08-18-2014 03:56 AM - edited 03-10-2019 09:56 PM
Hello,
When I authenticate an endpoint via ISE it shows as an "active endpoint".
After some time (maybe one/two hours) the endpoint is not shown as active anymore although the aaa session is still active on the switch. In ISE it shows: DISCONNECTED (No Accounting received)
I don't use reauthentication. RADIUS accounting is working, however. Is there an option so that the switch periodically sends a packet that the endpoint is still active? Or why does it "time out" so that ISE does not show it as active anymore?
The authentication is working all the time; the problem is just that ISE shows it as not active.
08-18-2014 06:09 AM
The SNMP Trap receives information from the specific network access devices that support MAC notification, linkup, linkdown, and informs. The SNMP Trap probe receives information from the specific network access devices when ports come up or go down and endpoints disconnect from or connect to your network, which results in the information received that is not sufficient to create endpoints in Cisco ISE.
For SNMP Trap to be fully functional and create endpoints, you must enable SNMP Query so that the SNMP Query probe triggers a poll event on the particular port of the network access device when a trap is received. To make this feature fully functional you should configure the network access device and SNMP Trap.
Note: Cisco ISE does not support SNMP Traps that are received from the Wireless LAN Controllers (WLCs) and Access Points (APs).
12-18-2014 07:56 AM
I've had a very similar problem before with the 3850 series. After some investigation, it seemed that the switch was not properly sending accounting information to the ISE.
In our situation it was solved by adding the command "radius-server attribute 31 send nas-port-detail" on the access switch. Perhaps worth a try.
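An added example, not part of the posts in this thread and not Cisco code: a minimal decoder for RADIUS Accounting-Request packets (RFC 2866) that can be run over the UDP payload of a capture taken on the accounting port, to see whether the switch is actually sending Interim-Update records and which port attributes they carry. The sample packet, its session ID, MAC address and interface name are constructed for illustration.

```python
import struct

# Attribute numbers from RFC 2865 / 2866 / 2869
ATTR_NAMES = {1: "User-Name", 5: "NAS-Port", 31: "Calling-Station-Id",
              40: "Acct-Status-Type", 44: "Acct-Session-Id", 87: "NAS-Port-Id"}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
ACCOUNTING_REQUEST = 4

def parse_accounting(packet: bytes) -> dict:
    """Decode the header and attributes of a RADIUS Accounting-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"code {code} is not Accounting-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20                      # attributes follow the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute overruns packet")
        value = packet[pos + 2:pos + alen]
        if atype in (5, 40) and len(value) == 4:   # 32-bit integer attributes
            value = struct.unpack("!I", value)[0]
        else:
            value = value.decode("ascii", "replace")
        attrs[ATTR_NAMES.get(atype, f"attr-{atype}")] = value
        pos += alen
    # Translate the status code; anything absent or unrecognised is flagged
    attrs["Acct-Status-Type"] = STATUS.get(attrs.get("Acct-Status-Type"), "unknown")
    return {"id": ident, "attrs": attrs}

def tlv(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def sample_interim() -> bytes:
    """Constructed sample (not a capture): Interim-Update for one session."""
    body = (tlv(40, struct.pack("!I", 3)) + tlv(44, b"0A000001000000AB")
            + tlv(31, b"00-11-22-33-44-55") + tlv(87, b"GigabitEthernet1/0/1"))
    return struct.pack("!BBH", 4, 7, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(parse_accounting(sample_interim()))
```
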
08-18-2014 05:22 PM
Hmm, can you:
- Post your switch config
- Tell us the version of ISE and switch that you are running
08-19-2014 12:15 AM
I am using 3750-X and 2960CG with IOS 15.2(2)E.
ISE is 1.2.1.198 Patch 1.
Switch config:
aaa new-model
aaa group server radius ise
server-private 1.2.3.4 auth-port 1812 acct-port 1813 key 7 1234567
ip radius source-interface Vlan100
aaa authentication dot1x default group ise
aaa authorization network default group ise
aaa accounting update periodic 5 (I thought this might help!?!?)
aaa accounting dot1x default start-stop group ise
radius-server vsa send accounting
radius-server vsa send authentication
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
dot1x system-auth-control
08-19-2014 01:36 AM
Symptom:
Endpoint dashboard reset
Conditions:
1.2.1 upgrade
Workaround:
N/A
Known Affected Releases: (1)
08-20-2014 07:34 AM
Mohanak, thank you for sharing the bug ID; however, the bug does not have enough details to either confirm or deny that it is in fact the cause of this issue. Is there a chance that you could provide more info/details on the bug?