10-18-2022 06:42 PM
Does anyone know how to terminate an existing endpoint authenticated session in Cisco ISE so that we can try to re-authenticate the laptop again to see the Radius Live logs without having to wait until the timer expires? ISE is running version 3.1x and tried going to Context Visibility -> Endpoints -> selected the endpoint mac address and hit delete and ISE says successful but still no Radius live logs after trying to retest 802.1x machine and user authentication again (tried shut/no shut the switch interface port).
Thanks in advance, LN
10-18-2022 10:40 PM
Instead of deleting the endpoint, you can perform a re-auth in Context Visibility, or in Live Sessions. That only works if ISE has an active session for that endpoint. A session is maintained in ISE as long as ISE receives regular RADIUS accounting data from the NAS (as a kind of session keepalive).
When you delete an endpoint from Context Visibility, it will also send a CoA Disconnect to the NAS to kill the session. That's the theory. In some cases ISE might not have a session for that endpoint - and if ISE doesn't have an active session, then the CoA won't be sent. It means that the endpoint gets deleted - and that's it. You would then have to log into the NAS and manually manipulate the session - if it's a switch, then a "clear access-session" or "shut / no shut" is required.
10-29-2022 08:01 AM
Thank you Marcelo and Arne both for the suggestions. Sorry, I didn't see this last response, but it could be related. Thanks!
10-25-2023 06:39 AM
Hi Arne,
I found in another post that ISE has a 5-day session timeout, so I am wondering if that is the reason I still see 8K active sessions as per our API call, even though we moved all our wireless network to a different ISE deployment (newer version).
thanks
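To make the session behaviour in Arne's answer and the 5-day timeout question above concrete, here is a small model written for this thread (it is not Cisco or ISE code). It tracks sessions the way the answer describes: a session is created by an Accounting Start, kept alive by Interim-Updates, removed by a Stop, and otherwise expires after an inactivity timeout. Deleting an endpoint only "sends a CoA" when a live session exists; otherwise nothing is sent and the NAS must be cleared by hand. The record field names follow standard RADIUS attribute names, the sample events are constructed, and the 5-day timeout is taken from the thread as an assumption, not from ISE documentation.

```python
"""Toy model of ISE-style RADIUS session tracking (added example, not Cisco code).

Models the behaviour described in the thread: a session lives only while
accounting keepalives arrive, deleting an endpoint triggers a CoA only when a
live session exists, and sessions whose NAS stopped sending accounting (e.g.
after a migration) linger until the inactivity timeout expires.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed value: the 5-day session timeout mentioned in the thread.
SESSION_TIMEOUT = timedelta(days=5)


def normalize_mac(mac: str) -> str:
    """Canonicalise Calling-Station-Id (AA-BB-CC-..., aa:bb:cc:..., aabb.cc..) to 12 hex digits."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Session:
    mac: str
    nas_ip: str
    acct_session_id: str
    started: datetime
    last_seen: datetime  # timestamp of the most recent accounting keepalive

    def is_active(self, now: datetime, timeout: timedelta = SESSION_TIMEOUT) -> bool:
        return now - self.last_seen < timeout


class SessionTable:
    def __init__(self, timeout: timedelta = SESSION_TIMEOUT):
        self.timeout = timeout
        self.sessions: Dict[str, Session] = {}  # keyed by Acct-Session-Id

    def ingest(self, rec: dict) -> None:
        """Apply one accounting record (Acct-Status-Type Start / Interim-Update / Stop)."""
        sid, ts, status = rec["Acct-Session-Id"], rec["timestamp"], rec["Acct-Status-Type"]
        if status == "Start":
            self.sessions[sid] = Session(normalize_mac(rec["Calling-Station-Id"]),
                                         rec["NAS-IP-Address"], sid, ts, ts)
        elif status == "Interim-Update" and sid in self.sessions:
            self.sessions[sid].last_seen = ts
        elif status == "Stop":
            self.sessions.pop(sid, None)

    def active_for_mac(self, mac: str, now: datetime) -> Optional[Session]:
        mac = normalize_mac(mac)
        for s in self.sessions.values():
            if s.mac == mac and s.is_active(now, self.timeout):
                return s
        return None

    def expire(self, now: datetime) -> List[str]:
        """Drop sessions whose keepalive stopped longer ago than the timeout; return their ids."""
        dead = [sid for sid, s in self.sessions.items() if not s.is_active(now, self.timeout)]
        for sid in dead:
            del self.sessions[sid]
        return dead

    def delete_endpoint(self, mac: str, now: datetime) -> str:
        """Model of 'delete endpoint in Context Visibility': CoA only if a live session exists."""
        s = self.active_for_mac(mac, now)
        if s is None:
            return "endpoint deleted, no active session: no CoA sent (clear the session on the NAS)"
        self.sessions.pop(s.acct_session_id)
        return f"endpoint deleted, CoA Disconnect-Request sent to NAS {s.nas_ip}"


# Constructed sample accounting records (not real ISE logs).
T0 = datetime(2022, 10, 18, 9, 0)
SAMPLE_EVENTS = [
    {"timestamp": T0, "Acct-Status-Type": "Start", "Acct-Session-Id": "0000001A",
     "Calling-Station-Id": "AA-BB-CC-11-22-33", "NAS-IP-Address": "10.0.0.1"},
    # Wireless client on a NAS that later stops sending accounting to this deployment.
    {"timestamp": T0, "Acct-Status-Type": "Start", "Acct-Session-Id": "0000002B",
     "Calling-Station-Id": "aa:bb:cc:44:55:66", "NAS-IP-Address": "10.0.0.2"},
    {"timestamp": T0 + timedelta(minutes=30), "Acct-Status-Type": "Interim-Update",
     "Acct-Session-Id": "0000001A", "Calling-Station-Id": "AA-BB-CC-11-22-33",
     "NAS-IP-Address": "10.0.0.1"},
]


def build_table() -> SessionTable:
    table = SessionTable()
    for event in SAMPLE_EVENTS:
        table.ingest(event)
    return table


if __name__ == "__main__":
    table = build_table()
    print(table.delete_endpoint("aa:bb:cc:11:22:33", T0 + timedelta(hours=1)))
    later = T0 + timedelta(days=6)
    print("expired after 6 days:", table.expire(later))
    print(table.delete_endpoint("aa:bb:cc:44:55:66", later))
```

Run as-is it shows the two outcomes from the thread: the wired client with fresh accounting gets a CoA on delete, while the migrated wireless client has no live session, so the delete removes the endpoint without any CoA, and its stale session only disappears once the inactivity timeout passes. Pointing `ingest` at real accounting export data (with timestamps parsed into `datetime`) lets you list which of the "8K active sessions" have had no keepalive since the migration.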
10-20-2022 08:11 AM
Hi @latenaite2011 ,
You said "... tried shut/no shut the switch interface port ...". The shut/no shut should work, as should clearing the authentication sessions (mentioned by @Arne Bier). In this situation, please take a look at CSCup71561 Dot1x Session struck in "U" state.
Symptom:
After a Wired Dot1x Client is disconnected from the switchport, the session is stuck and cannot be cleared.
Hope this helps !!!