Solved: Re: ISE Radius Timeout

fatalXerror · ‎06-17-2019

Hi Guys,

I would like to know if there is a RADIUS timeout value for ISE? For example, if my endpoint got authenticated and authorized, does the endpoint to ISE have session expiry?

Thanks

Damien Miller · ‎06-17-2019

The interim accounting updates are the switch or WLC letting ISE know that the endpoint is still authenticated to it. If no details change, then the NAD is just providing that "continue monitoring the session" type of update to ISE. Accounting radius packets are also sent if something changes with an endpoint details, ISE will refresh the inactivity timer.

If you don't have any accounting enabled in the environment, and an endpoint is connected for 5+ days without reauth, then ISE will treat it as a new authentication rather than a continuation of the session. The authentication remains valid on the NAD though, ISE just won't show it as a session though. ISE drops (stops monitoring) the session, but it doesn't kill the session on the NAD.

View solution in original post

Damien Miller · ‎06-17-2019

Two components to this. First, the time to complete authentication from the ISE side is 120 seconds, I would consider this the RADIUS timeout for ISE.

Second half of your question. If you authenticate an endpoint, but then provide no further accounting updates (stop or interim), then ISE will consider it an inactive session after 5 days and drop it. This does not mean the session ends on the NAD, ISE just stops considering it an active session. This would be the ISE session expiry/inactivity. If you provide RADIUS interim accounting updates at least once every 5 days, then the session will remain tracked by ISE.
Configuration guides/examples vary on RADIUS accounting interim update times, I've seen as low as 5 minutes, but typically we aim for 1440 or 2880 minutes. The interim update time is often driven by what the load balancer team will allow for persistence. If you run load balancing in the environment, you want the interim accounting updates to arrive before the LB times out the persistence, ex LB persists for 60 minutes, send interim updates at 55 minutes.

fatalXerror · ‎06-17-2019

Hi @Damien Miller , thanks for the feedback.

This accounting updates that you stated, what are these updates can you give an example?

In addition, if ISE drop the session, the user will need to do authentication again, right?

Thanks

Damien Miller · ‎06-17-2019

The interim accounting updates are the switch or WLC letting ISE know that the endpoint is still authenticated to it. If no details change, then the NAD is just providing that "continue monitoring the session" type of update to ISE. Accounting radius packets are also sent if something changes with an endpoint details, ISE will refresh the inactivity timer.

If you don't have any accounting enabled in the environment, and an endpoint is connected for 5+ days without reauth, then ISE will treat it as a new authentication rather than a continuation of the session. The authentication remains valid on the NAD though, ISE just won't show it as a session though. ISE drops (stops monitoring) the session, but it doesn't kill the session on the NAD.

fatalXerror · ‎06-20-2019

Hi @Damien Miller,

Thanks for the feedback.

I did some research further about this matter and I found out the "authentication timer reauthentication <seconds | server>". Based on my understanding, it seems to be that this command is related to the one that you are stating, am I correct?

It seems that this timer is somehow the radius session timeout, if no reauthentication occurs meaning no accounting to be sent to ISE otherwise, NAD will reauth the endpoint to the ISE which means session is still active, am I correct to say that?

Based on documentation, default reauth is 3600 seconds.

Thanks