2044 Views · 5 Helpful · 1 Reply

Re-authorization for MAB

k.khussainov (Level 1)

Hey. I have noticed that over time, endpoints using MAB appear in ISE as inactive. How do I set up an authorization profile correctly to keep the data of the active device up to date? Are there best practices for re-authorizing MAB devices? Can you explain what happens to a session if the session timeout is not specified in the authorization profile? (This is how it is currently configured.) I can pass attribute 27 with a value of 28800 and attribute 29 with the default value. Am I correct in understanding that after the 8-hour interval has elapsed, the active session will end and the switch will immediately send a RADIUS request for re-authentication? Is it correct to use these attributes to update endpoint activity data?

Accepted Solution

Damien Miller (VIP Alumni)
If the MAB endpoint appears as inactive in ISE but you know it is still connected and has a session on the switch, then you might be missing the interim accounting configuration. The live session in ISE would have likely hit the five-day timeout without any update, which results in ISE believing it has dropped from the network.

The typical scenario here for these long-lived authentication sessions is that the switch sends an interim accounting update every day or two. The common config to accomplish this is "aaa accounting update newinfo periodic 2880", which instructs the switch to send an update any time it sees new info for the endpoint, or every 2880 minutes as scheduled.
This interim accounting update keeps the session alive in ISE, since ISE won't remove a live session without an accounting stop, or until it times out after 5 days of no update.

With no reauth timer set, ISE will keep the authentication session active indefinitely, assuming ISE receives an update from the network device within the five day window.
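The two mechanisms discussed in this thread, interim accounting and server-driven reauthentication, side by side as an added example; this is not configuration from the original post or from Cisco documentation, it is an illustrative IOS/IOS-XE fragment using the legacy (non-IBNS 2.0) authentication syntax. The RADIUS server group name ISE-GROUP and the interface GigabitEthernet1/0/1 are assumed placeholders. On the ISE side, the same Session-Timeout (attribute 27) and Termination-Action (attribute 29) values are what the authorization profile's "Reauthentication" common task emits (the timer in seconds, and "RADIUS-Request" or "Default" for the termination action).

```ios
! Added example, not the post's own config. Assumptions: server group ISE-GROUP,
! interface Gi1/0/1, legacy authentication-manager syntax.
!
! 1. Accounting: Start/Stop plus Interim-Update records.
!    "newinfo"  -> an update whenever the switch learns something new (e.g. the IP address)
!    "periodic 2880" -> an update every 2880 minutes (48 h), well inside the five-day
!    window after which ISE drops a live session it has heard nothing about.
aaa new-model
aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE-GROUP
aaa accounting network default start-stop group ISE-GROUP
!
! 2. Optional server-driven reauthentication. "timer reauthenticate server" makes the
!    switch take the reauth interval from Session-Timeout (attr 27) in the Access-Accept
!    rather than from a locally configured value. What happens when it expires is decided
!    by Termination-Action (attr 29): RADIUS-Request (1) = reauthenticate in place,
!    Default (0) = tear the session down and let the endpoint start over.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
! 3. Checks after a MAB endpoint has authenticated:
!    show authentication sessions interface GigabitEthernet1/0/1 details
!      -> confirm "Session timeout" matches attr 27 and "Timeout action" is
!         Reauthenticate (attr 29 = RADIUS-Request) rather than Terminate.
!    show aaa servers
!      -> the accounting request counters for ISE-GROUP should keep climbing at the
!         periodic interval; if they only move on Start/Stop, step 1 is not in effect.
```

Note that the interim update alone is what keeps the ISE live session from aging out; the reauthentication timer is a separate choice about how often the switch re-queries ISE for a possibly changed authorization result, and with Termination-Action left at Default it interrupts connectivity at every expiry.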
