Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3397
Views
1
Helpful
1
Replies

ISE user session question

Go to solution
Hongtao Xu
Cisco Employee
Cisco Employee

‎08-15-2017 12:45 AM

Hi, ISE expert.

Would like to ask a question about ISE concurrent user session.

customer use GGSN with ISE as radius authentication server , if our user get authenticated , does ISE keep the user sessions until the account stop message come ? or Do we have some approach to shorten the session keeping time ?

thanks

hongtao

1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎08-15-2017 05:17 AM

Short answer is that RADIUS Accounting will trigger Start and Stop of session.  In lieu of RADIUS Accounting, other measures are taken to manage ISE sessions.  This topic is covered in BRKSEC-3699 session (see reference presentation on CiscoLive.com).  Here is excerpt:

Clearing Stale Sessions

  • RADIUS Accounting is Primary method to maintain sessions If RADIUS Accounting not sent (or not received due to network or PSN load drops), ISE will rely on Session Purge operation to clear stale sessions
     
  • Automatic Purge: A purge job runs approximately every 5 minutes to clear sessions that meet any of the following criterion:
    • Endpoint disconnected (Ex: failed authentication) in the last 15 minutes (grace time allotted in case of authentication retries)
    • Endpoint authenticated in last hour but no accounting start or update received
    • Endpoint idleno activity


Note: Session is cleared from MnT but does not generate CoA to prevent negative impact to connected endpoints.  In other words, MnT session is no longer visible but it is possible for endpoint to still have network access, but no longer consumes license.

  • Manual Purge via REST API: HTTP DELETE API can manually delete inactive sessions.

/Craig

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Craig Hyps
Level 10
Level 10

‎08-15-2017 05:17 AM

Short answer is that RADIUS Accounting will trigger Start and Stop of session.  In lieu of RADIUS Accounting, other measures are taken to manage ISE sessions.  This topic is covered in BRKSEC-3699 session (see reference presentation on CiscoLive.com).  Here is excerpt:

Clearing Stale Sessions

  • RADIUS Accounting is Primary method to maintain sessions If RADIUS Accounting not sent (or not received due to network or PSN load drops), ISE will rely on Session Purge operation to clear stale sessions
     
  • Automatic Purge: A purge job runs approximately every 5 minutes to clear sessions that meet any of the following criterion:
    • Endpoint disconnected (Ex: failed authentication) in the last 15 minutes (grace time allotted in case of authentication retries)
    • Endpoint authenticated in last hour but no accounting start or update received
    • Endpoint idleno activity


Note: Session is cleared from MnT but does not generate CoA to prevent negative impact to connected endpoints.  In other words, MnT session is no longer visible but it is possible for endpoint to still have network access, but no longer consumes license.

  • Manual Purge via REST API: HTTP DELETE API can manually delete inactive sessions.

/Craig

0 Helpful
Customers Also Viewed These Support Documents