Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
880
Views
15
Helpful
4
Replies

How does LiveSession tab work?

alyautdinov
Level 1
Level 1

‎02-25-2019 06:57 AM

Hello Team,

Please explain me how does LiveSession tab work?

We haven't seen existing session in this tab. But we see it in LiveLog. After re-login the session is appear again.

Some sessions have been holding in table for two or more weeks. But some sessions have cleared after a few hours.

Is it normal behaviour?

0 Helpful
4 Replies 4

Mike.Cifelli
VIP Alumni
VIP Alumni

‎02-26-2019 10:40 AM

Not sure I fully understand your question. However, here is some information that may help:
There are ways to purge endpoints in ISE. You can purge immediately, or you can configure a specific number of days when to purge items. To setup endpoint purge:
Administration->Identity Management->Settings->Endpoint Purge
Configure rules to match certain endpoint groups & select another condition such as ElapsedDays greater than XX number of days

You can configure in ISE how long to keep local logs:
To configure local log settings:
Administration->System->Logging->Local Log Settings->Set your days

The radius live sessions is a tab that will show you detailed information on all of your radius sessions. Information will/should include things such as endpoint id, session status, profile, authentication protocol, etc. You can filter the view. From this tab you can also issue CoA actions that include session termination OR session reauthentication.

HTH!


Rahul Govindan
VIP Alumni
VIP Alumni

‎02-26-2019 11:17 AM

ISE populates its Live session database from Radius Accounting Start and Stop messages. So once your network device sends the Accounting start message, it will populate shortly on the Live session tab. 

 

You could be seeing sessions that are present for longer if the network device does not send the Accounting stop message. Also, devices can send Interim Accounting messages to keep the session active. If the ISE does not receive any Interim accounting message from the network device for 5 days, it clears the session from the database. 

 

ISE 2.4 has had some issues with Live sessions populating correctly. Bug below:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk48315/?rfs=iqvred

alyautdinov
Level 1
Level 1
In response to Rahul Govindan

‎02-26-2019 10:48 PM

Thanks Rahul,

 

As I understood, a session in LiveSession will remove from table if Acct-Stop was sended or timeout for 5 days. Can we tune this timeout or no? And after what time NAD has send Acct-Stop command?

0 Helpful

Damien Miller
VIP Alumni
VIP Alumni
In response to alyautdinov

‎03-04-2019 07:10 PM

No, this 5 day timeout is hard coded in ISE. The NAD will send an accounting stop, assuming it is configured to send accounting updates, when the authentication session is removed. ex. The port status goes down/down when an endpoint disconnects.

There are times where the session may remain active, an example of this could be when an endpoint was connected to a phone or transparent switch. The session remains active in sh auth session, even after the endpoint is unplugged. In this cases you can leverage timers to get a more timely resolution.
0 Helpful
Customers Also Viewed These Support Documents