
AAA Accounting Update

What exactly are we enabling when running the command (as an example)-

 

aaa accounting update periodic 3

 

Online it is stated -

 

"When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent."

 

If we think in terms of TACACS for device access/administration, does this imply that accounting records are stored locally on the device then sent to the accounting server every 5 minutes?

 

Also - for the argument newinfo - does this imply that as soon as a record is created, it is sent immediately to my accounting server?


Re: AAA Accounting Update

I don’t know if this will help you but related to Cisco ISE:

Interim RADIUS accounting messages are sent to ISE to notify that the sessions are still intact.

When ISE fails to receive a RADIUS accounting message for a prolonged period for a given endpoint, ISE removes that session from its session table. ISE does not remove the endpoint from the switch, which creates a disconnect between the switch and ISE in terms of which sessions are active. This disconnect can also have an impact when the endpoint access needs to be reevaluated for any reason.

 

By default, ISE flushes out any authenticated session that has had no interim RADIUS accounting messages for 5 days. By sending the periodic RADIUS accounting message to the ISE node at intervals of less than 5 days, the switch ensures that the sessions are maintained on the ISE.

For example, if you set the periodic update to 2880 (aaa accounting update newinfo periodic 2880), then every 2 days a new interim accounting update will be sent to ISE, providing two updates within 5 days in case one of the RADIUS accounting packets fails to reach the ISE node.

 

Now, on the question of whether the switch locally stores accounting info, I think yes, because in the case of 802.1X and MAB there are live sessions maintained in the switch which keep track of the accounting session ID plus the probes that the switch collected regarding the endpoints through LLDP, DHCP, CDP or Device Sensor (I might be wrong - it is just an opinion).

 

Here is a sample debug of a RADIUS interim accounting update:

===============================================================================================================================
This is Radius Interim Accounting packet (Watchdog Packet) for session ID 0AF0021300002C3EDF42F9EC for port GigabitEthernet1/0/23
==================================================================================================================================
Jul 14 01:00:19: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Jul 14 01:00:19: RADIUS(00000000): Config NAS IP: 10.10.2.50
Jul 14 01:00:19: RADIUS(00000000): Config NAS IPv6: ::
Jul 14 01:00:19: RADIUS(00000000): sending
Jul 14 01:00:19: RADIUS(00000000): Send Accounting-Request to 11.11.11.1:1813 onvrf(0) id 1646/147, len 726
Jul 14 01:00:19: RADIUS:  authenticator BD AA DF A3 79 8F A4 39 - EB DB 2A 3E E2 AB 6A 01
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  21 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   15  "lldp-tlv=    "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  26 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   20  "lldp-tlv=         "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  44 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   38  "lldp-tlv=                           "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  25 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   19  "lldp-tlv=        "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  30 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   24  "lldp-tlv=             "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  23 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   17  "lldp-tlv=      "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  28 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   22  "lldp-tlv=           "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  27 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   21  "lldp-tlv=          "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  24 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   18  "dhcp-option=    "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  24 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   18  "dhcp-option=    "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  37 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   31  "dhcp-option=                 "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  26 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   20  "dhcp-option=      "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  35 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   29  "dhcp-option=               "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  33 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   27  "dhcp-option=             "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  25 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   19  "dhcp-option=     "
Jul 14 01:00:19: RADIUS:  Framed-IP-Address   [8]   6   10.24.88.31             
Jul 14 01:00:19: RADIUS:  User-Name           [1]   19  "24-D9-21-3A-C9-80"
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  49 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AF0021300002C3EDF42F9EC"
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  18 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Jul 14 01:00:19: RADIUS:  Called-Station-Id   [30]  19  "18-E7-28-41-EB-17"
Jul 14 01:00:19: RADIUS:  Calling-Station-Id  [31]  19  "24-D9-21-3A-C9-80"
Jul 14 01:00:19: RADIUS:  NAS-IP-Address      [4]   6   10.10.2.50              
Jul 14 01:00:19: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/23"
Jul 14 01:00:19: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Jul 14 01:00:19: RADIUS:  NAS-Port            [5]   6   50123                    
Jul 14 01:00:19: RADIUS:  Acct-Session-Id     [44]  10  "0000B8BD"
Jul 14 01:00:19: RADIUS:  Class               [25]  55 
Jul 14 01:00:19: RADIUS:   43 41 43 53 3A 30 41 46 30 30 32 31 33 30 30 30  [CACS:0AF00213000]
Jul 14 01:00:19: RADIUS:   30 32 43 33 45 44 46 34 32 46 39 45 43 3A 6E 61  [02C3EDF42F9EC:na]
Jul 14 01:00:19: RADIUS:   63 30 31 2F 32 38 39 30 33 39 38 30 38 2F 39 30  [c01/289039808/90]
Jul 14 01:00:19: RADIUS:   36 32 32 37 38             [ 62278]
Jul 14 01:00:19: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
Jul 14 01:00:19: RADIUS:  Event-Timestamp     [55]  6   1499979619               
Jul 14 01:00:19: RADIUS:  Acct-Input-Octets   [42]  6   27811067                 
Jul 14 01:00:19: RADIUS:  Acct-Output-Octets  [43]  6   28218116                 
Jul 14 01:00:19: RADIUS:  Acct-Input-Packets  [47]  6   125744                   
Jul 14 01:00:19: RADIUS:  Acct-Output-Packets [48]  6   125555                   
Jul 14 01:00:19: RADIUS:  Acct-Delay-Time     [41]  6   0                        
Jul 14 01:00:19: RADIUS(00000000): Sending a IPv4 Radius Packet
Jul 14 01:00:19: RADIUS(00000000): Started 10 sec timeout
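
An added example, not part of the reply above: a small parser for RADIUS debug output in the format shown, which pulls out the session identifiers and keeps only the interim (Watchdog) accounting records, the ones you would match against the ISE session table. The sample lines are abridged from the debug output in the post; the function names are this example's own.

```python
import re

# Abridged from the debug output in the post above (same format, fewer attributes).
SAMPLE = """\
Jul 14 01:00:19: RADIUS(00000000): Send Accounting-Request to 11.11.11.1:1813 onvrf(0) id 1646/147, len 726
Jul 14 01:00:19: RADIUS:  User-Name           [1]   19  "24-D9-21-3A-C9-80"
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  49
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AF0021300002C3EDF42F9EC"
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  18
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Jul 14 01:00:19: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/23"
Jul 14 01:00:19: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
Jul 14 01:00:19: RADIUS(00000000): Sending a IPv4 Radius Packet
"""

SEND = re.compile(r"RADIUS\(\w+\): Send (\S+) to (\S+?):(\d+)")
ATTR = re.compile(r"RADIUS:\s+(.+?)\s+\[(\d+)\]\s+(\d+)\s*(.*)$")

def parse_packets(text):
    """Split debug output into packets; each is a dict of attribute -> value."""
    packets, cur = [], None
    for line in text.splitlines():
        m = SEND.search(line)
        if m:
            cur = {"code": m.group(1), "server": m.group(2), "avpairs": {}}
            packets.append(cur)
            continue
        m = ATTR.search(line)
        if not m or cur is None:
            continue
        name, value = m.group(1), m.group(4).strip()
        # Enumerated values print as "Watchdog   [3]"; drop the numeric suffix.
        value = re.sub(r"\s+\[\d+\]$", "", value).strip('"')
        if name == "Cisco AVpair" and "=" in value:
            key, _, val = value.partition("=")
            cur["avpairs"][key] = val.strip()
        elif name != "Vendor, Cisco":
            cur[name] = value
    return packets

def interim_updates(packets):
    """Keep only interim accounting records (shown as Watchdog in the debug)."""
    return [p for p in packets
            if p["code"] == "Accounting-Request" and p.get("Acct-Status-Type") == "Watchdog"]

if __name__ == "__main__":
    for p in interim_updates(parse_packets(SAMPLE)):
        print(p["avpairs"].get("audit-session-id"), p.get("NAS-Port-Id"), p["server"])
```
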


Re: AAA Accounting Update

Thank you for your useful reply.

May I conclude that 

 

aaa accounting update newinfo periodic 1440

 

command will send an accounting interim-update once a day and an accounting update each time newinfo is triggered in spite of the configured timer?

 

Actually I need to manage regular users and computers that are re-authenticated once every 10 hours and other devices that are never re-authenticated (session timeout = 0).

 

Regards

MM


Re: AAA Accounting Update

Yes, that is exactly what the command does. Keep in mind that if you are using a load balancer then you also want your persistence value set slightly higher than the interim accounting interval. Cisco has started recommending 2880 minutes in most configuration examples but other values are still valid.

Re: AAA Accounting Update

Great Damien,
thank you very much for the persistence hint!
MM

Re: AAA Accounting Update

From a switch-

 

SW1(config)#aaa account update ?
newinfo Only send accounting update records when we have new acct info.

 

Is there something I am missing? It would appear that using the newinfo keyword specifically does NOT send accounting records unless there is an update. This is particularly relevant for ISE.


Re: AAA Accounting Update

You are right but 

newinfo + periodic

on the same line will send both periodic updates and triggered ones.

Regards

MM
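
An added example, not written by any poster in this thread: a check of the aaa accounting update line against the three points raised above, namely the 5-day ISE session flush, two updates per flush window, and load balancer persistence set above the interim interval. The function names, the findings text and the sample values are assumptions made for this example.

```python
import re

ISE_PURGE_MINUTES = 5 * 24 * 60   # 5-day ISE session flush described in the thread

def parse_update(config):
    """Return (newinfo, periodic_minutes) from 'aaa accounting update' lines."""
    newinfo, periodic = False, None
    for line in config.splitlines():
        m = re.match(r"\s*aaa accounting update\b(.*)", line)
        if not m:
            continue
        words = m.group(1).split()
        newinfo = newinfo or "newinfo" in words
        if "periodic" in words:
            idx = words.index("periodic")
            if idx + 1 < len(words) and words[idx + 1].isdigit():
                periodic = int(words[idx + 1])
    return newinfo, periodic

def audit(config, lb_persistence_minutes=None):
    """List findings for the interim-accounting settings discussed in the thread."""
    newinfo, periodic = parse_update(config)
    findings = []
    if periodic is None:
        findings.append("no periodic interim updates: idle sessions send nothing "
                        "and can age out of the ISE session table")
    else:
        # Two updates per purge window tolerate one lost accounting packet.
        if periodic * 2 > ISE_PURGE_MINUTES:
            findings.append(f"periodic {periodic} gives fewer than two updates "
                            f"per {ISE_PURGE_MINUTES}-minute purge window")
        if lb_persistence_minutes is not None and lb_persistence_minutes <= periodic:
            findings.append(f"load balancer persistence {lb_persistence_minutes} min "
                            f"is not above the interim interval {periodic} min")
    if not newinfo:
        findings.append("newinfo not set: changes are reported only at the next "
                        "periodic update")
    return findings

if __name__ == "__main__":
    # Constructed config line and load balancer value, for illustration only.
    for f in audit("aaa accounting update periodic 5000", lb_persistence_minutes=2880):
        print("-", f)
```
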