New Member

ISE: Active Endpoints reset after some time

Hello,

 

When I authenticate an endpoint via ISE it shows as an "active endpoint".

After some time (maybe one/two hours) the endpoint is not shown as active anymore, although the aaa session is still active on the switch. In ISE it shows: DISCONNECTED (No Accounting received)

I don't use reauthentication. RADIUS accounting is working, however. Is there an option so that the switch periodically sends a packet that the endpoint is still active? Or why does it "time out" so that ISE does not show it as active anymore?

The authentication is working all the time; the problem is just that ISE shows it as not active.

 

6 REPLIES
Cisco Employee

SNMP Trap Probe

The SNMP Trap receives information from the specific network access devices that support MAC notification, linkup, linkdown, and informs. The SNMP Trap probe receives information from the specific network access devices when ports come up or go down and endpoints disconnect from or connect to your network, which results in the information received that is not sufficient to create endpoints in Cisco ISE.

For SNMP Trap to be fully functional and create endpoints, you must enable SNMP Query so that the SNMP Query probe triggers a poll event on the particular port of the network access device when a trap is received. To make this feature fully functional you should configure the network access device and SNMP Trap.


Note: Cisco ISE does not support SNMP Traps that are received from the Wireless LAN Controllers (WLCs) and Access Points (APs).

New Member

I've had a very similar problem before with the 3850 series. After some investigation, it seemed that the switch was not properly sending accounting information to the ISE.

In our situation it was solved by adding the command "radius-server attribute 31 send nas-port-detail" on the access switch. Perhaps worth a try.

Cisco Employee

Hmm, can you:

- Post your switch config

- Tell us the version of ISE and switch that you are running

Thank you for rating helpful posts!
New Member

I am using 3750-X and 2960CG with IOS 15.2(2)E.

ISE is 1.2.1.198 Patch 1.

 

Switch config:

aaa new-model


aaa group server radius ise
 server-private 1.2.3.4 auth-port 1812 acct-port 1813 key 7 1234567
 ip radius source-interface Vlan100

aaa authentication dot1x default group ise
aaa authorization network default group ise
! (I thought this might help!?!?)
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ise


radius-server vsa send accounting
radius-server vsa send authentication

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include

dot1x system-auth-control
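
To check whether the switch is actually sending periodic accounting for a session, which is what the replies in this thread are trying to establish, the Accounting-Request payloads seen on the wire can be decoded and grouped by session. This is an added example, not code from the thread or from Cisco; attribute numbers follow RFC 2865/2866, and the session IDs, MAC addresses and packets are constructed sample data.

```python
import struct

ACCT_REQUEST = 4                      # RADIUS code for Accounting-Request (RFC 2866)
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for one RADIUS packet, validating the length fields."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20               # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def summarize(packets):
    """Per Acct-Session-Id: endpoint MAC and the status types seen, in order."""
    sessions = {}
    for pkt in packets:
        a = parse_attributes(pkt)
        if ACCT_SESSION_ID not in a or len(a.get(ACCT_STATUS_TYPE, b"")) != 4:
            continue                  # not enough to attribute the record
        sid = a[ACCT_SESSION_ID].decode()
        status = STATUS.get(struct.unpack("!I", a[ACCT_STATUS_TYPE])[0], "Other")
        entry = sessions.setdefault(sid, {"mac": None, "seen": []})
        entry["mac"] = a.get(CALLING_STATION_ID, b"").decode() or entry["mac"]
        entry["seen"].append(status)
    return sessions

def sessions_without_interim(sessions):
    """Sessions that started, never stopped, and never sent an Interim-Update."""
    return sorted(sid for sid, s in sessions.items()
                  if "Start" in s["seen"] and "Stop" not in s["seen"]
                  and "Interim-Update" not in s["seen"])

def build(status, sid, mac):          # constructed sample packet, zeroed authenticator
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in (
        (ACCT_STATUS_TYPE, struct.pack("!I", status)),
        (ACCT_SESSION_ID, sid.encode()), (CALLING_STATION_ID, mac.encode())))
    return struct.pack("!BBH", ACCT_REQUEST, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = [build(1, "0A00000100000011", "00-11-22-33-44-55"),
          build(3, "0A00000100000011", "00-11-22-33-44-55"),
          build(1, "0A00000100000012", "00-11-22-33-44-66")]
```

Running `sessions_without_interim(summarize(SAMPLE))` lists the sessions for which only a Start was ever received.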

Cisco Employee

Dashboard Endpoint Inaccuracy
CSCup21881

Symptom: Endpoint dashboard reset

Conditions: 1.2.1 upgrade

Workaround: N/A

Last Modified: Jun 6, 2014
Status: Open
Severity: 4 Minor
Product: Cisco Identity Services Engine (ISE) 3300 Series Appliances
Known Affected Releases: (1) 1.2(1.198)
Cisco Employee

Mohanak, thank you for sharing the bug ID, however, the bug does not have enough details to either confirm or deny that it is in fact the cause of this issue. Is there a chance that you could provide more info/details on the bug?

Thank you for rating helpful posts!