Reporting on Current Active Sessions Guidance

Arne Bier (VIP)

Hello,

 

I am trying to understand why ISE reports different results when I ask it how many "Active Sessions" there are for a particular type of authorized device. To help me (and ISE) to filter/report on the exact Authorization Policy Rule that I am interested in, I have given them unique names like Employee_DOT1X_LowImpact, and BYOD_DOT1X_LowImpact (just to name a few). I have also given the Result Profiles unique names (even though their results are always the same) purely to assist me (and ISE) in producing reports.

 

The ISE Dashboard reports a total number of Active Endpoints - when I click on the hyperlink it opens a nice table that I can apply my search criteria on (e.g. how many BYOD users in low impact mode are active right now). But what I find is that the results in this search are not the same as when I filter in Operations > Reports > Endpoints and Users > Current Active Sessions.

 

Lastly, if I perform my search again using Live Sessions, I get a different answer altogether.

 

How does ISE define an Active Session?  Does it mean that a RADIUS Accounting Start/Update had to have been received within the last 24 hours to be considered 'Active' in Live Sessions and Operations Report?  

 

The Dashboard click-down method (filtered on 'Connected') seems to be the only reliable method because it doesn't seem to care about the Interim accounting in the last 24 hours (that's the only explanation I have). My switches send an Interim update every 48 hours (Cisco recommendation).

I have been considering lowering that Interim update to 23 hours to see if that improves (with around 15000 wired endpoints this should not cause too much accounting overhead). 

 

thoughts welcome

Accepted Solution

Hi @Arne Bier ,

 my thoughts ...

 All Endpoints at Home > Active Endpoints Dashboard has the Authentication Status as Connected, but some of them have "No Active Sessions" (I tried a CoA Session Reauth
[image: NoActiveSessions.png]

 

The Operations > Reports > Reports > Endpoints and Users > Current Active Sessions has the following Session Status:

- Authenticated
  ISE accepted the Session, but did not receive RADIUS Accounting Start. If no Accounting Start message is received, the Session will be removed after 1 hour.
- Started
  ISE received RADIUS Accounting Start. ISE requires an Interim Accounting message to be sent within 5 days; if not, the Session will be removed.
- Postured
  The Endpoint has been Posture checked and is Compliant using the AnyConnect Posture Module.

 

The Current Active Sessions with Session Status of Started or Postured have more value for me than Authenticated (that could be removed after 1 hour) and since the Active Endpoints Dashboard has Endpoints without a Session, I prefer to "trust" the Current Active Sessions [Started | Posture].

 

Regards


Thanks Marcelo - one benefit of fishing out all the "Authenticated" sessions is that those are potentially from switches where RADIUS Accounting is not configured (or misconfigured). Having said that, it's hard to tell because the RADIUS Accounting UDP packets could also be dropped/lost. But it's worthy of some focus if there are many of these.

 

Also, you highlighted that ISE refers to Active Endpoints and other times, Active Sessions.  Are you saying that an Active Endpoint is the more general term of any Endpoint that has passed authentication, but that Active Sessions are those, which also send RADIUS Accounting?  In an ideal world all Active Endpoints should also have an Active Session.

 

Hi @Arne Bier ,

 when you said " ...  But it's worthy of some focus if there are many of these ("Authenticated") ... ", totally agree, Authenticated as an indication/possibility of an issue, but (for me) not as a "real" Active Session (because at that point there is no Accounting Start).

 when you said " ... Are you saying that an Active Endpoint is the more general term of any Endpoint that has passed authentication, but that Active Sessions are those, which also send RADIUS Accounting? ... ", the straight answer is yes, whenever I checked the Active Endpoints Dashboard there are not only Endpoints with Active Sessions, but also Endpoints without Active Sessions.

 

Regards
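As an added example (not code from this thread, from Cisco or from ISE itself), the session lifecycle Marcelo lists above (Authenticated, Started, Postured, with the 1-hour and 5-day removal timers as stated in the thread) modelled over constructed RADIUS events, plus the check Arne raises: NAS addresses whose sessions only ever reach Authenticated, which is where missing or misconfigured RADIUS accounting would show up. Event names, timers, session ids and the NAS addresses are assumptions or constructed sample data.

```python
from datetime import datetime, timedelta

AUTH_TTL = timedelta(hours=1)    # Authenticated without Acct-Start: removed after 1 hour (per thread)
INTERIM_TTL = timedelta(days=5)  # Started/Postured without Interim-Update: removed after 5 days (per thread)

# Constructed sample events (timestamp, session id, NAS address, event); NAS 10.0.0.2 never sends accounting.
EVENTS = [
    ("2024-05-01 08:00", "s1", "10.0.0.1", "Access-Accept"),
    ("2024-05-01 08:00", "s1", "10.0.0.1", "Acct-Start"),
    ("2024-05-01 08:05", "s2", "10.0.0.2", "Access-Accept"),
    ("2024-05-01 09:00", "s3", "10.0.0.1", "Access-Accept"),
    ("2024-05-01 09:00", "s3", "10.0.0.1", "Acct-Start"),
    ("2024-05-01 09:10", "s3", "10.0.0.1", "Posture-Compliant"),
    ("2024-05-03 08:00", "s1", "10.0.0.1", "Interim-Update"),
]
_ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")

def build_sessions(events):
    """Replay events in time order into {session_id: {state, nas, auth_at, last_acct}}."""
    sessions = {}
    for ts, sid, nas, ev in sorted(events, key=lambda e: _ts(e[0])):
        t = _ts(ts)
        s = sessions.setdefault(sid, {"state": None, "nas": nas, "auth_at": t, "last_acct": None})
        if ev == "Access-Accept":            # accepted, but no accounting seen yet
            s["state"], s["auth_at"] = "Authenticated", t
        elif ev == "Acct-Start":             # accounting arrived: session is Started
            s["state"], s["last_acct"] = "Started", t
        elif ev == "Interim-Update":         # refreshes the 5-day timer, state unchanged
            s["last_acct"] = t
        elif ev == "Posture-Compliant" and s["state"] == "Started":
            s["state"] = "Postured"
        elif ev == "Acct-Stop":              # explicit end of session
            sessions.pop(sid, None)
    return sessions

def active_sessions(events, now):
    """Apply the removal rules and return {session_id: state} still present at `now`."""
    now, live = _ts(now), {}
    for sid, s in build_sessions([e for e in events if _ts(e[0]) <= now]).items():
        if s["state"] == "Authenticated" and now - s["auth_at"] > AUTH_TTL:
            continue                          # dropped: no Acct-Start within 1 hour
        if s["state"] in ("Started", "Postured") and now - s["last_acct"] > INTERIM_TTL:
            continue                          # dropped: no interim accounting within 5 days
        live[sid] = s["state"]
    return live

def nas_without_accounting(events):
    """NAS addresses none of whose sessions ever sent Acct-Start: check RADIUS accounting there."""
    sessions = list(build_sessions(events).values())
    return {s["nas"] for s in sessions} - {s["nas"] for s in sessions if s["last_acct"]}
```

Run `active_sessions(EVENTS, "...")` at different times to see the same endpoint appear or vanish from the "active" count purely as a function of when accounting was last heard, which is the behaviour the thread is discussing.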

As for the ISE Reports ... those that say "current Active sessions" ... that list does not seem to reflect the real situation. What are your views on fixing that? Is my understanding correct that ISE considers only endpoints active if it has seen an accounting in last 24 hours? So if the switch is sending the accounting interims every 48 hours, then you see (or not see) endpoints, depending on what time you click on these reports. Or click on the main Live Sessions menu option. 

I am considering returning a session-timeout of 65565 seconds (because there are older IOS-XE versions in play ... I can't use any larger value). But this value should re-auth the wired endpoints more regularly (18 hours) and I thought it might improve the "live/active" sessions visibility in ISE. Does that make sense?

Hi @Arne Bier ,

 the Operations > Reports > Reports > Endpoints and Users > Current Active Sessions is more accurate than Home > Active Endpoints Dashboard, the 1st gets the info from MnT (License consumption is based on the MnT data), the 2nd from Context Visibility (PAN data).

 

Regards