Beginner

Cisco ISE 2.3 base license consumption (Radius accounting)

Hello colleagues, 

Overview:
5508 WLC, 802.1x SSID + Radius on Cisco ISE 2.3. 

ISE features in use: Radius (No profiling, etc. Just AAA), Tacacs.


Issue: 
Cisco ISE consumes 388 base license while having only 47 active endpoints. 

As it was stated multiple times on the forum, ISE removes the active session when it receives accounting STOP message from WLC. 
In my case, it looks to count active sessions correctly, however the base licenses are never released. 

I have a feeling that the issue is in Radius accounting configuration. 

Please guide me whether my theory is correct and what are the right settings on WLC so ISE maintains licenses correctly? 

This is what I had before: 

(Cisco Controller) >show radius summary       

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Accounting Call Station Id Type.................. IP Address
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Extended Source Ports Support.................... Enabled
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Active
    Probe User Name.............................. sto-wlc-probe
    Interval (in seconds)........................ 180
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
RADIUS Authentication Framed-MTU................. 1300 Bytes


Now I've changed the accounting setting for it to correspond to authentication settings: 

(Cisco Controller) >show radius summary 

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Accounting Call Station Id Type.................. AP's Radio MAC Address:SSID
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Extended Source Ports Support.................... Enabled
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Active
    Probe User Name.............................. sto-wlc-probe
    Interval (in seconds)........................ 180
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
RADIUS Authentication Framed-MTU................. 1300 Bytes


I'll monitor it for a while to see if it helps, however I'm trying to guess here without real understanding of the process. 
Could you guide me in the right direction, please? 

Thank you in advance. 

 

UPD: 
However, on the Dashboard it shows 52 active endpoints. On the license consumption page I scrolled further to the right, and I indeed see the corresponding number of active licenses in use - 388.
I'll try to disable the SSID temporarily and also implement session timeout to see if that helps.


Regards, 

Anton. 

1 ACCEPTED SOLUTION

Beginner

Re: Cisco ISE 2.3 base license consumption (Radius accounting)

Hello, 


Thanks for your reply. 
I was able to solve it myself. 

The issue was in the WLC RADIUS accounting configuration.


For those who find this thread: 
Auth Called Station ID Type must correspond to Acct Called Station ID Type. 
In my case they're both set to AP MAC Address:SSID. 


Previously I had "IP address" as acct called station id type.
The reason I've changed auth called station id type was to implement further VLAN override on Cisco ISE based on SSID name. 
The misconfiguration made Cisco ISE unable to understand when the session was over. 

In order to clear unused licenses: 

Shut down SSIDs

Purged active session data from Primary and Secondary MnT. 

Cleared whole endpoint database. 

Rebooted primary and secondary PAN. 

Enabled SSIDs

 

After monitoring it for a day, I see license count is correct. There's some delay in clearing the licenses but it's definitely much better now. 

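The check described in the accepted solution, as an added example that is not part of the original thread: it parses `show radius summary` output and reports whether the accounting and authentication Call Station Id types agree. The function names are hypothetical, and the sample text is abridged from the outputs posted above.

```python
import re

# One dotted-leader line of WLC output: "Setting name......... value"
LINE = re.compile(r"^\s*(?P<key>.+?)\.{2,}\s*(?P<value>.*\S)\s*$")
ACCT_KEY = "Accounting Call Station Id Type"
AUTH_KEY = "Auth Call Station Id Type"

# Abridged from the "before" output posted in the thread; AFTER applies the fix.
BEFORE = """\
(Cisco Controller) >show radius summary
Accounting Call Station Id Type.................. IP Address
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Fallback Test:
    Test Mode.................................... Active
MAC Delimiter for Accounting Messages............ hyphen
"""
AFTER = BEFORE.replace("IP Address", "AP's Radio MAC Address:SSID")


def parse_radius_summary(text):
    """Return {setting: value}; indented settings get a 'Section / ' prefix."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(Cisco Controller)"):
            continue  # skip blank lines and the echoed CLI prompt
        m = LINE.match(raw)
        if m is None:
            section = line.rstrip(":")  # heading such as "Fallback Test:"
            continue
        if not raw[0].isspace():
            section = None  # an unindented setting ends the section
        key = m.group("key").strip()
        settings[f"{section} / {key}" if section else key] = m.group("value")
    return settings


def check_called_station_id(text):
    """Compare the accounting and authentication Call Station Id types."""
    s = parse_radius_summary(text)
    missing = [k for k in (ACCT_KEY, AUTH_KEY) if k not in s]
    if missing:
        raise ValueError(f"not found in output: {missing}")
    acct, auth = s[ACCT_KEY], s[AUTH_KEY]
    return {"acct": acct, "auth": auth, "match": acct.casefold() == auth.casefold()}


if __name__ == "__main__":
    print({n: check_called_station_id(o)["match"] for n, o in (("before", BEFORE), ("after", AFTER))})
```
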

8 REPLIES 8
VIP Advisor

Re: Cisco ISE 2.3 base license consumption (Radius accounting)

Hi

 

An active license is for a session on which accounting stop hasn't been received.

Also, after 5 days Cisco ISE purges licenses for all sessions where there was communication.

 

Here you're saying that you've only 50 active endpoints but 380 licenses consumed 

If you go on live sessions on ISE, how many sessions do you see active?

 

I had something weird with ISE 2.3 at the beginning, and after a restart of services everything went back to normal. Have you tried that?

 

Paste some ISE outputs (license count and live sessions).

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Participant

Re: Cisco ISE 2.3 base license consumption (Radius accounting)

Very helpful, thank you!

 

Will

Beginner

Re: Cisco ISE 2.3 base license consumption (Radius accounting)

Helped us too!!

Beginner

Re: Cisco ISE 2.3 base license consumption (Radius accounting)

Hi Anton,


We have this same issue on our distributed-mode ISE nodes.

I just wonder how you could manually purge the active sessions from the primary and secondary MnT nodes?

I tried the curl command but it does not seem to work.

curl -k -X DELETE https://MNT-IP/mnt/Session/Delete/All

Do I need to reload all the nodes like mnt and PAN nodes?

 

Many thanks,

 

Edward

Beginner

Re: Cisco ISE 2.3 base license consumption (Radius accounting)

OK, it was fixed by using the version 2 API instead; it is different from version 1.x. Then it works. After that, I still need to reboot both admin nodes.

 

curl -k -X DELETE https://username:password@<mntnode>/admin/API/mnt/Session/Delete/All

Beginner

Re: Cisco ISE 2.3 base license consumption (Radius accounting)

We are experiencing the same problem with ISE 2.3. Can it be an issue when both the auth called station ID and acct called station ID are set to use the IP address of WLC? Please confirm.

Beginner

Re: Cisco ISE 2.3 base license consumption (Radius accounting)

Hey 

 

I believe it can be an issue. 
I cannot confirm this; however, setting them to the IP address of the WLC doesn't make much sense to me.
