cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

4484
Views
10
Helpful
8
Replies
AndreaTornaghi
Beginner

Active Endpoint Counter

Hi,

we are deploying a new PoC enviroment and we are running in a strange problem. It seems that counter for the active endpoints is not incrementing.

Scenario:

3 nodes of ISE in PAN failover running version 2.2 and an external web server with the scope to create guest user using API integration.

When the guest user is authenticated from guest DB on ISE, we are able to see the authentication session on ISE from "Operation --> Radius --> Live Logs and Live Session", but under "Context Visibility -- Endpoints -- Authentication" all endpoints are in disconnected or null status.

I can also see that the session status in Live session tab is always setted in "Started" or "Terminated" value.

Is anybody experiencing the same our problem? Is status session correct or we should have different value?

Best Regards

Andrea Tornaghi

1 ACCEPTED SOLUTION

Accepted Solutions

Chyps, you answer is correct. The problem was on WLC side. I enabled the RADIUS Server Accounting Interim update and everything is working fine.

View solution in original post

8 REPLIES 8
thomas
Cisco Employee

RADIUS Accounting is how ISE tracks the sessions and performs licensing counts.

I suspect that you are not sending RADIUS Accounting information from your NADs to ISE.

    aaa accounting dot1x default start-stop group ISE-Group

Please see our How To: Universal IOS Switch Config for ISE under ISE Design & Integration Guides for the full details about how to configure AAA Accounting on a switch with ISE.


IF it persists, verify you are using a validated version of NAD software from the Cisco Identity Services Engine Network Component Compatibility, Release 2.2 - Cisco

if, on ISE, I go in Operations -- Reports -- Endpoint and Users -- RADIUS Accounting I am able to see some logs from Accounting process (you can find an example below).

My NAD is WLC 5508 running version 8.2.130, and on SSID I have configured as accounting servers all PSN nodes in the same order of authentication servers.

I checked also that Accounting is enabled in Logging Categories List and it is collecting logs from LogCollector and LogCollector2.

Ex.

11004  Received RADIUS Accounting-Request

11017 RADIUS created a new session

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15004  Matched rule

22083 User/group session counters incremented on accounting start

11005 Returned RADIUS Accounting-Response

Be sure to enable the RADIUS Server Accounting > Interim Update checkbox but set Interim Interval to 0.

Chyps, you answer is correct. The problem was on WLC side. I enabled the RADIUS Server Accounting Interim update and everything is working fine.

Craig doesn’t need to be told when he is right…it’s just assumed .

Hello Gents, 

 

Got exactly the same problem.

My WLC is 8.0.152 and there is no indication for RADIUS>Accounting there will be any Interim Update checkbox. Might my firmware to old, what do you think ?

 

Regards, 

lkajcsu01

 

 

 

 

The interim accounting setting is under each WLAN. Go to WLAN -> Select WLAN and edit -> Security -> AAA Servers.

Hi Thomas,

 

can this command be used with Tacacs+ instead of Radius as well?

 

  aaa accounting dot1x default start-stop group TACACS-Server-GROUP

 

Thank you

Jochen

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube