Interim update on guest SSID

jayage
Level 1

Hi guys,

 

We followed the following doc for guest access with ISE and WLC.

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475?attachment-id=164022

 

At "Configure a Guest WLAN (SSID)" it is not shown if the "Interim Update" should be enabled.

 

I guess it is needed for CoA (after 5 days), right?

 

Thank you

Accepted Solutions

Arne Bier
VIP

Not sure what you mean by "needed for CoA after 5 days".

 

If your NAS has the ability to send RADIUS Accounting Interim-Updates then you should do so. How frequently? Well, that depends on how many sessions the NASes are maintaining. E.g. on a Cisco WLC you can set Interim-Update to 0sec (in 8.x and later) and it will only send Interims when something changes (e.g. RADIUS profiling or DHCP IP address change). Failing that, a 24 hour update period seems reasonable. It all has to do with granularity of licensing utilisation and visibility of sessions in general. ISE won't fail if your NAS doesn't send Accounting updates (whether start/stop/interim) but it will skew your license usage because ISE has no way to update the counts. And without Accounting in general you won't have any visibility into session usage on ISE.

Perhaps the 5 days you were referring to was the time that ISE will maintain a license usage count - if after 5 days it has not received an accounting record then it will release the license back to the pool.

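A model of the aging behaviour described in the reply above, added here as an illustration and not taken from ISE, the WLC, or either poster: it replays RADIUS accounting records and stops tracking any session whose last Start or Interim-Update is more than 5 days old, the figure quoted in this thread. The record layout, session IDs and MAC addresses are constructed, and `classify` is a hypothetical helper name.

```python
from datetime import datetime, timedelta

# Figure quoted in this thread: no accounting record for more than 5 days
# and the session is no longer maintained.
STALE_AFTER = timedelta(days=5)

# Constructed sample records (not real logs):
# (timestamp, Acct-Status-Type, Acct-Session-Id, Calling-Station-Id)
SAMPLE = [
    ("2024-03-01T08:00:00", "Start",          "s1", "02:00:00:00:00:01"),
    ("2024-03-04T08:00:00", "Interim-Update", "s1", "02:00:00:00:00:01"),
    ("2024-03-07T08:00:00", "Interim-Update", "s1", "02:00:00:00:00:01"),
    ("2024-03-01T09:00:00", "Start",          "s2", "02:00:00:00:00:02"),  # NAS sends no interims
    ("2024-03-02T10:00:00", "Start",          "s3", "02:00:00:00:00:03"),
    ("2024-03-02T18:00:00", "Stop",           "s3", "02:00:00:00:00:03"),
    ("2024-03-06T11:00:00", "Start",          "s4", "02:00:00:00:00:04"),
]
NOW = datetime.fromisoformat("2024-03-08T12:00:00")


def classify(records, now, stale_after=STALE_AFTER):
    """Return (tracked, aged_out) session IDs as seen by the accounting server at `now`.

    tracked:  last Start/Interim-Update is within `stale_after`
    aged_out: never stopped, but silent for longer than `stale_after`;
              the NAS may still count these clients as connected
    """
    last_seen = {}
    for ts, status, session_id, _mac in sorted(records):  # ISO timestamps sort chronologically
        seen = datetime.fromisoformat(ts)
        if seen > now:
            break  # ignore records from after the point in time being evaluated
        if status == "Stop":
            last_seen.pop(session_id, None)  # session ended cleanly
        elif status in ("Start", "Interim-Update"):
            last_seen[session_id] = seen     # any update refreshes the session
    tracked = sorted(s for s, t in last_seen.items() if now - t <= stale_after)
    aged_out = sorted(s for s, t in last_seen.items() if now - t > stale_after)
    return tracked, aged_out


if __name__ == "__main__":
    tracked, aged_out = classify(SAMPLE, NOW)
    print("tracked:", tracked)    # sessions refreshed recently enough
    print("aged out:", aged_out)  # sessions the server has dropped without a Stop
```

Sessions in the second list are the ones that make the server-side count drift below what the NAS reports when interim updates are not sent.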

I found the information about the 5 days here:

https://community.cisco.com/t5/security-documents/top-six-important-cisco-wlc-settings-for-ise-integration/ta-p/3643795

 

Section:

Interim RADIUS Accounting Settings under WLANs

Phrase: "If ISE fails to receive interim accounting message for an endpoint session beyond 5 days, ISE will stop maintaining the session."

 

Makes sense that the license will be freed then.

 

One last question for my understanding - on our ISE dashboard there is a default widget under metrics showing the "authenticated guests", which is at 105 at the moment, but the WLC shows 603 clients. I could imagine that it should show the same amount. Am I wrong or is ISE maybe missing some information? Maybe as interim is not enabled for that SSID or due to other misconfiguration?

 

Thanks!


3 Replies

You should have a session timeout configured on your SSIDs. That will maintain your live session logs. I think the reason your # of guests on the home screen is different than the WLC is just a function of how ISE is looking at the guests. When your guests sign onto the portal and connect they show up as an authenticated guest, but after that you should be using the identity group mapped to guest type. So the second time they authenticate, the authentication is strictly MAB and not an authenticated guest.