03-27-2017 05:25 AM
Hi,
we are deploying a new PoC enviroment and we are running in a strange problem. It seems that counter for the active endpoints is not incrementing.
Scenario:
3 nodes of ISE in PAN failover running version 2.2 and an external web server with the scope to create guest user using API integration.
When the guest user is authenticated from guest DB on ISE, we are able to see the authentication session on ISE from "Operation --> Radius --> Live Logs and Live Session", but under "Context Visibility -- Endpoints -- Authentication" all endpoints are in disconnected or null status.
I can also see that the session status in Live session tab is always setted in "Started" or "Terminated" value.
Is anybody experiencing the same our problem? Is status session correct or we should have different value?
Best Regards
Andrea Tornaghi
Solved! Go to Solution.
03-29-2017 04:33 AM
Chyps, you answer is correct. The problem was on WLC side. I enabled the RADIUS Server Accounting Interim update and everything is working fine.
03-28-2017 07:30 AM
RADIUS Accounting is how ISE tracks the sessions and performs licensing counts.
I suspect that you are not sending RADIUS Accounting information from your NADs to ISE.
aaa accounting dot1x default start-stop group ISE-Group
Please see our How To: Universal IOS Switch Config for ISE under ISE Design & Integration Guides for the full details about how to configure AAA Accounting on a switch with ISE.
IF it persists, verify you are using a validated version of NAD software from the Cisco Identity Services Engine Network Component Compatibility, Release 2.2 - Cisco
03-28-2017 09:43 AM
if, on ISE, I go in Operations -- Reports -- Endpoint and Users -- RADIUS Accounting I am able to see some logs from Accounting process (you can find an example below).
My NAD is WLC 5508 running version 8.2.130, and on SSID I have configured as accounting servers all PSN nodes in the same order of authentication servers.
I checked also that Accounting is enabled in Logging Categories List and it is collecting logs from LogCollector and LogCollector2.
Ex.
11004 Received RADIUS Accounting-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15004 Matched rule
22083 User/group session counters incremented on accounting start
11005 Returned RADIUS Accounting-Response
03-28-2017 01:27 PM
Be sure to enable the RADIUS Server Accounting > Interim Update checkbox but set Interim Interval to 0.
03-29-2017 04:33 AM
Chyps, you answer is correct. The problem was on WLC side. I enabled the RADIUS Server Accounting Interim update and everything is working fine.
03-30-2017 10:07 AM
Craig doesn’t need to be told when he is right…it’s just assumed .
10-02-2018 05:01 AM
Hello Gents,
Got exactly the same problem.
My WLC is 8.0.152 and there is no indication for RADIUS>Accounting there will be any Interim Update checkbox. Might my firmware to old, what do you think ?
Regards,
lkajcsu01
10-02-2018 07:10 AM
The interim accounting setting is under each WLAN. Go to WLAN -> Select WLAN and edit -> Security -> AAA Servers.
02-25-2019 08:24 AM
Hi Thomas,
can this command be used with Tacacs+ instead of Radius as well?
aaa accounting dot1x default start-stop group TACACS-Server-GROUP
Thank you
Jochen
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide