Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2422
Views
0
Helpful
2
Replies

ISE 2.2: Accounting Interim Update Reports

david.wisnoski
Level 1
Level 1

‎07-31-2017 08:55 AM

ISE was not displaying Accounting Interim Update Reports until ISE Version 2.2.

I upgraded to to ISE version 2.2 and have found that optional RFC 2866 RADIUS Accounting Framed-IP-Address(8) RADIUS Attribute is required for displaying Accounting Interim Update Reports.

This observation was found by looking at the collector and report DEBUG logs in detail, I stumbled across a tuple entry, SessionStateContext, consisting of {Cisco-AVPair(1): audit-session-id, Calling-Station-Id(31), Framed-IP-Address(8)}…

2017-07-20 13:48:47,966 DEBUG [AcsSyslog store] cisco.mnt.collection.session.SessionStateContext: ACCTStart:Session found due to AuditSessionID

2017-07-20 13:48:47,966 DEBUG [AcsSyslog store] cisco.mnt.collection.session.SessionStateContext: ACCTStart:Session found due to CallingStationID

2017-07-20 13:48:47,966 DEBUG [AcsSyslog store] cisco.mnt.collection.session.SessionStateContext: ACCTStart:Session found due to FramedIPAddress

I would like to know if Framed-IP-Address(8) is a required RADIUS attribute in Accounting Interim Update Requests so that ISE will properly display Accounting Interim Update Reports.

0 Helpful
2 Replies 2

marco.merlo
Level 1
Level 1

‎03-15-2018 03:22 AM

Hi,

Indeed because of this bug

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve85449

my ISE 2.3 patch 1 deployment sometimes is not showing interim update in reports .

I did some tests both with and without Framed-IP-Address attribute .

+For a user that has been authenticated with eap interim updates without Framed-Ip-Address are not shown, the ones with Framed-Ip-Adress are shown

+For an end point authenticated with MAB interim-updates are never shown even if contain  Framed-Ip-Adress Attribute

+For guest users interim-updates with   Framed-Ip-Adress Attribute are shown

Regards

M

0 Helpful

Garry Cross
Level 1
Level 1
In response to marco.merlo

‎09-24-2018 06:21 AM

Interesting that my observations on Accounting reports is somewhat different. I haven't had the time to investigate in detail the packets to see what AV pairs are present. Observing the reports that I get, I have observed that MAB interim accounting updates are reported and dot1x are not. These are coming from a 3850 switch on 16.9.1. device tracking is enabled. We have also in the test environment a 3750x in which case I don't get any reporting from it. I have not seen the packet capture from that switch. Our ISE environment is 2.3 with patch 4.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents