CR-2026-04-02: Enable RADIUS Accounting Interim Updates on 9800 WLC
1. Change Summary
| Field | Value |
|---|---|
CR ID |
CR-2026-04-02-001 |
Date |
2026-04-02 |
Priority |
P3: Standard |
Type |
Configuration |
Status |
Implemented |
Requestor |
Evan Rosado |
Implementor |
Evan Rosado |
2. Objective
Enable RADIUS accounting interim updates on WLC wireless policy profiles so ISE DataConnect reports contain packet/byte counters for wireless sessions. Without this, wireless sessions show 0 packets/bytes because the WLC only sends Start and Stop records — no interim updates during the session.
3. Justification
While testing netapi ise dc query --file active-sessions, wireless sessions on the 9800 WLC returned input_packets: 0, output_packets: 0, total_mb: 0 despite active traffic. Wired sessions on the 3560CX showed correct counters (4.8TB, 69M packets). Root cause: accounting-interim was not enabled on the wireless policy profiles.
4. Current State vs Target State
| Component | Current (Before) | Target (After) |
|---|---|---|
POLICY-DOMUS_SECURE |
No accounting-interim — only Start/Stop records sent to ISE |
|
POLICY-DOMUS_IoT |
No accounting-interim |
|
5. Scope
5.1. In Scope
-
Enable
accounting-interimon POLICY-DOMUS_SECURE -
Enable
accounting-interimon POLICY-DOMUS_IoT -
Both on Home-9800-WLC (10.50.1.40)
5.2. Out of Scope
-
default-policy-profile (not in active use)
-
CHLA WLC configuration (separate change)
6. Implementation Plan
6.1. Pre-Change Verification
show wireless profile policy detailed POLICY-DOMUS_SECURE | include account
show wireless profile policy detailed POLICY-DOMUS_IoT | include account
show run | include interim6.2. Step 1: Enable on POLICY-DOMUS_SECURE
| Requires policy shutdown. Wireless clients on this policy will disconnect briefly. |
configure terminal
wireless profile policy POLICY-DOMUS_SECURE
shutdown
accounting-interim
no shutdown
end
write memory6.3. Step 2: Enable on POLICY-DOMUS_IoT
configure terminal
wireless profile policy POLICY-DOMUS_IoT
shutdown
accounting-interim
no shutdown
end
write memory6.4. Post-Change Verification
show run | include interim
show wireless profile policy detailed POLICY-DOMUS_SECURE | include account# Verify in ISE DataConnect (wait ~60 min for first interim update)
netapi ise dc --format json query --file active-sessions | jq '.[] | select(.mac_address == "70:15:FB:F8:47:EC") | {packets: .total_packets, mb: .total_mb, updates: .update_count}'7. Rollback Plan
configure terminal
wireless profile policy POLICY-DOMUS_SECURE
shutdown
no accounting-interim
no shutdown
end
configure terminal
wireless profile policy POLICY-DOMUS_IoT
shutdown
no accounting-interim
no shutdown
end
write memory8. Risk Assessment
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
Wireless clients disconnect during shutdown |
Certain |
Low (2-5 seconds) |
Performed during low-usage period (6 AM home lab) |
Increased RADIUS traffic |
Low |
Low |
Interim updates are lightweight; home lab has <10 wireless clients |
9. Communication
| Audience | Timing | Method |
|---|---|---|
Self (home lab) |
During change |
Console monitoring |
10. Post-Implementation Review
Change successful: [x] Yes
Unexpected outcomes: Wireless clients reconnected within 3 seconds. No authentication failures.
Lessons learned: 9800 WLC requires shutdown before modifying accounting-interim. Command takes no interval argument — the interval is determined by the RADIUS server or defaults to the WLC’s internal setting.