09-07-2017 01:24 AM - edited 02-21-2020 10:33 AM
What exactly are we enabling when running the command (as an example):
aaa accounting update periodic 3
Online it is stated:
"When used with the keyword periodic , interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent."
If we think in terms of TACACS for device access/administration, does this imply that accounting records are stored locally on the device and then sent to the accounting server every 5 minutes?
Also, for the argument newinfo: does this imply that as soon as a record is created, it is sent immediately to my accounting server?
09-07-2017 04:56 AM - edited 09-07-2017 04:58 AM
I don't know if this will help you, but related to Cisco ISE:
Interim RADIUS accounting messages are sent to ISE to notify that the sessions are still intact.
When ISE fails to receive a RADIUS accounting message for a prolonged period for a given endpoint, ISE removes that session from its session table. ISE does not remove the endpoint from the switch, which creates a disconnect between the switch and ISE in terms of which sessions are active. This disconnect can also have an impact when the endpoint access needs to be re-evaluated for any reason.
By default, ISE flushes out any sessions without interim RADIUS accounting messages for 5 days for any authenticated sessions. By sending the periodic RADIUS accounting message to the ISE node in less than 5 days, the switch ensures that the sessions are maintained on ISE.
For example, if you set the periodic update to 2880 (aaa accounting update newinfo periodic 2880), then every 2 days a new interim accounting update is sent to ISE, providing two updates within 5 days in case one of the RADIUS Accounting packets fails to reach the ISE node.
Now, regarding the question of whether the switch locally stores accounting info: I think yes, because in the case of 802.1X and MAB there are live sessions maintained in the switch which keep track of the accounting session ID plus the probes that the switch collected regarding the endpoints through LLDP, DHCP, CDP or Device Sensor (I might be wrong; it is just an opinion).
Here is a sample debug of a RADIUS Interim Accounting update:
===============================================================================================================================
This is Radius Interim Accounting packet (Watchdog Packet) for session ID 0AF0021300002C3EDF42F9EC for port GigabitEthernet1/0/23
==================================================================================================================================
Jul 14 01:00:19: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Jul 14 01:00:19: RADIUS(00000000): Config NAS IP: 10.10.2.50
Jul 14 01:00:19: RADIUS(00000000): Config NAS IPv6: ::
Jul 14 01:00:19: RADIUS(00000000): sending
Jul 14 01:00:19: RADIUS(00000000): Send Accounting-Request to 11.11.11.1:1813 onvrf(0) id 1646/147, len 726
Jul 14 01:00:19: RADIUS: authenticator BD AA DF A3 79 8F A4 39 - EB DB 2A 3E E2 AB 6A 01
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 21
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 15 "lldp-tlv= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 26
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 20 "lldp-tlv= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 44
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 38 "lldp-tlv= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 25
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 19 "lldp-tlv= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 30
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 24 "lldp-tlv= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 23
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 17 "lldp-tlv= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 28
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 22 "lldp-tlv= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 27
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 21 "lldp-tlv= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 24
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 18 "dhcp-option= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 24
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 18 "dhcp-option= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 37
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 31 "dhcp-option= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 26
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 20 "dhcp-option= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 35
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 29 "dhcp-option= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 33
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 27 "dhcp-option= "
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 25
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 19 "dhcp-option= "
Jul 14 01:00:19: RADIUS: Framed-IP-Address [8] 6 10.24.88.31
Jul 14 01:00:19: RADIUS: User-Name [1] 19 "24-D9-21-3A-C9-80"
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 49
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0AF0021300002C3EDF42F9EC"
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 18
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 12 "method=mab"
Jul 14 01:00:19: RADIUS: Called-Station-Id [30] 19 "18-E7-28-41-EB-17"
Jul 14 01:00:19: RADIUS: Calling-Station-Id [31] 19 "24-D9-21-3A-C9-80"
Jul 14 01:00:19: RADIUS: NAS-IP-Address [4] 6 10.10.2.50
Jul 14 01:00:19: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/23"
Jul 14 01:00:19: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Jul 14 01:00:19: RADIUS: NAS-Port [5] 6 50123
Jul 14 01:00:19: RADIUS: Acct-Session-Id [44] 10 "0000B8BD"
Jul 14 01:00:19: RADIUS: Class [25] 55
Jul 14 01:00:19: RADIUS: 43 41 43 53 3A 30 41 46 30 30 32 31 33 30 30 30 [CACS:0AF00213000]
Jul 14 01:00:19: RADIUS: 30 32 43 33 45 44 46 34 32 46 39 45 43 3A 6E 61 [02C3EDF42F9EC:na]
Jul 14 01:00:19: RADIUS: 63 30 31 2F 32 38 39 30 33 39 38 30 38 2F 39 30 [c01/289039808/90]
Jul 14 01:00:19: RADIUS: 36 32 32 37 38 [ 62278]
Jul 14 01:00:19: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
Jul 14 01:00:19: RADIUS: Event-Timestamp [55] 6 1499979619
Jul 14 01:00:19: RADIUS: Acct-Input-Octets [42] 6 27811067
Jul 14 01:00:19: RADIUS: Acct-Output-Octets [43] 6 28218116
Jul 14 01:00:19: RADIUS: Acct-Input-Packets [47] 6 125744
Jul 14 01:00:19: RADIUS: Acct-Output-Packets [48] 6 125555
Jul 14 01:00:19: RADIUS: Acct-Delay-Time [41] 6 0
Jul 14 01:00:19: RADIUS(00000000): Sending a IPv4 Radius Packet
Jul 14 01:00:19: RADIUS(00000000): Started 10 sec timeout
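As an added example (not part of the reply above and not Cisco code), here is a small Python parser for the kind of `debug radius` output quoted above. It pulls the attributes of the Interim (Watchdog) Accounting-Request into a dict, decodes the multi-line hex dump of the Class attribute and checks that the audit-session-id it carries matches the Cisco AVpair, converts Event-Timestamp to UTC, and applies the rule from the reply (at least two interim updates inside ISE's 5-day purge window) to a candidate `periodic` value. The sample input is a constructed subset of the attribute lines from the debug above, with the same values; the 5-day default and the two-updates rule are taken from the reply, not verified against ISE documentation.

```python
"""Parse a Cisco IOS 'debug radius' Interim (Watchdog) Accounting-Request and
sanity-check the configured interim interval against the ISE purge window."""
import re
from datetime import datetime, timezone

# Constructed sample: a subset of the attribute lines quoted in the post above
# (same values), enough to exercise every branch of the parser.
SAMPLE_DEBUG = """\
Jul 14 01:00:19: RADIUS(00000000): Send Accounting-Request to 11.11.11.1:1813 onvrf(0) id 1646/147, len 726
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 21
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 15 "lldp-tlv= "
Jul 14 01:00:19: RADIUS: Framed-IP-Address [8] 6 10.24.88.31
Jul 14 01:00:19: RADIUS: User-Name [1] 19 "24-D9-21-3A-C9-80"
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 49
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0AF0021300002C3EDF42F9EC"
Jul 14 01:00:19: RADIUS: Vendor, Cisco [26] 18
Jul 14 01:00:19: RADIUS: Cisco AVpair [1] 12 "method=mab"
Jul 14 01:00:19: RADIUS: Calling-Station-Id [31] 19 "24-D9-21-3A-C9-80"
Jul 14 01:00:19: RADIUS: NAS-IP-Address [4] 6 10.10.2.50
Jul 14 01:00:19: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/23"
Jul 14 01:00:19: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Jul 14 01:00:19: RADIUS: Acct-Session-Id [44] 10 "0000B8BD"
Jul 14 01:00:19: RADIUS: Class [25] 55
Jul 14 01:00:19: RADIUS: 43 41 43 53 3A 30 41 46 30 30 32 31 33 30 30 30 [CACS:0AF00213000]
Jul 14 01:00:19: RADIUS: 30 32 43 33 45 44 46 34 32 46 39 45 43 3A 6E 61 [02C3EDF42F9EC:na]
Jul 14 01:00:19: RADIUS: 63 30 31 2F 32 38 39 30 33 39 38 30 38 2F 39 30 [c01/289039808/90]
Jul 14 01:00:19: RADIUS: 36 32 32 37 38 [ 62278]
Jul 14 01:00:19: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
Jul 14 01:00:19: RADIUS: Event-Timestamp [55] 6 1499979619
Jul 14 01:00:19: RADIUS: Acct-Input-Octets [42] 6 27811067
Jul 14 01:00:19: RADIUS: Acct-Output-Octets [43] 6 28218116
Jul 14 01:00:19: RADIUS: Acct-Delay-Time [41] 6 0
"""

# "RADIUS: <name> [<type>] <len> <value>"; the name may contain spaces/commas.
ATTR_RE = re.compile(r"RADIUS: (?P<name>[^\[]+?) \[(?P<type>\d+)\] (?P<len>\d+)(?: (?P<value>.*))?$")
# Hex continuation line of a binary attribute: "RADIUS: 43 41 ... [ASCII]"
HEX_RE = re.compile(r"RADIUS: (?P<hex>(?:[0-9A-F]{2} )+)\[")
# Enumerated values are printed as "Label [code]"
ENUM_RE = re.compile(r"^(?P<label>\S+) \[(?P<code>\d+)\]$")


def parse_accounting_debug(text):
    """Return top-level attributes as a dict plus an 'avpairs' dict of Cisco VSAs.

    Hex dump lines are decoded to bytes and appended to the attribute that
    preceded them (the Class attribute in the sample).
    """
    attrs, avpairs = {}, {}
    last = None  # attribute that a following hex dump belongs to
    for line in text.splitlines():
        m = HEX_RE.search(line)
        if m and last is not None:
            attrs[last] = attrs.get(last, b"") + bytes.fromhex(m.group("hex"))
            continue
        m = ATTR_RE.search(line)
        if not m:
            continue  # not an attribute line (e.g. "Send Accounting-Request ...")
        name, value = m.group("name"), m.group("value")
        if name == "Vendor, Cisco":  # VSA wrapper; the AVpair line carries the payload
            last = None
            continue
        quoted = value is not None and len(value) >= 2 and value[0] == value[-1] == '"'
        if quoted:
            value = value[1:-1]
        if name == "Cisco AVpair":
            key, _, val = value.partition("=")
            avpairs[key] = val.strip()
            last = None
            continue
        em = ENUM_RE.match(value or "")
        if em:
            value = (em.group("label"), int(em.group("code")))
        elif value is not None and not quoted and value.isdigit():
            value = int(value)
        attrs[name] = b"" if value is None else value
        last = name if value is None else None  # value on following hex lines
    attrs["avpairs"] = avpairs
    return attrs


def session_id_from_class(class_bytes):
    """The ISE Class attribute is 'CACS:<audit-session-id>:<psn>/<...>'; return the id."""
    text = class_bytes.decode("ascii", errors="replace")
    return text.split(":")[1] if text.startswith("CACS:") else None


def event_time_utc(attrs):
    """Event-Timestamp (RFC 2869) is seconds since the epoch; return it as UTC."""
    return datetime.fromtimestamp(attrs["Event-Timestamp"], tz=timezone.utc)


def interim_interval_ok(periodic_minutes, purge_days=5, min_updates=2):
    """True if 'aaa accounting update periodic <minutes>' yields at least
    min_updates Watchdog records inside ISE's purge window (5 days per the
    reply above), so a single lost packet does not get the session purged."""
    return periodic_minutes * min_updates <= purge_days * 24 * 60


if __name__ == "__main__":
    pkt = parse_accounting_debug(SAMPLE_DEBUG)
    print(pkt["Acct-Status-Type"], pkt["avpairs"]["audit-session-id"], event_time_utc(pkt))
    print("Class id matches AVpair:", session_id_from_class(pkt["Class"]) == pkt["avpairs"]["audit-session-id"])
    for minutes in (1440, 2880, 3600, 4320):
        print(f"periodic {minutes}: {'ok' if interim_interval_ok(minutes) else 'too long'}")
```

Feeding a longer capture through `parse_accounting_debug` one packet at a time and keying on the audit-session-id gives a quick way to confirm that Watchdog records really arrive at the configured interval before tuning ISE or a load balancer.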
08-19-2019 06:10 AM
Thank you for your useful reply.
May I conclude that the
aaa accounting update newinfo periodic 1440
command will send an accounting interim-update once a day and an accounting update each time newinfo is triggered, in spite of the configured timer?
Actually, I need to manage regular users and computers that are re-authenticated once every 10 hours and other devices that are never re-authenticated (session timeout = 0).
Regards
MM
08-22-2019 05:32 AM
From a switch:
SW1(config)#aaa account update ?
newinfo Only send accounting update records when we have new acct info.
Is there something I am missing? It would appear that using the newinfo keyword specifically does NOT send accounting records unless there is an update. This is particularly relevant for ISE.
08-22-2019 06:08 AM
You are right but
newinfo + periodic
on the same line will send both periodic updates and triggered ones.
Regards
MM
03-02-2023 01:51 PM
Hi Damien,
Based on your experience what would be the recommended value for a CWA Wireless Guest SSID network? I am using Meraki and ISE as Radius and looking for the best customized value. thanks
04-11-2023 07:37 AM
Hi Damien,
When we deployed F5 and ISE PSN's, we used the documentation provided by Cisco where the values were:
Source address – 180s
https_sticky – 3600s
radius_sticky – 3600s
Meraki Wireless default settings are configured as 10 minutes for interim accounting updates, and I think it is too aggressive because our ISE deployment is getting hit by thousands of records every 10 minutes. In fact, the Cisco ISE BU suggested completely removing those updates and just relying on session timeout. I am wondering if I should adjust those F5 persistence values to something higher and then adjust the accounting interim updates accordingly, as you suggested.