02-18-2018 03:20 AM - edited 03-01-2019 06:24 PM
Hello colleagues,
Overview:
5508 WLC, 802.1x SSID + Radius on Cisco ISE 2.3.
ISE features in use: Radius (No profiling, etc. Just AAA), Tacacs.
Issue:
Cisco ISE consumes 388 base licenses while having only 47 active endpoints.
As has been stated multiple times on the forum, ISE removes the active session when it receives an accounting STOP message from the WLC.
In my case, it appears to count active sessions correctly; however, the base licenses are never released.
I have a feeling that the issue is in Radius accounting configuration.
Please guide me whether my theory is correct and what are the right settings on WLC so ISE maintains licenses correctly?
This is what I had before:
(Cisco Controller) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Accounting Call Station Id Type.................. IP Address
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Extended Source Ports Support.................... Enabled
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
  Test Mode.................................... Active
  Probe User Name.............................. sto-wlc-probe
  Interval (in seconds)........................ 180
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
RADIUS Authentication Framed-MTU................. 1300 Bytes
Now I've changed the accounting setting so that it corresponds to the authentication setting:
(Cisco Controller) >show radius summary
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Accounting Call Station Id Type.................. AP's Radio MAC Address:SSID
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Extended Source Ports Support.................... Enabled
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
  Test Mode.................................... Active
  Probe User Name.............................. sto-wlc-probe
  Interval (in seconds)........................ 180
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
RADIUS Authentication Framed-MTU................. 1300 Bytes
I'll monitor it for a while to see if it helps; however, I'm guessing here without a real understanding of the process.
Could you guide me in the right direction, please?
Thank you in advance.
UPD:
However, the Dashboard shows 52 active endpoints; on the license consumption page I scrolled further to the right and indeed see the corresponding number of active licenses in use: 388.
I'll try to disable the SSID temporarily and also implement session timeout to see if that helps.
Regards,
Anton.
02-19-2018 11:42 PM
Hello,
Thanks for your reply.
I was able to solve it myself.
The issue was on WLC radius accounting configuration.
For those who find this thread:
Auth Called Station ID Type must correspond to Acct Called Station ID Type.
In my case they're both set to AP MAC Address:SSID.
Previously I had "Ip address" as acct called station id type.
The reason I've changed auth called station id type was to implement further VLAN override on Cisco ISE based on SSID name.
The misconfiguration made Cisco ISE unable to understand when the session was over.
In order to clear unused licenses:
Shutdown SSIDs
Purged active session data from Primary and Secondary MnT.
Cleared whole endpoint database.
Rebooted primary and secondary PAN.
Enabled SSIDs
After monitoring it for a day, I see license count is correct. There's some delay in clearing the licenses but it's definitely much better now.
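The consistency check this post implies, as an added example that is not code from the thread or from Cisco: a Python script that parses pasted `show radius summary` output and flags a mismatch between "Auth Call Station Id Type" and "Accounting Call Station Id Type". The two embedded samples are the before/after outputs from the original post, reflowed one setting per line. The AireOS `config radius acct callStationIdType` command named in the verdict is my recollection of the CLI reference, not something the thread states; confirm the keyword with `?` on your controller.

```python
"""Check that a Cisco WLC uses the same Called-Station-Id format for RADIUS
authentication and accounting.  Added example; not code from the thread.

Root cause in the thread: "Auth Call Station Id Type" and "Accounting Call
Station Id Type" differed, so ISE could not match Accounting-Stop packets to
the sessions it had authenticated and never released the base licenses.
This script parses pasted `show radius summary` output and flags that state.
"""
import re
import sys

AUTH_KEY = "Auth Call Station Id Type"          # names exactly as the WLC prints them
ACCT_KEY = "Accounting Call Station Id Type"

# Constructed sample: the 'before' output from the post, one setting per line.
BEFORE = """\
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Accounting Call Station Id Type.................. IP Address
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Fallback Test:
  Test Mode.................................... Active
  Interval (in seconds)........................ 180
MAC Delimiter for Accounting Messages............ hyphen
RADIUS Authentication Framed-MTU................. 1300 Bytes
"""

# The 'after' output: accounting type changed to match authentication.
AFTER = "\n".join(
    "Accounting Call Station Id Type.................. AP's Radio MAC Address:SSID"
    if line.startswith(ACCT_KEY) else line
    for line in BEFORE.splitlines()
) + "\n"

# "Name....... Value": split on the dot padding so values keep spaces/colons.
_LINE = re.compile(r"^(?P<key>[^.]+?)\.{2,}\s*(?P<value>.+?)\s*$")


def parse_radius_summary(text):
    """Return {setting: value} for every padded 'Name.... Value' line.

    Section headers such as "Fallback Test:" have no dot run and are skipped;
    indented sub-settings are accepted because each line is stripped first.
    """
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            settings[m.group("key").strip()] = m.group("value")
    return settings


def called_station_id_mismatch(settings):
    """Return (auth_type, acct_type, mismatch).

    A missing key counts as a mismatch so an unexpected output format is not
    silently reported as healthy.
    """
    auth = settings.get(AUTH_KEY)
    acct = settings.get(ACCT_KEY)
    return auth, acct, auth is None or acct is None or auth != acct


def check(text):
    """Return (verdict, ok) for one `show radius summary` output."""
    auth, acct, bad = called_station_id_mismatch(parse_radius_summary(text))
    if bad:
        # Assumed AireOS syntax (my recollection of the command reference, not
        # from the thread): config radius acct callStationIdType <type>
        return (f"MISMATCH: auth={auth!r} acct={acct!r}; set the accounting "
                f"type to match, e.g. 'config radius acct callStationIdType "
                f"ap-macaddr-ssid' (verify the keyword on your release)", False)
    return f"OK: auth and acct Called-Station-Id type are both {auth!r}", True


if __name__ == "__main__":
    # Usage: paste `show radius summary` on stdin, or run with no input
    # to see the two samples from the post.
    if sys.stdin.isatty():
        for label, sample in (("before", BEFORE), ("after", AFTER)):
            print(f"{label}: {check(sample)[0]}")
    else:
        verdict, ok = check(sys.stdin.read())
        print(verdict)
        sys.exit(0 if ok else 1)
```

Run it against the controller output once after any RADIUS change (it exits non-zero on a mismatch, so it fits into a config-audit job); the thread's licence leak only shows up days later, which is why a check at change time is worth more than watching the licence page.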
02-18-2018 06:43 PM
Hi
An active license is held for a session for which an accounting stop hasn't been received.
Also, after 5 days Cisco ISE purges the license for all sessions where there was communication.
Here you're saying that you have only 50 active endpoints but 380 licenses consumed.
If you go on live sessions on ISE, how many sessions do you see active?
I had something weird with ISE 2.3 at the beginning and after a restart of services everything went back normal. Have you tried that?
Paste some ise outputs (license count and live sessions).
02-20-2018 12:51 AM
Very helpful, thank you!
Will
04-24-2018 10:20 AM
Helped us too!!
03-21-2019 05:49 PM
Hi Anton,
We have this same issue on our distributed-mode ISE nodes.
Just wondering, how could you manually purge the active sessions from the primary and secondary MnT nodes?
I tried the curl command but it did not seem to work.
curl -k -X DELETE https://MNT-IP/mnt/Session/Delete/All
Do I need to reload all the nodes, i.e. the MnT and PAN nodes?
Many thanks,
Edward
03-21-2019 08:23 PM
OK, it was fixed by using the version 2 API instead; it is different from version 1.x, and then it works. After that, I still needed to reboot both admin nodes.
curl -k -X DELETE https://username:password@<mntnode>/admin/API/mnt/Session/Delete/All
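The purge described in this reply, as an added example that is not code from the thread or from Cisco: a small Python client that reads the active-session count, calls Delete/All, and reads the count again so the effect of the purge is visible. The Delete/All path is the one in the reply above; the ActiveCount path is my recollection of the ISE MnT API reference, and the XML layout of its response is assumed, so confirm both on your release. Unlike the curl line, it sends the credentials in an Authorization header rather than in the URL and keeps TLS verification on against a CA file instead of `-k`. The `FakeMnt` class is a constructed offline stand-in used only so the flow can be run without a node.

```python
"""Purge stale active sessions from an ISE MnT node and show the effect.
Added example; not code from the thread or from Cisco.

Endpoints used (the Delete/All path is the one in the post above; the
ActiveCount path is my recollection of the ISE MnT API reference, so confirm
it on your release):
  GET    /admin/API/mnt/Session/ActiveCount   -> XML containing <count>
  DELETE /admin/API/mnt/Session/Delete/All

Differences from the curl line in the post: credentials travel in an
Authorization header instead of user:password@ in the URL (which lands in
shell history, proxy logs and `ps`), and TLS verification stays on, pinned
to the CA that issued the MnT admin certificate rather than disabled with -k.
"""
import base64
import getpass
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

ACTIVE_COUNT = "/admin/API/mnt/Session/ActiveCount"
DELETE_ALL = "/admin/API/mnt/Session/Delete/All"


def basic_auth_header(user, password):
    """RFC 7617 Basic value, built explicitly so it is testable."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_request(mnt_host, path, user, password, method="GET"):
    """urllib Request for one MnT API call; the MnT API answers in XML."""
    req = urllib.request.Request(f"https://{mnt_host}{path}", method=method)
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Accept", "application/xml")
    return req


def parse_active_count(xml_text):
    """Pull the integer out of the ActiveCount XML.

    Matched on local name so a default namespace on the root does not matter;
    the exact element layout is assumed, not captured from a live node.
    """
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] == "count" and elem.text:
            return int(elem.text.strip())
    raise ValueError("no <count> element in ActiveCount response")


def purge_all_sessions(mnt_host, user, password, cafile, opener=None):
    """Count, purge, count again; returns (before, after).

    `opener` is injectable so the flow can run offline; by default an
    HTTPS opener verifying the server against `cafile` is used.
    """
    if opener is None:
        ctx = ssl.create_default_context(cafile=cafile)
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))

    def call(path, method="GET"):
        with opener.open(build_request(mnt_host, path, user, password, method)) as resp:
            return resp.read().decode()

    before = parse_active_count(call(ACTIVE_COUNT))
    call(DELETE_ALL, method="DELETE")
    after = parse_active_count(call(ACTIVE_COUNT))
    return before, after


class _Resp:
    """Minimal file-like response for the offline stand-in below."""
    def __init__(self, body):
        self._body = body.encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class FakeMnt:
    """Constructed stand-in for an MnT node: holds `count` sessions (388, the
    figure from the thread) until it receives DELETE on Delete/All.  Records
    every request so a test can confirm no secret leaked into a URL."""
    def __init__(self, count=388):
        self.count = count
        self.seen = []
    def open(self, req):
        self.seen.append((req.get_method(), req.full_url))
        if req.get_method() == "DELETE" and req.selector == DELETE_ALL:
            self.count = 0
            return _Resp("")
        return _Resp(f'<activeCount xmlns="urn:example"><count>{self.count}</count></activeCount>')


if __name__ == "__main__":
    if len(sys.argv) == 4:                     # mnt-host admin-user ca-bundle.pem
        host, user, ca = sys.argv[1:]
        print(purge_all_sessions(host, user, getpass.getpass(), cafile=ca))
    else:
        print("offline demo:", purge_all_sessions("mnt.example.invalid", "admin",
                                                  "secret", None, opener=FakeMnt()))
```

Run it as `python purge.py <mnt-host> <admin-user> <ca-bundle.pem>` against each MnT node and keep the before/after pair in the change record; if the count does not drop, the API call itself is the problem and a PAN reboot will not help.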
10-21-2019 08:21 AM
We are experiencing the same problem with ISE 2.3. Can it be an issue when both the auth called station ID and acct called station ID are set to use the IP address of the WLC? Please confirm.
10-22-2019 12:33 AM
Hey
I believe it can be an issue.
I cannot confirm this; however, setting them to the IP address of the WLC doesn't make much sense to me.
04-17-2020 02:59 AM - edited 06-19-2020 04:09 AM
We stumbled across the same issue.
Thanks for your detailed analysis and solution.
Changing the acct called station ID is not a big deal, but purging the database plus reloads is not possible.
Is it correct that instead of purging you can also just wait 5 days to get the same effect, since the used licenses will time out anyway?
04-20-2020 01:09 AM
Hi Samuel,
You are welcome.
I cannot confirm that, unfortunately; please refer to the official documentation.
2.3 is no longer a current version; the behaviour might have changed in later releases.
Thanks
Regards,
Anton.
06-19-2020 04:14 AM
Hi Anton
Thanks for the reply. I forgot to mention that our customer runs 2.4; I just hooked onto this thread because our customer had the same issue. As far as I can tell this is related to a misconfiguration, not a bug in the ISE software version.
We implemented the steps above and reloaded ISE; the license count immediately dropped and remained at the level of active sessions.
06-19-2020 06:45 AM
We are still facing this issue with ISE 2.3. We made some changes and worked with support to reset the database; the active connections came down and stayed low, but slowly came back up over the last 6 months. So you will have to monitor the system for at least 3 months to know if it actually fixed it.
06-19-2020 07:58 AM
That's correct, the problem came back even on the latest patch of 2.3 in our environment as well.
I also worked with support in order to resolve this problem, but we never did. I got the following bug ID though: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo64043