No ISE licenses consumed for active telnet sessions to NAC switches?

r.westman
Level 1

Our ISE does not consume any licenses when we log in (telnet/ssh) to our NAC switches.

The switches are set up with aaa accounting start/stop config.

Is that a normal behavior or have we missed any special aaa accounting config?

According to a TCP dump at the ISE, start/stop RADIUS accounting messages are received at the ISE server.

5 Replies

Naveen Kumar
Level 4

Are you using the same username and password which are in the ISE local database or the referred database (AD, LDAP)?

If ISE has any rule-based / simple authentication policy for the user, then a license should be consumed here.

Thanks for your input!

Yes, the user is in a referred AD database. We use an Authentication policy where we match on NAS-Port-Type=Virtual.

We currently use the following accounting configuration:

aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius

I have also seen this before. I will need to double check in the lab, but I don't think the counter will increment because there is not any aaa session id to track that session with. Also, with the service type set to login, that might be why the counter may not increment.
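An added example, not part of the original thread and not Cisco code: one way to check what the accounting records captured at the ISE actually carry is to decode each Accounting-Request payload and report its Acct-Status-Type, Service-Type, NAS-Port-Type and whether an Acct-Session-Id is present. The function names and the sample packet (user admin1, session id 00000A1B, zeroed authenticator) are constructed for illustration; the attribute numbers are the standard ones from RFC 2865 and RFC 2866.

```python
import struct

# Attribute numbers and values from RFC 2865 / RFC 2866.
NAMES = {1: "User-Name", 6: "Service-Type", 40: "Acct-Status-Type",
         44: "Acct-Session-Id", 61: "NAS-Port-Type"}
ENUMS = {6: {1: "Login", 2: "Framed"},
         40: {1: "Start", 2: "Stop", 3: "Interim-Update"},
         61: {5: "Virtual", 15: "Ethernet"}}

def parse_accounting(packet: bytes) -> dict:
    """Decode the attributes above from one RADIUS Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the payload")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype in ENUMS and len(value) == 4:
            num = int.from_bytes(value, "big")
            attrs[NAMES[atype]] = ENUMS[atype].get(num, str(num))
        elif atype in NAMES:
            attrs[NAMES[atype]] = value.decode("utf-8", "replace")
        pos += alen
    return attrs

def summarize(packet: bytes) -> dict:
    """Report the fields the thread asks about for one accounting record."""
    a = parse_accounting(packet)
    return {"status": a.get("Acct-Status-Type"),
            "service_type": a.get("Service-Type"),
            "nas_port_type": a.get("NAS-Port-Type"),
            "has_session_id": bool(a.get("Acct-Session-Id"))}

def build_sample(with_session_id: bool) -> bytes:
    """Constructed Accounting-Request (zeroed authenticator), not a real capture."""
    tlv = lambda t, v: bytes([t, len(v) + 2]) + v
    body = (tlv(1, b"admin1") + tlv(6, (1).to_bytes(4, "big"))
            + tlv(40, (1).to_bytes(4, "big")) + tlv(61, (5).to_bytes(4, "big")))
    if with_session_id:
        body += tlv(44, b"00000A1B")
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body
```

Feed summarize() the UDP payload of each accounting packet from the capture; it does not verify the request authenticator, so it is a decoding aid only.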

r.westman
Level 1