ISE 2.4p2 Session statuses stuck in "Started" state with IBNS2.0

tommy182
Level 1

Hello Friends!

 

We are faced with strange behaviour in ISE 2.4 patch 2.

In the live session table we have session status Start for every session.

 

But the sessions complete the authen\author process and stay in Authorized state on the switch, but in Start state on ISE.

It looks like we have some accounting problem, but under Reports>Endpoint&User>Radius Accounting we see all necessary accounting messages Start\Interim-Update\Stop.

 

Maybe it's because we use IBNS2.0 instead of the legacy configuration.

Is it normal for IBNS2.0 with simultaneous MAB and Dot1X under the policy?

 

Here is my policy-map config:

policy-map type control subscriber IDENTITY-PM
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   5 clear-authenticated-data-hosts-on-port
   10 activate service-template CRITICAL_AUTH_VLAN
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   25 activate service-template CRITICAL-ACCESS
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
  40 class MAB_FAILED do-until-failure
   10 terminate mab
   20 authentication-restart 60
  50 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  60 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template INACTIVITY-TIMER
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 unauthorize
 event violation match-all
  10 class always do-until-failure
   10 restrict

 

 

Thanks in advance

Tom

1 Accepted Solution

Nothing wrong with "Started" at all. This means ISE received a RADIUS accounting start for the session.

4 Replies

paul
Level 10

Well, if it helps, at least you see something in your Live Sessions. I have an escalated TAC case to figure out why I don't see anything. Mine started in patch 1, but patch 2 didn't fix anything in this regard.

Hi Paul!

 

Actually, in Live Logs all looks fine, authorization profile applied.

But in Live Session all sessions are still marked as Started..

 

Looks weird)

 

Thanks,

Artem

Nothing wrong with "Started" at all. This means ISE received a RADIUS accounting start for the session.

Thanks, it really makes sense)