Cisco ISE 2.3 base license consumption (Radius accounting)

Anton Zvonarev
Level 1

Hello colleagues, 

Overview:
5508 WLC, 802.1x SSID + Radius on Cisco ISE 2.3. 

ISE features in use: Radius (No profiling, etc. Just AAA), Tacacs.


Issue: 
Cisco ISE consumes 388 base licenses while having only 47 active endpoints. 

As has been stated multiple times on the forum, ISE removes the active session when it receives an accounting STOP message from the WLC. 
In my case it looks like active sessions are counted correctly, however the base licenses are never released. 

I have a feeling that the issue is in Radius accounting configuration. 

Please guide me whether my theory is correct and what the right settings on the WLC are so that ISE maintains licenses correctly. 

This is what I had before: 

(Cisco Controller) >show radius summary       

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Accounting Call Station Id Type.................. IP Address
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Extended Source Ports Support.................... Enabled
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Active
    Probe User Name.............................. sto-wlc-probe
    Interval (in seconds)........................ 180
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
RADIUS Authentication Framed-MTU................. 1300 Bytes


Now I've changed the accounting setting so that it corresponds to the authentication setting: 

(Cisco Controller) >show radius summary 

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Accounting Call Station Id Type.................. AP's Radio MAC Address:SSID
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID
Extended Source Ports Support.................... Enabled
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Active
    Probe User Name.............................. sto-wlc-probe
    Interval (in seconds)........................ 180
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen
RADIUS Authentication Framed-MTU................. 1300 Bytes


I'll monitor it for a while to see if it helps; however, I'm guessing here without a real understanding of the process. 
Could you guide me in the right direction, please? 

Thank you in advance. 

 

UPD: 
On the Dashboard it shows 52 active endpoints, and when I scrolled further to the right on the license consumption page I indeed see the corresponding number of active licenses in use: 388. 
I'll try to disable the SSID temporarily and also implement a session timeout to see if that helps.


Regards, 

Anton. 

Accepted Solution

Hello, 


Thanks for your reply. 
I was able to solve it myself. 

The issue was in the WLC RADIUS accounting configuration.


For those who find this thread: 
Auth Called Station ID Type must correspond to Acct Called Station ID Type. 
In my case they're both set to AP MAC Address:SSID. 


Previously I had "IP address" as the acct called station id type. 
The reason I changed the auth called station id type was to implement VLAN override on Cisco ISE based on the SSID name. 
The misconfiguration made Cisco ISE unable to understand when a session was over. 

In order to clear unused licenses: 

1. Shut down SSIDs.
2. Purged active session data from Primary and Secondary MnT. 
3. Cleared the whole endpoint database. 
4. Rebooted primary and secondary PAN. 
5. Enabled SSIDs.

 

After monitoring it for a day, I see the license count is correct. There is some delay in clearing the licenses, but it's definitely much better now. 
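To make the accepted solution concrete, here is an added illustrative example (not ISE's or the WLC's own code) that does two things: it parses the Auth and Accounting "Call Station Id Type" lines out of the WLC's `show radius summary` text and flags a mismatch, and it models, with constructed RADIUS attribute values, why a Accounting-Stop whose Called-Station-Id differs from the one seen at authentication fails to release the session and its license. The session-keying in `SessionTable` is a simplified model, not ISE's actual correlation logic.

```python
import re

# Constructed excerpts of the WLC "show radius summary" output, before and after the fix
BEFORE = """Accounting Call Station Id Type.................. IP Address
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID"""
AFTER = """Accounting Call Station Id Type.................. AP's Radio MAC Address:SSID
Auth Call Station Id Type........................ AP's Radio MAC Address:SSID"""

def called_station_types_match(show_radius_summary):
    """Return (auth_type, acct_type, match) parsed from the WLC output.
    A mismatch means Access-Request and Accounting packets carry different
    Called-Station-Id values for the same client session."""
    fields = {}
    for line in show_radius_summary.splitlines():
        m = re.match(r"\s*(Auth|Accounting) Call Station Id Type\.+\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    auth, acct = fields.get("Auth"), fields.get("Accounting")
    return auth, acct, auth is not None and auth == acct

class SessionTable:
    """Simplified model (assumption, not ISE internals) of a RADIUS server's
    session/license table: a session is keyed on endpoint MAC plus
    Called-Station-Id, and its license is only released when an
    Accounting-Stop with the same key arrives."""
    def __init__(self):
        self.active = {}

    @staticmethod
    def _key(pkt):
        return (pkt["Calling-Station-Id"].lower(), pkt["Called-Station-Id"].lower())

    def access_accept(self, pkt):
        self.active[self._key(pkt)] = pkt["User-Name"]

    def accounting(self, pkt):
        """Return True when an Accounting-Stop cleared a tracked session."""
        if pkt["Acct-Status-Type"] != "Stop":
            return False
        return self.active.pop(self._key(pkt), None) is not None

def simulate(acct_called_station_id):
    """One 802.1X session: auth with AP MAC:SSID, then an Accounting-Stop whose
    Called-Station-Id reflects the WLC's accounting setting (constructed values)."""
    table = SessionTable()
    table.access_accept({"User-Name": "alice", "Calling-Station-Id": "AA-BB-CC-11-22-33",
                         "Called-Station-Id": "00-11-22-33-44-50:corp-wifi"})
    released = table.accounting({"Acct-Status-Type": "Stop",
                                 "Calling-Station-Id": "aa-bb-cc-11-22-33",
                                 "Called-Station-Id": acct_called_station_id})
    return released, len(table.active)   # (stop matched?, licenses still consumed)
```

With the "IP Address" accounting setting the Stop carries the WLC address, so `simulate("192.0.2.10")` leaves one license consumed, while `simulate("00-11-22-33-44-50:corp-wifi")` releases it.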


13 Replies

Francesco Molino
VIP Alumni

Hi

 

An active license is held for a session for which an accounting stop hasn't been received.

Also, after 5 days Cisco ISE purges licenses for all sessions where there was communication.

 

Here you're saying that you have only 50 active endpoints but 380 licenses consumed. 

If you go on live sessions on ISE, how many sessions do you see active?

 

I had something weird with ISE 2.3 at the beginning, and after a restart of services everything went back to normal. Have you tried that?

 

Paste some ISE outputs (license count and live sessions). 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


Very helpful, thank you!

 

Will

Helped us too!!

Hi Anton,


We have this same issue on our distributed-mode ISE nodes.

Just wondering how you could manually purge the active sessions from the primary and secondary MnT nodes?

I tried the curl command but it did not seem to work. 

curl -k -X DELETE https://MNT-IP/mnt/Session/Delete/All

Do I need to reload all the nodes, i.e. the MnT and PAN nodes?

 

Many thanks,

 

Edward

Ok, it was fixed by using the version 2 API instead; it is different from version 1.x, and then it works. After that I still needed to reboot both admin nodes.

 

curl -k -X DELETE https://username:password@<mntnode>/admin/API/mnt/Session/Delete/All

We are experiencing the same problem with ISE 2.3. Can it be an issue when both the auth called station ID and acct called station ID are set to use the IP address of WLC? Please confirm.

Hey 

 

I believe it can be an issue. 
I cannot confirm this; however, setting them to the IP address of the WLC doesn't make much sense to me. 

We stumbled across the same issue.

Thanks for your detailed analysis and solution.

 

Changing the acct called station id is not a big deal, but purging the database plus reloads is not possible for us.

 

Is it correct that instead of purging you can also just wait 5 days to get the same effect, since the used licenses will time out anyway?

 

 

 

Hi Samuel, 

 

You are welcome. 

I cannot confirm that unfortunately; please refer to the official documentation.
2.3 is no longer a current version; the behaviour might have changed in the next releases. 

 

Thanks

Regards,

Anton.

Hi Anton

 

Thanks for the reply. I forgot to mention that our customer runs 2.4; I just hooked onto this thread because our customer had the same issue. As far as I can tell this is related to a misconfiguration, not a bug in the ISE software version.

 

We implemented the steps above and reloaded ISE; the license count immediately dropped and remained at the level of active sessions.  

 

 


We are still facing this issue with ISE 2.3. We made some changes and worked with support to reset the database; the active connections came down and stayed low, but they slowly came back up over the last 6 months. So you will have to monitor the system for at least 3 months to know if it actually fixed it.

That's correct, the problem came back even on the latest patch of 2.3 in our environment as well.
I also worked with support to resolve this problem, but we never did. I got the following bug ID though: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo64043
