02-23-2022 07:41 PM
Currently we noticed that our MAB device account status type in the RADIUS accounting report displays only the Interim-Update status.
So, what is the cause of this message? Will there be any issue in the future?
03-03-2022 03:51 PM
Hello @sot01
This could be quite normal for wired networks where the devices are always plugged in to the NAC-enabled switch, and the switch has a command that sends interim updates at regular intervals. The recommended Cisco switch config below would send an update every 2880 minutes (48 hours):
aaa accounting update newinfo periodic 2880
If a device is connected to a NAC switch, then the switch should send a RADIUS Accounting-Start to ISE
If a device is disconnected from a NAC switch, then the switch should send a RADIUS Accounting-Stop to ISE
aaa accounting identity default start-stop group ISE-GROUP-NAME
03-05-2022 03:48 PM
See ISE Secure Wired Access Prescriptive Deployment Guide for recommended AAA/RADIUS Accounting server settings.
aaa new-model
aaa session-id common
!
radius server ISE01
 address ipv4 172.20.254.21 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key ISEisC00L
!
radius server ISE02
 address ipv4 172.20.254.22 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key ISEisC00L
!
username test-user password 0 test-password
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
aaa group server radius ISE
 server name ISE01
 server name ISE02
 ip radius source-interface Vlan254
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE
!
aaa server radius dynamic-author
 client 172.20.254.21 server-key ISEisC00L
 client 172.20.254.22 server-key ISEisC00L
See How to Ask The Community for Help for providing sufficient details to the community experts to help you narrow down and reproduce the problem.
03-02-2023 01:44 PM
Hi Thomas, Do you have a similar document for Wireless?
A Meraki Wireless Support engineer said that Meraki APs (authenticators) are expecting those accounting interim updates coming from ISE, but I think he is wrong based on the documentation I have read. In particular, from the link you provided, for example, we have the following, where clearly the NAD, like the Meraki AP, is the one periodically sending accounting updates. In particular, I am looking for some information regarding accounting interim updates for CWA using Meraki-ISE for a Guest SSID, and to clarify what the best value is that I should use. The Meraki AP has an accounting interim interval of 10 minutes.
c9300-Sw(config)#aaa accounting update newinfo periodic 2880
Note: After a network access session of an endpoint is logged to ISE, it stays there for 5-days without any additional accounting updates. In order to keep the session active on ISE, a periodic accounting update once every two days is a best practice.
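Added example (not part of the thread or of Cisco's documentation): a small Python classifier showing why a long-lived wired MAB session appears as Interim-Update only in an accounting report, and when a session would pass the 5-day retention mentioned above. The record layout, function name, session ids and sample records are assumptions constructed for illustration; only the 5-day and 2880-minute values come from the thread.

```python
from datetime import datetime, timedelta

# From the thread: ISE keeps a session for 5 days without accounting updates,
# and the recommended switch setting sends an interim update every 2880 minutes.
ISE_RETENTION = timedelta(days=5)
INTERIM_PERIOD = timedelta(minutes=2880)

def classify_sessions(records, now, window_start):
    """Classify sessions from (timestamp, session_id, acct_status_type) records
    that fall inside the report window [window_start, now]."""
    seen = {}
    for ts, sid, status in sorted(records):
        if window_start <= ts <= now:
            entry = seen.setdefault(sid, {"types": set(), "last": ts})
            entry["types"].add(status)
            entry["last"] = ts
    states = {}
    for sid, entry in seen.items():
        if "Stop" in entry["types"]:
            states[sid] = "closed"        # endpoint disconnected, Stop received
        elif now - entry["last"] > ISE_RETENTION:
            states[sid] = "stale"         # no update within retention and no Stop
        elif entry["types"] == {"Interim-Update"}:
            states[sid] = "interim-only"  # Start predates the window: always-connected port
        else:
            states[sid] = "active"        # Start seen in the window, still connected
    return states

# Constructed sample records; session ids are made up.
NOW = datetime(2022, 3, 3, 12)
WINDOW_START = NOW - timedelta(days=7)
SAMPLE = [
    (datetime(2022, 2, 1, 8), "A1", "Start"),            # before the report window
    (datetime(2022, 2, 27, 8), "A1", "Interim-Update"),
    (datetime(2022, 3, 1, 8), "A1", "Interim-Update"),
    (datetime(2022, 3, 3, 8), "A1", "Interim-Update"),
    (datetime(2022, 3, 2, 9), "B2", "Start"),
    (datetime(2022, 2, 25, 10), "C3", "Start"),
    (datetime(2022, 2, 25, 18), "C3", "Stop"),
    (datetime(2022, 2, 25, 7), "D4", "Interim-Update"),  # nothing since, no Stop
]

if __name__ == "__main__":
    for sid, state in sorted(classify_sessions(SAMPLE, NOW, WINDOW_START).items()):
        print(sid, state)
    print("interim period inside retention:", INTERIM_PERIOD < ISE_RETENTION)
```

Sessions reported as "stale" are the ones worth checking on the switch, since a missing Accounting-Stop or a blocked accounting port would produce the same pattern.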