
AAA commands-aaa accounting update periodic or newinfo

Nikhil Jadhav
Level 1

Hello ISE guys,

 

While I was configuring global commands on the switch, I came across the following.

 

Why does Cisco recommend "aaa accounting update newinfo periodic 2880", and why is the "aaa accounting update periodic 2880" command not recommended? If 'newinfo' is just going to send new accounting updates, which are much less likely to be sent if the endpoint is always connected, then even if the switch has the 'newinfo' command, ISE is more likely to remove the session for a connected endpoint.

 


 

Please respond as soon as possible.

3 Replies

Damien Miller
VIP Alumni
The recommendation is to use "aaa accounting update newinfo periodic 2880" because this actually performs both roles. The "newinfo" means that the switch will send an accounting update on any observed change; this is both good and bad. The "periodic 2880" results in the switch sending an interim accounting update regardless of whether the switch observes a change for the active session or not. The combination of these two operations results in the desired effect: ISE will maintain the active session because it is still receiving an interim update every 2 days (2880 minutes). ISE will maintain an active session for 5 days if it receives no interim or stop.

The 2880 value is not a hard requirement; depending on the requirements of the deployment this can change, and over the years the recommendation has shifted to 2880 being the general consensus. Regardless, low timers are not usually recommended, nor would anything beyond 5 days.

Taken from a Cisco guide on this:
"When the aaa accounting update command is activated, the Cisco IOS XE software issues interim accounting records for all users on the system. If the newinfo keyword is used, interim accounting records are sent to the accounting server every time there is new accounting information to report. An example of this would be when Internet Protocol Control Protocol (IPCP) completes IP address negotiation with the remote peer. The interim accounting record includes the negotiated IP address used by the remote peer.

When the aaa accounting update command is used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the interim accounting record is sent."

Thank you for responding, Damien,

 

My understanding of the "aaa accounting update newinfo periodic 2880" command is that 'newinfo' enables the switch to send accounting updates if any changes have been observed, and 'periodic 2880' is used to set the duration (2 days) after which the updates would be sent.

 

Now consider a scenario where the endpoints connected to a switch may not have any changes in CDP, LLDP or DHCP attributes, which does not trigger the switch to send any new updates to ISE, due to which the session in ISE would be removed after 5 days.

So, why would Cisco recommend the "aaa accounting update newinfo periodic 2880" command rather than "aaa accounting update periodic 2880"?


@Nikhil Jadhav wrote:

Now consider a scenario where the endpoints connected to a switch may not have any changes in CDP, LLDP or DHCP attributes, which does not trigger the switch to send any new updates to ISE, due to which the session in ISE would be removed after 5 days.

So, why would Cisco recommend the "aaa accounting update newinfo periodic 2880" command rather than "aaa accounting update periodic 2880"?


The command "aaa accounting update newinfo periodic 2880" accomplishes two necessary things.

  1. It sends changes as they happen so ISE can react appropriately, reprofiling and sending a CoA for example.
  2. It also forces the mandatory 2880 minute interim update to keep the session alive in ISE. Even if nothing changes as you described, it still sends this periodic check-in.

If you use the command "aaa accounting update periodic 2880" without the "newinfo" keyword, then you lose the immediate updates that are part of item one above.  This command would only perform updates at 2880 minutes.
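
The timing behaviour discussed in this thread, as an added example that is not part of any poster's reply and is not Cisco or ISE code: a small timeline model comparing the three forms of the command for an endpoint that changes once and then stays quiet. The function names are hypothetical, and the model assumes the session start at minute 0 counts as contact with ISE and that periodic updates fire at fixed multiples of the interval.

```python
# Added illustration: a simplified timeline model, not Cisco or ISE code.
ISE_IDLE_TIMEOUT_MIN = 5 * 24 * 60  # per the thread: 5 days with no interim or stop

def parse_update_cmd(line):
    """Return (newinfo, periodic_minutes_or_None) for an 'aaa accounting update' line."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "accounting", "update"]:
        raise ValueError(f"not an 'aaa accounting update' command: {line!r}")
    opts = tokens[3:]
    periodic = None
    if "periodic" in opts:
        i = opts.index("periodic")
        if i + 1 >= len(opts) or not opts[i + 1].isdigit():
            raise ValueError("'periodic' needs a number of minutes")
        periodic = int(opts[i + 1])
    return "newinfo" in opts, periodic

def simulate(line, change_times, horizon_min):
    """Model one session starting at minute 0 (assumed to count as contact).

    Returns (update_times, purged_at, delays): interim update minutes, the minute
    ISE would drop the session (None if it survives the horizon), and per change
    the minutes until an update reports it (None if never reported).
    """
    newinfo, periodic = parse_update_cmd(line)
    updates = set()
    if periodic:
        # Assumption: periodic updates fire at fixed multiples of the interval.
        updates.update(range(periodic, horizon_min + 1, periodic))
    if newinfo:
        updates.update(t for t in change_times if t <= horizon_min)
    updates = sorted(updates)

    purged_at, last = None, 0
    for t in updates + [horizon_min]:
        if t - last > ISE_IDLE_TIMEOUT_MIN:  # silence longer than ISE tolerates
            purged_at = last + ISE_IDLE_TIMEOUT_MIN
            break
        last = t

    delays = {}
    for c in change_times:
        later = [t for t in updates if t >= c and (purged_at is None or t <= purged_at)]
        delays[c] = later[0] - c if later else None
    return updates, purged_at, delays

if __name__ == "__main__":
    for opts in ("newinfo", "periodic 2880", "newinfo periodic 2880"):
        print(opts, simulate("aaa accounting update " + opts, [100], 14400)[1:])
```

With one constructed change at minute 100 over a 10-day window, only the combined form both keeps the session alive and reports the change immediately.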