ISE keeps aaa session in authenticated state while NAD has already closed

smartcare.de
Level 1

Hi, 

We are facing a strange behaviour with an ISE installation: 

We have a wireless CWA configuration and when for any circumstances the client is redirected to the login page and abandons the session or even only disconnects, the WLC correctly terminates the session but ISE still keeps the session in its table in the state "authenticated". We have to manually terminate the session on ISE for redirect to work again. On WLC the client session is no longer present. 

The WLC is a 5520 running 8.3MR1 and is in an anchor-foreign installation. Accounting is set to ISE servers and enabled on foreign only and the SSID is set to default session timeout value (1800s). ISE is running on 2.1 patch 1. CWA policy checks for SSID and if MAB was used, no session timeout from RADIUS server set, so I assume default timers here. 

Can someone explain this behaviour? I would expect the WLC to update the ISE on clients that have closed their connection and therefore the session was cleared on WLC so the ISE could also clear the session. 

Best regards

1 Reply

yalbikaw
Cisco Employee

Hello,

I would like first to check the compatibility between ISE and WLC:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/compatibility/ise_sdt.html#24274

Try to double-check if the WLC sends the RADIUS accounting message after the user logs out; we can do packet captures for this:

From the ISE web page, go to Operation > Troubleshooting > Diagnostic Tools > TCP Dump.

I will be waiting for your update.
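
The check suggested in the reply, as an added Python example that is not part of the original thread and is not Cisco tooling: it parses RADIUS accounting payloads and lists sessions that sent a Start or Interim-Update but never a Stop. It assumes the UDP payloads have already been extracted from the TCP dump capture as raw bytes; the function names and the sample packets are constructed for illustration.

```python
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS packet code (RFC 2866)
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
START, STOP, INTERIM = 1, 2, 3              # Acct-Status-Type values

def parse_radius(payload: bytes):
    """Return (code, {attr_type: value}) for one RADIUS UDP payload."""
    length = struct.unpack("!H", payload[2:4])[0] if len(payload) >= 20 else 0
    if not 20 <= length <= len(payload):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos = {}, 20                     # skip header + 16-byte authenticator
    while pos < length:
        alen = payload[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[payload[pos]] = payload[pos + 2:pos + alen]
        pos += alen
    return payload[0], attrs

def sessions_without_stop(payloads):
    """Map Acct-Session-Id -> Calling-Station-Id for sessions never stopped."""
    open_sessions = {}
    for payload in payloads:
        code, attrs = parse_radius(payload)
        status_raw = attrs.get(ACCT_STATUS_TYPE, b"")
        if code != ACCOUNTING_REQUEST or len(status_raw) != 4:
            continue                        # not an accounting record we can use
        status = struct.unpack("!I", status_raw)[0]
        sid = attrs.get(ACCT_SESSION_ID, b"").decode(errors="replace")
        mac = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
        if status == STOP:
            open_sessions.pop(sid, None)
        elif status in (START, INTERIM):
            open_sessions[sid] = mac
    return open_sessions

def build_sample(status, session_id, mac):
    """Constructed Accounting-Request with a zeroed authenticator (test data)."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in (
        (ACCT_STATUS_TYPE, struct.pack("!I", status)),
        (ACCT_SESSION_ID, session_id.encode()),
        (CALLING_STATION_ID, mac.encode())))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed capture: client A starts and stops, client B starts and vanishes.
SAMPLE = [build_sample(START, "sess-A", "00-11-22-33-44-55"),
          build_sample(START, "sess-B", "66-77-88-99-aa-bb"),
          build_sample(STOP, "sess-A", "00-11-22-33-44-55")]
```

A session that appears in the result for a client the WLC no longer lists points at a missing Accounting Stop as the reason ISE still holds the session.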
