
ISE doesn't terminate radius sessions after WLC becomes down

SMD28316
Level 1

I am trying to understand the following in ISE:

  • When a WLC goes down, why doesn't ISE terminate the RADIUS sessions associated with it?
  • The users of these sessions get blocked from authenticating again, and the error displayed in the authentication report is as follows:

22098 New user session not permitted. Max sessions user in group limit has been reached

  • Only after increasing the MAX-SESSIONS number is the authentication successful.

Why is that? Are the old RADIUS sessions "stuck" in ISE and can't be released? Shouldn't they be released automatically after the connection with the WLC gets terminated? Can't ISE recognize that the WLC is down and delete the stale sessions so the users can re-authenticate?

Accepted Solution

thomas
Cisco Employee

First, because RADIUS is a stateless, request-response protocol. It runs on UDP.

Second, ISE does not actively monitor your network devices for their activity or health. ISE does not care if your network device reboots or goes away forever. It is not its job to care about that.

Third, because that is how RADIUS Accounting works. ISE starts a session when it receives a RADIUS Accounting Start from the network device and ends the session upon receiving a RADIUS Accounting Stop. If the network device dies and cannot send a Stop or Interim accounting updates, it becomes stale.

ISE keeps sessions for 4 days then automatically clears any old, stale sessions.

Until then, if you have a bunch of zombie sessions that run over your Max Sessions number, you need to account for that if you reboot/maintain/unplug/lose network devices without gracefully ending your users' sessions.


4 Replies


poongarg
Cisco Employee

One thing to add here about session management on ISE:

a. Sessions without an accounting start (Authenticated) are removed after 60 minutes.

b. Sessions with an accounting stop (Terminated) are removed after 15 minutes.

c. Sessions in ‘Started’ state (MnT got an accounting start) are removed after 120 hours without an Interim update.

That's some great data, I was only aware of the 120-hour timer. Thanks @poongarg

Rodrigo Infanta
Level 1

Thanks for your post, we are currently going through the same situation: we configured the maximum session limit for 3 users in ISE, and in addition we configured the timeout of the profile associated with the SSID in the WLC with a time of 60 seconds. However, at the time of disconnecting one of the devices from the Wi-Fi network, 60 seconds pass for the WLC to boot it, as in ISE; if you try to connect the same or another new device to the Wi-Fi network again, the system indicates that the maximum session limit has been reached.

With this I understand that, although it shows when the session ended, it does not completely clean its records until after 4 days.
Is there a way to change this?

Thank you!!