout configured on your SSIDs. That will maintain your live session logs. I think the reason your # of guests on the home screen is different than the WLC is just a function of how ISE is looking at the guests. When your guests sign onto the portal and connect, they show up as an authenticated guest, but after that you should be using the identity group mapped to guest type. So the second time they authenticate, the authentication is strictly MAB and not an authenticated guest.