4862 Views · 19 Helpful · 1 Replies

ISE License consumption monitoring when no radius accounting is used

Arne Bier (VIP)

Hi

I have studied the ISE licensing consumption theory in Chapter 20 of the ISE 2.2 Admin Guide, but I still have a question about a particular use case. What happens if a user is authenticated via RADIUS and authorised, but the NAD (for whatever reason) does not send any RADIUS accounting records?

I have a customer who has written an in-house application that has a RADIUS API for web portal authentication. They are presently using ACS 5.4 and want to migrate to ISE 2.2. They have purchased a 100,000 Base license.

I am concerned that the ISE base licenses will increment after every successful AuthN/AuthZ, but ISE will never decrement the license usage because it has no idea when the session ended. Did I understand this correctly?

In analysing the customer's existing ACS system I have also seen instances where a NAD is sending more Accounting Stops than Accounting Starts (bug?). Surely ISE must have some clever correlation mechanism that ensures that for every Accounting Start of SessionID-X, it will only decrement the license pool when the Accounting Stop for that same SessionID-X is received. How does ISE ensure that it knows how to correlate the Accounting Start and Stop for a single session?

And lastly, what happens if ISE receives the Accounting Start, but due to UDP packet loss, the Accounting Stop is never received? Will ISE ever release that license? Is there some periodic license consumption clean-up that is done?

Appreciate any replies on this.

Regards

Arne Bier

1 Accepted Solution

Craig Hyps (Level 10)

See excerpt from my Cisco Live session BRKSEC-3699 on automatic session management. In short, ISE will clear sessions within 1 hr if no Accounting Start/Update. Others will get cleared after 5 days of no activity.

Clearing Stale Sessions:

•   RADIUS Accounting is the primary method to maintain sessions – Start/Update/Stop!

    If RADIUS Accounting is not sent (or not received due to network or PSN load drops), ISE will rely on the Session Purge operation to clear stale sessions.

•   Automatic Purge: A purge job runs approximately every 5 minutes to clear sessions that meet any of the following criteria:

    1. Endpoint disconnected (Ex: failed authentication) in the last 15 minutes (grace time allotted in case of authentication retries)

    2. Endpoint authenticated in the last hour but no accounting start or update received

    3. Endpoint idle—no activity (authentication / accounting / posturing / profiling updates) in the last 5 days

    * Note: Session is cleared from MnT but does not generate CoA, to prevent negative impact to connected endpoints. In other words, the MnT session is no longer visible, but it is possible for the endpoint to still have network access while no longer consuming a license.

•   Manual Purge via REST API: HTTP DELETE API can manually delete inactive sessions.

    An example web utility that supports the HTTP DELETE operation is cURL: http://www.cisco.com/en/US/docs/security/ise/1.2/api_ref_guide/ise_api_ref_ch2.html#wp1072950
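A small model of the three automatic purge criteria quoted in the reply above, added here as an illustration; it is not ISE code and not from the original post. It reads each window as a minimum age before a purge pass clears the session (an assumption about the wording), and runs over constructed sample sessions, including the case the question asks about: an Accounting Start was received but the Stop never arrived.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Grace windows quoted in the reply above, read as minimum ages (assumption)
DISCONNECT_GRACE = timedelta(minutes=15)   # failed auth / disconnect, wait for retries
NO_ACCOUNTING_GRACE = timedelta(hours=1)   # authenticated, no Accounting Start/Update
IDLE_LIMIT = timedelta(days=5)             # no auth/accounting/posture/profiling activity

@dataclass
class Session:
    session_id: str
    authenticated_at: datetime
    last_activity: datetime                     # any auth/accounting/posture/profiling update
    accounting_seen: bool                       # Accounting Start or Interim-Update received
    disconnected_at: Optional[datetime] = None  # set on failed auth or disconnect

def purge_reason(s: Session, now: datetime) -> Optional[str]:
    """Return the criterion that clears the session at time `now`, or None to keep it."""
    if s.disconnected_at is not None and now - s.disconnected_at >= DISCONNECT_GRACE:
        return "disconnected/failed auth, grace of 15 min elapsed"
    if not s.accounting_seen and now - s.authenticated_at >= NO_ACCOUNTING_GRACE:
        return "no Accounting Start/Update within 1 h of authentication"
    if now - s.last_activity >= IDLE_LIMIT:
        return "idle for 5 days"
    return None

def run_purge(sessions: List[Session], now: datetime) -> Tuple[List[str], Dict[str, str]]:
    """One purge pass: ids still consuming a license, and cleared ids with their reason."""
    kept, cleared = [], {}
    for s in sessions:
        reason = purge_reason(s, now)
        if reason is None:
            kept.append(s.session_id)
        else:
            cleared[s.session_id] = reason
    return kept, cleared

def demo() -> Tuple[List[str], Dict[str, str]]:
    """Constructed sample sessions as seen by a purge pass at `now`."""
    now = datetime(2017, 6, 1, 12, 0)
    m, d = timedelta(minutes=1), timedelta(days=1)
    sessions = [
        Session("A", now - 90 * m, now - 90 * m, False),       # authN/authZ only, NAD never sends accounting
        Session("B", now - 30 * m, now - 30 * m, False),       # same, but still inside the 1 h grace
        Session("C", now - 6 * d, now - 6 * d, True),          # Start received, Stop lost in transit
        Session("D", now - 3 * d, now - 120 * m, True),        # Interim-Updates keep it alive
        Session("E", now - 20 * m, now - 20 * m, False, now - 20 * m),  # failed auth 20 min ago
    ]
    return run_purge(sessions, now)
```

Session C is the lost-Stop case: the license it holds is released by the 5-day idle rule rather than by accounting correlation, and A shows the 1-hour rule for a NAD that never sends accounting at all.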
