3589 Views, 6 Helpful, 4 Replies

Accounting logs issue in Cisco ISE

keshavjan
Level 1

We have Cisco ISE deployed in our enterprise environment for Authentication, Authorization and Accounting. But apart from Cisco devices, none of the other OEM devices like Juniper, HP, Huawei etc. are showing accounting logs in ISE. However, accounting configuration is present in all devices' configurations.

Is there a need to create a profile for all the devices in ISE to populate accounting logs for those devices?

1 Accepted Solution

Check the vendor-specific configuration guide to confirm whether it supports command accounting or not. In general, login accounting must be working for these vendor devices.

4 Replies

Arne Bier
VIP

Hello @keshavjan ,

Are you looking for RADIUS Accounting in Operations > Reports > Reports > Endpoint and Users > RADIUS Accounting?

Even a Cisco IOS device is quite particular when configuring RADIUS accounting - not sure about the complexity involved in configuring the RADIUS Accounting - but I would do the following:

Enable Start and Stop Accounting to send Accounting Start and Stop requests to ISE when a new NAC session is started or terminated.

Enable Interim Accounting Updates - this is required to keep the ISE sessions alive - try to aim for every 24 hours.

You should also perform a tcpdump on the ISE PSN and then connect a device to the switch to observe what RADIUS traffic is sent by the switch. Does it send RADIUS accounting and does ISE receive it (as seen in tcpdump)? ISE should respond to that request - if it does not then ISE believes the session does not exist.

Multi-vendor might be tricky if you don't use the Vendor Device Profiles. Have you tagged the NAS devices with such Profiles? Cisco ISE provides a few common vendor platforms. They are tailored according to differences in RADIUS attributes and UDP ports (e.g. CoA is 3799 for most vendors, but 1700 for Cisco). Also check that you are sending RADIUS accounting to ISE on UDP/1813.

Start with a debug on the switch to witness the Account request being sent out, and then run a tcpdump on ISE to see the packet come in, and respond.

I have noticed one weird bug in ISE when the CoA is not working (i.e. when it's not configured on the switch) - the result is that the session is correctly authorized, but you will see no entry in Live Logs - as soon as you fix the CoA config on the switch and try again, you will see the entire auth process. Ensure that your switches are configured to allow ISE to send it a CoA (dynamic authorization) on whatever UDP port applies to that vendor's product. If it's not UDP/1700 then you must use a Vendor Device Profile.


I am asking about TACACS accounting, not RADIUS accounting. In my environment, ISE is only being used as an AAA server.

When I check logs for network devices other than Cisco in ISE (Operation > Reports > Tacacs Command Authorization), nothing shows related to command accounting. But for Cisco, everything shows.


What are your other NADs? Do you have command authorization enabled on those NADs? Note that not all NADs support TACACS+ command authorization.

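Both diagnostic steps in this thread, Arne's tcpdump on the PSN to see whether RADIUS accounting arrives and is answered, and the accepted solution's check of whether a given vendor sends TACACS+ command accounting at all, come down to the same question: for each NAD, which AAA packet types does it actually send, and does ISE reply? The script below is an added example, not code from the thread or from Cisco. It decodes only what that question needs: the RADIUS header with its Acct-Status-Type attribute (UDP/1812, 1813 and the CoA ports 1700/3799 named above) and the cleartext 12-byte TACACS+ header on TCP/49, which carries the packet type even though the body is encrypted. The addresses, ports and packets in it are constructed; on a real PSN you would feed it the payloads extracted from the tcpdump capture with a pcap reader.

```python
# Added example (not from the thread): classify RADIUS and TACACS+ packets seen on an
# ISE PSN, per NAD. Header layouts per RFC 2865/2866/5176 (RADIUS) and RFC 8907 (TACACS+).
import struct
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src dst l4 sport dport payload")
RADIUS_PORTS = {1812, 1813, 1700, 3799}   # auth, acct, CoA (Cisco default), CoA (RFC 5176)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request",
                5: "Accounting-Response", 11: "Access-Challenge", 40: "Disconnect-Request",
                41: "Disconnect-ACK", 42: "Disconnect-NAK", 43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update", 7: "Accounting-On", 8: "Accounting-Off"}
TACACS_TYPES = {1: "Authentication", 2: "Authorization", 3: "Accounting"}

def parse_radius(payload):
    """Decode the 20-byte RADIUS header plus the Acct-Status-Type AVP (type 40) if present."""
    if len(payload) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    info = {"code": RADIUS_CODES.get(code, "code-%d" % code), "id": ident}
    off = 20
    while off + 2 <= length:                      # walk the TLV attribute list
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad AVP length")
        if atype == 40 and alen == 6:
            status = struct.unpack("!I", payload[off + 2:off + 6])[0]
            info["acct_status"] = ACCT_STATUS.get(status, "status-%d" % status)
        off += alen
    return info

def parse_tacacs(payload):
    """Decode the 12-byte TACACS+ header. The body is normally encrypted, but the header
    (hence the packet type) is always cleartext, which is all this check needs."""
    if len(payload) < 12:
        raise ValueError("short TACACS+ packet")
    version, ptype, seq, flags, session_id, length = struct.unpack("!BBBBII", payload[:12])
    if version >> 4 != 0xC:
        raise ValueError("not TACACS+ (major version must be 12)")
    return {"type": TACACS_TYPES.get(ptype, "type-%d" % ptype), "seq": seq,
            "from_server": seq % 2 == 0,          # client sends odd seq_no, server replies even
            "encrypted": not flags & 0x01, "session_id": session_id, "body_len": length}

def summarize(packets, psn):
    """Per-NAD request/response counts; the NAD is whichever endpoint is not the PSN."""
    per_nad = defaultdict(lambda: defaultdict(int))
    for p in packets:
        ports, nad = {p.sport, p.dport}, (p.src if p.dst == psn else p.dst)
        if p.l4 == "tcp" and 49 in ports:
            t = parse_tacacs(p.payload)
            per_nad[nad]["tacacs_%s_%s" % (t["type"].lower(),
                                           "responses" if t["from_server"] else "requests")] += 1
        elif p.l4 == "udp" and ports & RADIUS_PORTS:
            r = parse_radius(p.payload)
            if r["code"] == "Accounting-Request":
                per_nad[nad]["radius_acct_requests"] += 1
                per_nad[nad]["radius_acct_" + r.get("acct_status", "unknown").lower()] += 1
            elif r["code"] == "Accounting-Response":
                per_nad[nad]["radius_acct_responses"] += 1
            else:
                per_nad[nad]["radius_other"] += 1
    return {nad: dict(c) for nad, c in per_nad.items()}

def nads_without_tacacs_accounting(summary):
    """NADs that speak TACACS+ to the PSN but never send an accounting packet: nothing
    can appear in ISE's TACACS accounting reports because the NAD is not sending it."""
    return sorted(n for n, c in summary.items() if any(k.startswith("tacacs_") for k in c)
                  and c.get("tacacs_accounting_requests", 0) == 0)

def unanswered_accounting(summary):
    """Accounting requests the PSN never answered: ISE received but did not accept them."""
    out = {}
    for nad, c in summary.items():
        for proto in ("radius_acct", "tacacs_accounting"):
            gap = c.get(proto + "_requests", 0) - c.get(proto + "_responses", 0)
            if gap > 0:
                out.setdefault(nad, {})[proto] = gap
    return out

# Constructed sample traffic with hypothetical addresses (not a real capture).
PSN, CISCO_SW, JUNIPER_RTR = "10.0.0.100", "10.0.0.1", "10.0.0.2"

def _radius(code, ident, status=None):            # zeroed authenticator is fine for parsing
    avp = b"" if status is None else struct.pack("!BBI", 40, 6, status)
    return struct.pack("!BBH", code, ident, 20 + len(avp)) + bytes(16) + avp

def _tacacs(ptype, seq, session_id, body_len=8):  # opaque (encrypted) body of body_len bytes
    return struct.pack("!BBBBII", 0xC0, ptype, seq, 0, session_id, body_len) + bytes(body_len)

SAMPLE = [
    Packet(CISCO_SW, PSN, "udp", 50001, 1813, _radius(4, 7, 1)),        # Acct-Start
    Packet(PSN, CISCO_SW, "udp", 1813, 50001, _radius(5, 7)),           # ISE answers it
    Packet(CISCO_SW, PSN, "udp", 50002, 1813, _radius(4, 8, 3)),        # Interim-Update, unanswered
    Packet(CISCO_SW, PSN, "tcp", 40001, 49, _tacacs(3, 1, 0x1111)),     # TACACS+ accounting
    Packet(PSN, CISCO_SW, "tcp", 49, 40001, _tacacs(3, 2, 0x1111)),
    Packet(JUNIPER_RTR, PSN, "tcp", 40002, 49, _tacacs(1, 1, 0x2222)),  # login authentication
    Packet(PSN, JUNIPER_RTR, "tcp", 49, 40002, _tacacs(1, 2, 0x2222)),
    Packet(JUNIPER_RTR, PSN, "tcp", 40003, 49, _tacacs(2, 1, 0x3333)),  # authorization, no accounting
    Packet(PSN, JUNIPER_RTR, "tcp", 49, 40003, _tacacs(2, 2, 0x3333)),
]

if __name__ == "__main__":
    report = summarize(SAMPLE, PSN)
    print("no TACACS+ accounting from:", nads_without_tacacs_accounting(report))
    print("unanswered accounting:", unanswered_accounting(report))
```

Read the two results together. A NAD listed by nads_without_tacacs_accounting (the constructed Juniper device here) is doing login authentication and authorization but sending no accounting at all, so the fix is on the device side or in the vendor's documented support for command accounting, not in ISE. A NAD listed by unanswered_accounting is sending accounting that the PSN silently drops, which is the case Arne describes where ISE does not believe the session exists (wrong shared secret, unknown NAD address, or a Vendor Device Profile mismatch are the usual causes to check next).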