
AAA accounting update periodic

scott.hull91821
Level 1

I'd like to create periodic updates from my 2960x 15.2(2)E7 device to my Cisco ISE server. I am wondering if the global-level command needs to work in conjunction with some interface-level commands and, if so, which. My desired end goal is to be able to send periodic accounting packets to the server without interface-level configuration needing to be applied.

aaa accounting update periodic 5

interface g1/0/1
 switchport mode access
 switchport access vlan X
end

Will the device ever send an interim packet to the server if all other configuration regarding that process is configured correctly? I have a need to put images on brand new computers over the network without authenticating the MACs of those devices first. I have to strip dot1x off of these "imaging ports" to make this possible, but I'd still like the server to get some information about these devices so that said information is available when/if I decide to tell the server that the device in question may access the network through a dot1x-enabled port.

 

Bonus: This ability would give my server the ability to see information about devices connected to non-dot1x ports on my network that I might not know about, and thus would help me to secure the network by addressing those ports on a case-by-case basis.

 

Am I dreaming or is this possible?

 

Thanks

Scott.

Accepted Solution

Damien Miller
VIP Alumni
Don't use aaa accounting update periodic 5, as this means 5-minute updates; it's a bad design to have the interval that short. You could get away with it in small environments, but it causes scaling issues.

ISE can handle an update interval as high as 5 days, so we typically use 24 or 48 hour intervals to keep the session active on ISE. If load balancers are involved, you need to keep the update interval below the persistence timeout.

As for if this works without dot1x, someone else can comment on that as I don't know.


5 Replies

Nadav
Level 7

You don't need an interface-level command. The global one is fine.


Hi @Damien Miller,

Is there any document about this matter which states that ISE accounting behavior is stored for 5 days? I think 5 days is too long; can we change it to something like a day? Thanks

Hi Damien Miller,

Do we have any document reference saying that ISE keeps sessions for 5 days?

Yes, this is documented, and the timers cannot be changed within ISE.

Session Removal from the Directory
Sessions are cleaned from the session directory on the Monitoring and Troubleshooting node as follows:
Terminated sessions are cleaned 15 minutes after termination.
If there is authentication but no accounting, then such sessions are cleared after one hour.
All inactive sessions are cleared after five days.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011001.html#ID562
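As an added check, not taken from the thread or from Cisco, here is a small Python script that pulls the aaa accounting update line out of a saved running-config and tests the interval against the points raised in the accepted answer and in the ISE session-removal timers quoted above: the 24-hour guidance, the load-balancer persistence timeout (a constructed value passed in by the caller), and ISE's five-day inactive-session cleanup. The sample configs are constructed for the example.

```python
import re

# Thresholds in minutes. The five-day cleanup is from the ISE admin guide quoted
# in the thread; the 24-hour interval is the accepted answer's recommendation.
ISE_INACTIVE_CLEANUP_MIN = 5 * 24 * 60   # ISE clears inactive sessions after 5 days
RECOMMENDED_MIN_INTERVAL = 24 * 60       # 24 h, the shortest interval the answer suggests

# Matches the IOS forms: "update newinfo", "update periodic N", "update newinfo periodic N"
ACCT_UPDATE_RE = re.compile(
    r"^\s*aaa accounting update(?: newinfo)?(?: periodic (\d+))?\s*$", re.M)


def check_accounting_update(config_text, lb_persistence_min=None):
    """Return a list of findings (empty list = no issues) for the interim-update setting.

    lb_persistence_min: persistence timeout of a RADIUS load balancer, if one is in
    the path (the accepted answer says the update interval must stay below it).
    """
    m = ACCT_UPDATE_RE.search(config_text)
    if m is None:
        return ["no 'aaa accounting update' line: no interim updates are sent, so an "
                "idle session on ISE is never refreshed and is purged after 5 days"]
    if m.group(1) is None:
        return ["'aaa accounting update newinfo' without 'periodic': updates are sent "
                "only on new information, not on a timer, so idle sessions still age out"]
    interval = int(m.group(1))
    findings = []
    if interval < RECOMMENDED_MIN_INTERVAL:
        findings.append(f"interval {interval} min is below the 24 h recommendation; "
                        "short intervals cause ISE scaling problems")
    if interval >= ISE_INACTIVE_CLEANUP_MIN:
        findings.append(f"interval {interval} min is not below ISE's 5-day inactive-session "
                        f"cleanup ({ISE_INACTIVE_CLEANUP_MIN} min); sessions can be purged first")
    if lb_persistence_min is not None and interval >= lb_persistence_min:
        findings.append(f"interval {interval} min is not below the load balancer persistence "
                        f"timeout ({lb_persistence_min} min)")
    return findings


# Constructed sample configs: the thread's 5-minute setting and a 24-hour one.
SHORT_CFG = "aaa new-model\naaa accounting update periodic 5\n"
GOOD_CFG = "aaa new-model\naaa accounting update newinfo periodic 1440\n"

if __name__ == "__main__":
    for name, cfg in (("short", SHORT_CFG), ("good", GOOD_CFG)):
        print(name, check_accounting_update(cfg, lb_persistence_min=2880) or "OK")
```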