No ISE licenses consumed for active telnet sessions to NAC switches?

Mar 31st, 2014

Our ISE does not consume any licenses when we log in (telnet/ssh) to our NAC switches.

The switches are set up with aaa accounting start/stop config.

Is that normal behavior, or have we missed any special aaa accounting config?

According to a TCP dump at the ISE, start/stop RADIUS accounting messages are received at the ISE server.

Naveen Kumar Sun, 04/06/2014 - 22:09

Are you using the same username and password that are in the ISE local database or the referred database (AD, LDAP)?

Saurav Lodh Thu, 04/10/2014 - 00:59

If ISE has any rule-based / simple authentication policy for the user, then a license should be consumed here.

r.westman Thu, 04/10/2014 - 01:20

Thanks for your input!

Yes, the user is in a referred AD database. We use an Authentication policy where we match on NAS-Port-Type=Virtual.

We currently use the following accounting configuration:

aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius

Tarik Admani Fri, 04/11/2014 - 23:24
I have also seen this before. I will need to double check in the lab, but I don't think the counter will increment because there is not any AAA session ID to track that session with. Also, with the service type set to login, that might be why the counter may not increment.
