Solved: Re: Cisco IBNS 2.0 keep accounting session a live

colahinka · ‎01-23-2022

Hi,

We've implemented a dot1x in our organization.

We are using user authentication for the endpoint devices ( Win/Macintosh ) .

We've notice that if there is an endpoint that authenticated long time a go ( lets say about 14 days ) , we cannot see his authentication properties at our NAC side.

Is there any procedure that we can make in our switches to keep that session a live ?

Sending any accounting updates which keep the session consistent until the host is disconnected?

Switch Models:

1) Cisco 2960X

2) Cisco C9200L

Thanks! .

Rob Ingram · ‎01-23-2022

What aaa accounting configuration have you configured on your switches?

You can specify the switch to send accounting information to ISE at endpoint session start and end events:

SWI(config)#aaa accounting identity default start-stop group ISE

And configure the switch to send periodic accounting updates for active sessions once every two days:

SWI(config)#aaa accounting update newinfo periodic 2880

Refer to the ISE wired prescriptive guide:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

View solution in original post

Rob Ingram · ‎01-23-2022

What aaa accounting configuration have you configured on your switches?

You can specify the switch to send accounting information to ISE at endpoint session start and end events:

SWI(config)#aaa accounting identity default start-stop group ISE

And configure the switch to send periodic accounting updates for active sessions once every two days:

SWI(config)#aaa accounting update newinfo periodic 2880

Refer to the ISE wired prescriptive guide:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515