04-16-2015 02:22 AM - edited 03-10-2019 10:38 PM
Hi all
We are deploying ISE 1.3 in our network, but it is not clear to us how the license consumption mechanism is handled by ISE.
I saw in the administration guide that in ISE 1.3 a license is consumed for every active user, and license consumption relies on the attributes used in the authorization policy with which the endpoint is matched.
In the ISE 1.2 licensing data sheet it is said that the consumption relies on RADIUS accounting functions to track concurrent endpoints (ISE uses RADIUS accounting “start” and “stop” messages to determine when network sessions begin and end), but I didn't find any confirmation of that regarding ISE 1.3.
My question is: if I don't enable RADIUS accounting on the NAD, how does ISE determine when the network session has ended, and so when it releases the license for that user?
I ask this because during the tests we saw different behaviour; sometimes the session was considered ended and so the license was correctly released, but sometimes the user was considered active also hour later after it left the network, and his license was not correctly released.
Thanks
Marco
04-16-2015 03:11 AM
ISE monitoring node has a session directory to track endpoints active on the network.
Automatic Purge: A purge job runs approximately every 5 minutes to clear sessions that meet any of the following criteria:
1. Endpoint disconnected (Ex: failed authentication) in the last 15 minutes (grace time allotted in case of authentication retries)
2. Endpoint authenticated but no accounting start or update received in the last hour
3. Endpoint idle—no activity (authentication / accounting / posturing / profiling updates) in the last 5 days
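Added example, not part of the thread and not Cisco's code: a simplified Python model of the three purge criteria quoted above, stepped at the 5-minute job interval. The `Session` fields are hypothetical, treating an accounting stop as a disconnect is an assumption, and criterion 2 is read as applying to sessions for which no accounting was ever received.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds as quoted in the answer above.
PURGE_INTERVAL = timedelta(minutes=5)
DISCONNECT_GRACE = timedelta(minutes=15)
NO_ACCOUNTING_LIMIT = timedelta(hours=1)
IDLE_LIMIT = timedelta(days=5)

@dataclass
class Session:  # hypothetical record, not an ISE data structure
    authenticated_at: datetime
    last_accounting_at: Optional[datetime] = None  # last start / interim update
    disconnected_at: Optional[datetime] = None     # failed auth or stop (assumption)
    last_activity_at: Optional[datetime] = None    # posture / profiling updates

def purge_reason(s: Session, now: datetime) -> Optional[str]:
    """Return the criterion that clears the session at `now`, or None."""
    if s.disconnected_at and now - s.disconnected_at >= DISCONNECT_GRACE:
        return "disconnected"
    if s.last_accounting_at is None and now - s.authenticated_at >= NO_ACCOUNTING_LIMIT:
        return "no-accounting"
    seen = (s.authenticated_at, s.last_accounting_at, s.last_activity_at)
    last = max(t for t in seen if t is not None)
    if now - last >= IDLE_LIMIT:
        return "idle"
    return None

def first_purge(s: Session, start: datetime, horizon: timedelta):
    """Run the purge job every 5 minutes; return (time, reason) of the first hit."""
    now = start
    while now <= start + horizon:
        reason = purge_reason(s, now)
        if reason:
            return now, reason
        now += PURGE_INTERVAL
    return None, None

if __name__ == "__main__":
    t0 = datetime(2015, 4, 16, 9, 0)  # constructed sample time
    cases = {
        "accounting disabled on NAD": Session(t0),
        "start received, stop never arrives": Session(t0, last_accounting_at=t0),
    }
    for name, s in cases.items():
        print(name, first_purge(s, t0, timedelta(days=6)))
```

In this model, a session with no accounting at all is cleared at the 1-hour mark, while one that received an accounting start but never a stop is cleared only by the 5-day idle rule.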
04-16-2015 06:25 AM
Hi Venkatesh
Thank you very much for the clarification.
So does it mean that if accounting is not enabled, an authenticated endpoint is automatically purged from the active users after 1 hour and his session is terminated?
Best Regards
Marco
04-17-2015 04:07 AM
Yes, if an endpoint is authenticated and no accounting is received, then it's automatically purged.
04-17-2015 07:19 AM
Thank you very much for your precious support
Regards
Marco