10-15-2020 07:44 AM
I am running ISE 2.2 p16.
I have a bunch of Axis security cameras, and all of them appear to be trying to reauth every minute or so. Typically, this isn't a problem, but some cameras will drop offline. I can see the following message in ISE.
FailureReason | 12929 NAS sends RADIUS accounting update messages too frequently |
Here is my switchport config...
interface GigabitEthernet2/5 switchport access vlan 42 switchport mode access switchport voice vlan 74 ip device tracking maximum 10 logging event link-status authentication control-direction in authentication event fail action next-method authentication event server dead action authorize vlan 42 authentication event server dead action authorize voice authentication event server alive action reinitialize authentication host-mode multi-auth authentication open authentication order mab dot1x authentication priority dot1x mab authentication port-control auto authentication periodic authentication timer reauthenticate server authentication violation restrict mab dot1x pae authenticator dot1x timeout quiet-period 300 dot1x timeout tx-period 10 dot1x timeout ratelimit-period 300 service-policy input QoS-Input-Policy service-policy output QoS-Host-Port-Output-Policy end
The ISE policy uses MAB and moves the endpoint to a group and changes VLAN.
Does anyone know why this is happening and how I can stop it?
10-15-2020 03:30 PM - edited 10-15-2020 03:38 PM
Do you send a customer Session-Timeout with each successful camera authentication? Perhaps you should not return a Session-Timeout value
In my case (802.1X/MAB on a Cisco 9300) I have not sent a Session-Timeout from ISE and the switch tells me:
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
There is of course still an Accounting update, which I set to 2880 minutes (2 days) so that any active session over 2 days will still send Accounting to ISE (for session keepalive)
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 171250s
Common Session ID: 0702A8C0000001F72E4CBE3A
Acct Session ID: 0x000000c9
Handle: 0x520001ec
Current Policy: ISE_AUTH_POLICY
10-16-2020 06:12 AM
Thanks, I am currently not sending any session timeout to my security cameras, and my acct update is 7 hours. But I am seeing re-auths on these things every couple minutes. We got a login to one of the cameras and will check into it to see if its doing anything weird.
Of course, if we statically set the port without any radius config, the camera works just fine with no issues.
06-17-2024 12:47 PM
I am having a similar issue with the Axis Cameras. Did you guys find a solution to this issue?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide