
ISE keeps aaa session in authenticated state while NAD has already closed

Hi, 

We are facing a strange behaviour with an ISE installation: 

We have a wireless CWA configuration and when for any circumstances the client is redirected to the login page and abandons the session or even only disconnects, the WLC correctly terminates the session but ISE still keeps the session in its table in the state "authenticated". We have to manually terminate the session on ISE for redirect to work again. On WLC the client session is no longer present. 

The WLC is a 5520 running 8.3MR1 and is in an anchor-foreign installation. Accounting is set to ISE servers and enabled on foreign only and the SSID is set to default session timeout value (1800s). ISE is running on 2.1 patch 1. CWA policy checks for SSID and if MAB was used, no session timeout from RADIUS server set, so I assume default timers here. 

Can someone explain this behaviour? I would expect the WLC to update the ISE on clients that have closed their connection and therefore the session was cleared on WLC so the ISE could also clear the session. 

Best regards

1 REPLY 1
Cisco Employee

Hello,

I would like first to check the compatibility between ISE and WLC:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/compatibility/ise_sdt.html#24274

Try to double-check whether the WLC sends the RADIUS accounting message after the user logs out; we can do packet captures for this:

From the ISE web page, go to Operation > Troubleshooting > Diagnostic Tools > TCP Dump.

I will be waiting for your update.
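
An added example (not part of the original thread and not a Cisco tool) of the check suggested in the reply: given the UDP payloads of RADIUS accounting packets from a capture, it lists the sessions that received a Start or Interim-Update but never a Stop. The sample packets are constructed, extracting the payloads from the capture file is assumed to happen elsewhere, and the request authenticator is not verified.

```python
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS packet code (RFC 2866)
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
START, STOP, INTERIM = 1, 2, 3              # Acct-Status-Type values

def parse_accounting(payload):
    """Return (session_id, client_mac, status) or None if not a valid Accounting-Request."""
    if len(payload) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(payload):
        return None
    attrs, pos = {}, 20                     # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None                     # malformed attribute: reject, do not guess
        attrs.setdefault(a_type, payload[pos + 2:pos + a_len])
        pos += a_len
    raw = attrs.get(ACCT_STATUS_TYPE, b"")
    if len(raw) != 4:
        return None
    sid = attrs.get(ACCT_SESSION_ID, b"").decode("ascii", "replace")
    mac = attrs.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
    return sid, mac, struct.unpack("!I", raw)[0]

def sessions_without_stop(payloads):
    """Map session id -> client MAC for sessions seen in accounting but never stopped."""
    still_open = {}
    for rec in filter(None, map(parse_accounting, payloads)):
        sid, mac, status = rec
        if status == STOP:
            still_open.pop(sid, None)
        elif status in (START, INTERIM):
            still_open[sid] = mac
    return still_open

def build_sample(sid, mac, status):
    """Constructed Accounting-Request (zeroed authenticator), not a real capture."""
    tlvs = ((ACCT_STATUS_TYPE, struct.pack("!I", status)),
            (ACCT_SESSION_ID, sid.encode()), (CALLING_STATION_ID, mac.encode()))
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in tlvs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs

SAMPLE = [build_sample("s1", "aa-bb-cc-00-00-01", START),   # client 1 connects
          build_sample("s2", "aa-bb-cc-00-00-02", START),   # client 2 connects
          build_sample("s1", "aa-bb-cc-00-00-01", STOP)]    # only client 1 gets a Stop
```

A session id returned by `sessions_without_stop` for a client that the WLC no longer lists is the case described in the question: the NAD dropped the client without an Accounting-Stop reaching ISE.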