Solved: Re: ISE active sessions with no interim accounting support

andrewswanson · ‎03-14-2018

Hi

I'm running into an issue with interim accounting and ISE. I have WS-C3650-48PD (03.07.05E) NADs doing 802.1x/MAB with ISE 2.3 patch 2.

802.1x/MAB works fine but the ISE Active Endpoint total always looks a little on the low side. The NADs are configured to send interim accounting updates to ISE but after doing some debugs it looks like the NADs aren't sending any accounting packets to ISE other than start/stop.

I found the following forum post which states that bug CSCux75319 applies to 3650/3850s:

https://supportforums.cisco.com/t5/cisco-bug-discussions/cscux75319-support-for-periodic-accounting-on-3850-switches/td-p/2921423

It looks like ISE is not receiving any interim accounting packets for connected clients so ISE is gradually clearing these sessions. In the absence of interim accounting, is the best option to enable periodic re-authentication of clients?

Thanks
Andy

andrewswanson · ‎07-26-2018

Worked through this with TAC (for the testing I used an eval ISE 2.3 patch 3 – the authenticator switch used was a WS-C3650-48PD). We found the following behaviour with different ios versions and interim accounting enabled “aaa accounting update periodic 2”

03.07.05E – switch “debug radius accounting” shows no interim accounting packets sent – only start/stop. TAC said there were no plans to fix interim accounting for 3.7.X.
03.06.08E – switch “debug radius accounting” shows interim accounting packets being sent at the time intervals specified. TAC gave the bug id for this fix as CSCus21944 – although the notes for this bug only mention 4506/4510 models
16.3.6 – I have a number of WS-C3650-48FQM switches running this ios on the production network and they also don’t send interim accounting packets – only start/stop. TAC said that interim accounting is resolved in 16.9.1 – I don’t have a bug id for this and I haven’t tested this release myself.

With the cat3k (running 03.06.08E) now sending interim accounting to ISE I found the following:

ISE doesn't display accounting interim update packets on its reports page (Operations > Reports > Endpoint and Users > RADIUS Accounting) even though the switch sends interim updates and the switch receives a response from ISE.
When I do an endpoint debug on ISE (Operations > Diagnostic Tools > Endpoint Debug) I can see ISE receiving interim updates for a given client.

TAC confirmed that this is due to “bug” CSCve85449 – this behaviour is to prevent ISE getting overwhelmed with accounting packets. Although interim accounting doesn’t appear in ISE reports, ISE still uses the interim accounting packets to keep Active Endpoints up to date.

Cheers

Andy

View solution in original post

Mohammed al Baqari · ‎03-15-2018

Re-authentication should be one in this case. It won't harm if you set the
timers correctly as recommended by Cisco. If I recall from CLUS the were @
3600

andrewswanson · ‎03-15-2018

Thanks for the reply. I'll contact TAC in the first instance to confirm that the 3650s have an issue with interim accounting before looking at implementing re-authentication timers.

Andy

ayden_beeson86 · ‎04-19-2018

Hey Andy,

Did you ever find out from the TAC what the go was here? We are using 3850's and having the same issue, we were running 3.7.5, but we have bumped some to 16.3.5b/16.3.6 and I'm seeing the same behaviour there.

I'd like to avoid turning on reauth timers if possible as well.....

andrewswanson · ‎04-19-2018

Hi Ayden

I'm working with TAC on this just now. They requested a TCPdump from the psn node to confirm ISE wasn't receiving any interim updates from the 3650s. The capture confirmed that the switches only send start/stop. I'll keep thread updated.

Cheers

Andy

ayden_beeson86 · ‎04-19-2018

Thanks Andy,

Keep me posted, let me know if you need another site with similar results!

Cheers,

Ayden

snir_orlanczyk · ‎07-03-2018

Hi,

I'm having the exact same issue, do you have any prograss in your case ?
Thanks,
Snir

andrewswanson · ‎07-03-2018

Hi

Not as yet. I'm still working with TAC on this. They responded through my Cisco partner that they couldn't replicate this issue with the same switch model/ios - I'm not sure if they were using new style ibns 2.0 config on their test. I'll keep the thread updated with any progress.

Andy

andrewswanson · ‎07-26-2018

Worked through this with TAC (for the testing I used an eval ISE 2.3 patch 3 – the authenticator switch used was a WS-C3650-48PD). We found the following behaviour with different ios versions and interim accounting enabled “aaa accounting update periodic 2”

03.07.05E – switch “debug radius accounting” shows no interim accounting packets sent – only start/stop. TAC said there were no plans to fix interim accounting for 3.7.X.
03.06.08E – switch “debug radius accounting” shows interim accounting packets being sent at the time intervals specified. TAC gave the bug id for this fix as CSCus21944 – although the notes for this bug only mention 4506/4510 models
16.3.6 – I have a number of WS-C3650-48FQM switches running this ios on the production network and they also don’t send interim accounting packets – only start/stop. TAC said that interim accounting is resolved in 16.9.1 – I don’t have a bug id for this and I haven’t tested this release myself.

With the cat3k (running 03.06.08E) now sending interim accounting to ISE I found the following:

ISE doesn't display accounting interim update packets on its reports page (Operations > Reports > Endpoint and Users > RADIUS Accounting) even though the switch sends interim updates and the switch receives a response from ISE.
When I do an endpoint debug on ISE (Operations > Diagnostic Tools > Endpoint Debug) I can see ISE receiving interim updates for a given client.

TAC confirmed that this is due to “bug” CSCve85449 – this behaviour is to prevent ISE getting overwhelmed with accounting packets. Although interim accounting doesn’t appear in ISE reports, ISE still uses the interim accounting packets to keep Active Endpoints up to date.

Cheers

Andy

ayden_beeson86 · ‎08-20-2018

Thanks Andy that is awesome.

We have recently updated to 16.8.1a (and soon to 16.9.1, its in QA) and it looks to be fixed there, the few we are running those versions on are now sending accounting interim updates correctly.

Great news all around.

andrewswanson · ‎08-21-2018

Thanks for that Ayden. I'm testing 16.9.1 at the moment and interim accounting works as expected - interesting to know it also works with 16.8.1a

Cheers

Andy

Garry Cross · ‎10-22-2018

Installed 16.9.1 on 3850 and getting Interim accounting.

I requested Cisco update the bug ID and list the broken and fixed versions, and add the bug to the release notes.

One thing is now getting interim updates way more often than we should with either of these statements.

aaa accounting update periodic 240

aaa accounting update periodic newinfo 240

eg for the same endpoint

11:05:24 AM
10:58:23 AM
10:39:38 AM
10:34:36 AM
10:29:21 AM
10:23:28 AM
10:12:51 AM
10:08:53 AM

Damien Miller · ‎10-22-2018

If you debug the radius accounting packets for this endpoint, are the message details changing? "newinfo" obviously won't follow the 240 minute interim timer that is set. One example, I've seen NADs send sub second changes because it is seeing two ip's on the same MAC.

It would be interesting to see what is changing in the acct packets that is forcing the update, if anything.

Garry Cross · ‎10-22-2018

Can't seem to figure out how to do debug aaa accounting on 16.9.1 and get output.

I watch an engineer once and he did some stuff and used show platform software trace message smd switch active R0, but I can't seem to get what he got.

Anyway a capture shows that sometimes the update contains a Framed IP and sometimes it doesn't. Otherwise the only difference is in the bytes and packets, timestamp etc.

Regards.