Profiling data removed with RADIUS Stop received

paul
Level 10

In a previous post on using the IP in profiles, I learned from Craig that the IP address is removed from the endpoint when a RADIUS stop is received by ISE. So devices profiled using IPs will revert to some other profile, causing them to get reprofiled again when they reconnect. Given the current "no CoA sent on reprofile" bug, this makes using IP addresses in profiling a problem.

 

I am wondering what other data is removed when a stop is received.

Accepted Solutions

kthiruve
Cisco Employee

Paul,

 

RADIUS start and stop are in general used for licensing purposes.

If it is a MAB + profiling session and if ISE receives a RADIUS stop, the session is cleared and the license consumed by the endpoint will be released. If the endpoint license is released, it can't consume a base/plus license unless it reauthenticates again. For that purpose we have an interim accounting update that you can turn on periodically so that if you don't receive an accounting stop for a long time, ISE will still retain the session. It will not clear the session. You can also configure reauthentication timers with the session timeout and termination action attributes, which will determine how the session will behave at the end of the reauthentication timer.

 

Thanks

Krishnan

 

 

 


2 Replies

Krishnan,



Understood on the normal role of the RADIUS messages, but the fact that IP address information was removed from the endpoint when the RADIUS stop accounting packet comes in was news to me. I verified this in my lab testing. This causes a device to be reprofiled if you are using the IP address as a profiling condition. I was wondering if there are any other attributes cleared when a stop message is received.



I always set reauthentication timers on all my wired rules.



Thanks for the feedback.
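An added example, not part of the original thread and not Cisco code: a small RFC 2866 Accounting-Request parser that lists the endpoints whose most recent accounting event is a Stop, which per this thread are the ones that lose their IP address on the ISE endpoint record. The function names and the sample MAC and IP values are constructed for illustration, and it assumes the accounting packets are available as raw bytes.

```python
import socket
import struct

# RADIUS attribute types and Acct-Status-Type values (RFC 2865 / RFC 2866)
FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 8, 31, 40
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_accounting(packet: bytes) -> dict:
    """Decode one Accounting-Request (code 4) into status, MAC and Framed-IP."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if packet[:1] != b"\x04" or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    event = {"status": None, "mac": None, "ip": None}
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == ACCT_STATUS_TYPE and a_len == 6:
            event["status"] = STATUS.get(struct.unpack("!I", value)[0], "Other")
        elif a_type == CALLING_STATION_ID:
            event["mac"] = value.decode("ascii", "replace").upper()
        elif a_type == FRAMED_IP and a_len == 6:
            event["ip"] = socket.inet_ntoa(value)
        pos += a_len
    return event

def endpoints_ended_by_stop(packets) -> dict:
    """Map MAC -> last Framed-IP seen, for endpoints whose latest event is Stop."""
    last = {}
    for ev in map(parse_accounting, packets):
        if ev["mac"]:
            ip = ev["ip"] or last.get(ev["mac"], (None, None))[1]
            last[ev["mac"]] = (ev["status"], ip)
    return {mac: ip for mac, (status, ip) in last.items() if status == "Stop"}

def build(status: int, mac: str, ip: str = "") -> bytes:
    """Constructed sample packet with a zeroed authenticator, not a capture."""
    attrs = bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    attrs += bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac.encode()
    if ip:
        attrs += bytes([FRAMED_IP, 6]) + socket.inet_aton(ip)
    return struct.pack("!BBH", 4, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed events: endpoint ...01 stays up via Interim-Update, ...02 ends with Stop
SAMPLE = [build(1, "AA-BB-CC-00-00-01", "10.0.0.11"), build(3, "AA-BB-CC-00-00-01"),
          build(1, "AA-BB-CC-00-00-02", "10.0.0.12"), build(2, "AA-BB-CC-00-00-02")]
```

Running `endpoints_ended_by_stop(SAMPLE)` returns only the second endpoint, giving a list of devices to check for reprofiling when an IP address is used as a profiling condition.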