
Accounting-Stop Same PSN for Session terminate 1.4/2.0

Scott Irey
Cisco Employee

Hey Folks,

When PSN receives an accounting-stop from NAD (WLC in this case) it will deactivate the session and free up the license.

Is this information shared in the deployment in newer ISE versions (1.4, 2.0, etc.)? See a scenario, let's say doing MAB only, and the initial auth session/accounting-start is on PSN1, but when the client session is terminated the accounting-stop is sent to a different PSN.

Is this information shared now in the deployment so the license still is freed up without having to wait for the standard clearing of stale sessions?

This design is going to use LWA as well, so we do have the strict session to PSN restrictions that we would otherwise with CWA. So wanting to see if there are any other scenarios like I mention above that would require same PSNs for sessions. The PSNs will be in a node group.

I know that in older versions we had to have same PSN to properly terminate session, but has anything changed in 1.4/2.0 that could allow the session to terminate if auth and acctstop go to different PSNs?

2 Replies

howon
Cisco Employee

Scott, I am not aware of any design that would end up with RADIUS Accounting to a different PSN. This includes LWA and CWA and certainly other advanced flows.

However, to answer your question, the session is maintained on MnT node and gets cleared regardless of which PSN the RADIUS Accounting stop was received on.

Hosuk

Thanks Hosuk for clarifying!

Not by design, but depending on NAD behavior (WLC in this case) with how RADIUS failover has been handled there could be some scenarios where WLC sends accounting updates to a different PSN. Assuming customer does not want to enable LB in their DMZ, may rely on how WLC handles HA for RADIUS.

Thanks again!