AAA Accounting Update

GRANT3779

What exactly are we enabling when running the command (as an example):

aaa accounting update periodic 3

Online it is stated:

"When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent."

If we think in terms of TACACS for device access/administration, does this imply that accounting records are stored locally on the device and then sent to the accounting server every 5 minutes?

Also, for the argument newinfo: does this imply that as soon as a record is created, it is sent immediately to my accounting server?

8 Replies

I don't know if this will help you, but related to Cisco ISE:

Interim RADIUS accounting messages are sent to ISE to notify that the sessions are still intact.

When ISE fails to receive a RADIUS accounting message for a prolonged period for a given endpoint, ISE removes that session from its session table. ISE does not remove the endpoint from the switch, which creates disconnect between the switch and ISE in terms of which sessions are active. This disconnect can also impact when the endpoint access needs to be reevaluated for any reason.

By default, ISE flushes out any sessions without interim RADIUS accounting messages for 5 days for any authenticated sessions. By sending the periodic RADIUS accounting message to the ISE node in less than 5 days, the switch ensures that the sessions are maintained on ISE.

For example, if you set the periodic update to be 2880 (aaa accounting update newinfo periodic 2880), then every 2 days there will be a new interim accounting update sent to ISE, providing two updates within 5 days in case one of the RADIUS accounting packets fails to reach the ISE node.

Now the question about whether the switch locally stores accounting info: I think yes, because in the case of 802.1X and MAB there are live sessions maintained in the switch which keep track of the accounting session ID plus the probes that the switch collected regarding the endpoints through LLDP, DHCP, CDP or Device Sensor (I might be wrong, it is just an opinion).

Here is a sample debug of a RADIUS interim accounting update:

===============================================================================================================================
This is Radius Interim Accounting packet (Watchdog Packet) for session ID 0AF0021300002C3EDF42F9EC for port GigabitEthernet1/0/23
==================================================================================================================================
Jul 14 01:00:19: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Jul 14 01:00:19: RADIUS(00000000): Config NAS IP: 10.10.2.50
Jul 14 01:00:19: RADIUS(00000000): Config NAS IPv6: ::
Jul 14 01:00:19: RADIUS(00000000): sending
Jul 14 01:00:19: RADIUS(00000000): Send Accounting-Request to 11.11.11.1:1813 onvrf(0) id 1646/147, len 726
Jul 14 01:00:19: RADIUS:  authenticator BD AA DF A3 79 8F A4 39 - EB DB 2A 3E E2 AB 6A 01
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  21 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   15  "lldp-tlv=    "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  26 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   20  "lldp-tlv=         "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  44 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   38  "lldp-tlv=                           "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  25 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   19  "lldp-tlv=        "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  30 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   24  "lldp-tlv=             "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  23 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   17  "lldp-tlv=      "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  28 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   22  "lldp-tlv=           "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  27 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   21  "lldp-tlv=          "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  24 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   18  "dhcp-option=    "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  24 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   18  "dhcp-option=    "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  37 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   31  "dhcp-option=                 "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  26 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   20  "dhcp-option=      "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  35 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   29  "dhcp-option=               "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  33 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   27  "dhcp-option=             "
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  25 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   19  "dhcp-option=     "
Jul 14 01:00:19: RADIUS:  Framed-IP-Address   [8]   6   10.24.88.31             
Jul 14 01:00:19: RADIUS:  User-Name           [1]   19  "24-D9-21-3A-C9-80"
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  49 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AF0021300002C3EDF42F9EC"
Jul 14 01:00:19: RADIUS:  Vendor, Cisco       [26]  18 
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Jul 14 01:00:19: RADIUS:  Called-Station-Id   [30]  19  "18-E7-28-41-EB-17"
Jul 14 01:00:19: RADIUS:  Calling-Station-Id  [31]  19  "24-D9-21-3A-C9-80"
Jul 14 01:00:19: RADIUS:  NAS-IP-Address      [4]   6   10.10.2.50              
Jul 14 01:00:19: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/23"
Jul 14 01:00:19: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Jul 14 01:00:19: RADIUS:  NAS-Port            [5]   6   50123                    
Jul 14 01:00:19: RADIUS:  Acct-Session-Id     [44]  10  "0000B8BD"
Jul 14 01:00:19: RADIUS:  Class               [25]  55 
Jul 14 01:00:19: RADIUS:   43 41 43 53 3A 30 41 46 30 30 32 31 33 30 30 30  [CACS:0AF00213000]
Jul 14 01:00:19: RADIUS:   30 32 43 33 45 44 46 34 32 46 39 45 43 3A 6E 61  [02C3EDF42F9EC:na]
Jul 14 01:00:19: RADIUS:   63 30 31 2F 32 38 39 30 33 39 38 30 38 2F 39 30  [c01/289039808/90]
Jul 14 01:00:19: RADIUS:   36 32 32 37 38             [ 62278]
Jul 14 01:00:19: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
Jul 14 01:00:19: RADIUS:  Event-Timestamp     [55]  6   1499979619               
Jul 14 01:00:19: RADIUS:  Acct-Input-Octets   [42]  6   27811067                 
Jul 14 01:00:19: RADIUS:  Acct-Output-Octets  [43]  6   28218116                 
Jul 14 01:00:19: RADIUS:  Acct-Input-Packets  [47]  6   125744                   
Jul 14 01:00:19: RADIUS:  Acct-Output-Packets [48]  6   125555                   
Jul 14 01:00:19: RADIUS:  Acct-Delay-Time     [41]  6   0                        
Jul 14 01:00:19: RADIUS(00000000): Sending a IPv4 Radius Packet
Jul 14 01:00:19: RADIUS(00000000): Started 10 sec timeout
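Two things the reply above reasons about, as an added example (not code from the thread or from Cisco): pulling the key fields out of an IOS "debug radius" interim (Watchdog) record, and checking a periodic interval against ISE's 5-day purge window and a load-balancer persistence timeout. The DEBUG sample is a constructed subset of the lines above; the 5-day window and the "persistence above the interval" rule are taken from the thread.

```python
import re

# Constructed sample: a handful of the attribute lines from the debug above.
DEBUG = """\
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AF0021300002C3EDF42F9EC"
Jul 14 01:00:19: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Jul 14 01:00:19: RADIUS:  Calling-Station-Id  [31]  19  "24-D9-21-3A-C9-80"
Jul 14 01:00:19: RADIUS:  NAS-Port-Id         [87]  23  "GigabitEthernet1/0/23"
Jul 14 01:00:19: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
Jul 14 01:00:19: RADIUS:  Event-Timestamp     [55]  6   1499979619
Jul 14 01:00:19: RADIUS:  Acct-Input-Octets   [42]  6   27811067
Jul 14 01:00:19: RADIUS:  Acct-Output-Octets  [43]  6   28218116
"""

# Attribute line shape: "RADIUS:  <name>  [<type>]  <len>  <value>"
ATTR_RE = re.compile(r'RADIUS:\s+(Cisco AVpair|[\w-]+)\s+\[\d+\]\s+\d+\s+(.*)$')

def parse_accounting_debug(text):
    """Map attribute names to values; Cisco AVpairs ("key=value") are keyed
    by their own key, and enumerated values keep the word, not the "[3]"."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip().strip('"')
        if name == 'Cisco AVpair' and '=' in value:
            name, _, value = value.partition('=')
        else:
            value = value.split()[0] if value else ''
        attrs[name] = value
    return attrs

def watchdog_summary(text):
    """The fields an analyst wants from one interim (Watchdog) record."""
    a = parse_accounting_debug(text)
    return {'session': a['audit-session-id'], 'type': a['Acct-Status-Type'],
            'mac': a['Calling-Station-Id'], 'port': a['NAS-Port-Id'],
            'method': a['method'], 'event_time': int(a['Event-Timestamp']),
            'octets': int(a['Acct-Input-Octets']) + int(a['Acct-Output-Octets'])}

ISE_PURGE_DAYS = 5  # ISE drops sessions that go this long with no interim update

def check_interim_interval(periodic_minutes, lb_persistence_seconds=None):
    """Updates that land inside the purge window, whether one lost packet is
    tolerated, and whether load-balancer persistence outlives the interval."""
    window = ISE_PURGE_DAYS * 24 * 60
    n = window // periodic_minutes
    result = {'updates_in_window': n, 'survives_one_lost_packet': n >= 2}
    if lb_persistence_seconds is not None:
        result['persistence_ok'] = lb_persistence_seconds > periodic_minutes * 60
    return result
```

Running check_interim_interval(2880) reproduces the "two updates within 5 days" reasoning, and passing the later post's 3600-second F5 sticky value shows it does not outlast a 2880-minute interval.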

Thank you for your useful reply.

May I conclude that

aaa accounting update newinfo periodic 1440

will send an accounting interim-update once a day and an accounting update each time newinfo is triggered, regardless of the configured timer?

Actually I need to manage regular users and computers that are re-authenticated once every 10 hours and other devices that are never re-authenticated (session timeout = 0).

 

Regards

MM

Yes, that is exactly what the command does. Keep in mind that if you are using a load balancer then you also want your persistence value set slightly higher than the interim accounting interval. Cisco has started recommending 2880 minutes in most configuration examples but other values are still valid.

Great, Damien,
thank you very much for the persistence hint!
MM

From a switch:

SW1(config)#aaa account update ?
newinfo Only send accounting update records when we have new acct info.

Is there something I am missing? It would appear that using the newinfo keyword specifically does NOT send accounting records unless there is an update. This is particularly relevant for ISE.

You are right, but

newinfo + periodic

on the same line will send both periodic updates and triggered ones.

Regards

MM

Hi Damien,

Based on your experience, what would be the recommended value for a CWA wireless guest SSID network? I am using Meraki and ISE as RADIUS and am looking for the best customized value. Thanks.

Hi Damien,

When we deployed F5 and ISE PSNs, we used the documentation provided by Cisco, where the values were:

Source address – 180s

https_sticky – 3600s

radius_sticky – 3600s

Meraki Wireless default settings are configured as 10 minutes for interim accounting updates, and I think it is too aggressive because our ISE deployment is getting hit by thousands of records every 10 minutes. In fact, the Cisco ISE BU suggested completely removing those updates and just relying on session timeout. I am wondering if I should adjust those F5 persistence values to something higher and then adjust the accounting interim updates accordingly, as you suggested.
