Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2420
Views
0
Helpful
3
Replies

Axis security cameras on ISE, authenticating too often

Josh Morris
Level 3
Level 3

‎10-15-2020 07:44 AM

I am running ISE 2.2 p16.

 

I have a bunch of Axis security cameras, and all of them appear to be trying to reauth every minute or so. Typically, this isn't a problem, but some cameras will drop offline. I can see the following message in ISE.

FailureReason

12929 NAS sends RADIUS accounting update messages too frequently

Here is my switchport config...

interface GigabitEthernet2/5
 switchport access vlan 42
 switchport mode access
 switchport voice vlan 74
 ip device tracking maximum 10
 logging event link-status
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action authorize vlan 42
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize 
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 300
 dot1x timeout tx-period 10
 dot1x timeout ratelimit-period 300
 service-policy input QoS-Input-Policy
 service-policy output QoS-Host-Port-Output-Policy
end

The ISE policy uses MAB and moves the endpoint to a group and changes VLAN. 

 

Does anyone know why this is happening and how I can stop it?

 

0 Helpful
3 Replies 3

Arne Bier
VIP
VIP

‎10-15-2020 03:30 PM - edited ‎10-15-2020 03:38 PM

Do you send a customer Session-Timeout with each successful camera authentication? Perhaps you should not return a Session-Timeout value

 

In my case (802.1X/MAB on a Cisco 9300) I have not sent a Session-Timeout from ISE and the switch tells me:

 

Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A

 

There is of course still an Accounting update, which I set to 2880 minutes (2 days) so that any active session over 2 days will still send Accounting to ISE (for session keepalive)

 

Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 171250s
Common Session ID: 0702A8C0000001F72E4CBE3A
Acct Session ID: 0x000000c9
Handle: 0x520001ec
Current Policy: ISE_AUTH_POLICY

0 Helpful

Josh Morris
Level 3
Level 3
In response to Arne Bier

‎10-16-2020 06:12 AM

Thanks, I am currently not sending any session timeout to my security cameras, and my acct update is 7 hours. But I am seeing re-auths on these things every couple minutes. We got a login to one of the cameras and will check into it to see if its doing anything weird.

 

Of course, if we statically set the port without any radius config, the camera works just fine with no issues. 

0 Helpful

hogoqo
Level 1
Level 1

‎06-17-2024 12:47 PM

I am having a similar issue with the Axis Cameras. Did you guys find a solution to this issue?

0 Helpful
Customers Also Viewed These Support Documents