Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1932
Views
0
Helpful
7
Replies

Cisco ISE - multiple radius live log entries for same request

nathgregory
Level 1
Level 1

‎05-16-2019 11:12 AM

Hi.  I am getting a vast number of seemingly duplicate entries in the Radius Live Logs.  As far as I am aware they are all for one request, and are even if it is a pass.  See attached picture.

Any help would be appreciated.

The attached picture I have crossed out the username, but they are all identical.

Preview file
116 KB
0 Helpful
7 Replies 7

hslai
Cisco Employee
Cisco Employee

‎05-16-2019 12:58 PM

I see you have ~ 11 entries within the same second.

First, go to [ ISE admin web UI > Administration > System > Logging > Remote Logging Targets ], verify only one target enabled per M&T node.

Second, monitor the RADIUS requests from the network device by TCPDUMP or Use Re: Check logs on Cisco ISE to verify only one request sent to the ISE PSN.

If neither helps, time to open a TAC case.

0 Helpful

nathgregory
Level 1
Level 1
In response to hslai

‎05-17-2019 02:48 AM

Hi.  TCPDump shows only one Radius request being sent.

Why would it show multiple times in the logs though?

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to nathgregory

‎05-17-2019 08:16 PM

ISE is not restricting to use the same host in multiple logging targets.

If this is not your issue, please engage TAC.

0 Helpful

RaffyLindogan
Spotlight
Spotlight

‎05-16-2019 04:50 PM

Hi mate,

 

It could be that the supplicant on end device has issue.

Or if it is legit radius sessiions, then you can just suppress it by following the steps below.

 1. Go to Administration/Settings/Protocols/RADIUS

  2. Check "Suppress successful reports" 

  3. You can also check "Suppress Repeated failed clients" 

 

Note: There are variety of settings that you can choose there depending on what you want to set

 

Once you've done this, the Live Logs will only show one line for specific session and it will provide the number of repeat counts.

 

Cheers,


Raffy

 

Cheers

0 Helpful

nathgregory
Level 1
Level 1
In response to RaffyLindogan

‎05-17-2019 02:48 AM

Thanks.  Only one Radius request was sent, but it is already selected to Suppress Succcessfull Reports.  Strange.

0 Helpful

RaffyLindogan
Spotlight
Spotlight
In response to nathgregory

‎05-17-2019 05:13 AM

Hi mate,

 

if it is one endpoint/user causing that then it could be issue on supplicant.

you can update driver of supplicant.

It doesnt explain though why it would appear on separate sessions if suppression for both failed and successful connections is enabled.

 

 

cheers,

 

Raffy

0 Helpful

nathgregory
Level 1
Level 1
In response to RaffyLindogan

‎05-17-2019 05:27 AM

A packet dump confirmed only on radius request was made from the supplicant to ISE.  

I don't have the issue with other network devices though, just the 2700 autonomous Access Point.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents