I know this is an old ticket, but I was seeing a similar issue. It turns out I had overlooked the "aaa accounting update newinfo periodic 2880" line while following this guide for ISE switch setup:
CSCuh20269 "WLC sends acc updates too frequently, indicates user roams to itself" is the defect specifically on the WLC that is fixed in one of the 7.6 releases.
Along with the config Jatin mentioned, you may want to try pulling an Accounting report from ISE periodically and analyze the traffic/isolate the endpoints/supplicants that may be causing a lot of activity (for example, frequent IP changes), which results in frequent accounting updates.
Escalation engineer, SAMPG | CCIE#28227
The issue is reported to be seen on 2960 and 3560 switches as well. Our devices would not be changing IPs enough to warrant 500 notifications a day.
I'm working a similar case where the NAD actually sent accounting messages for interfaces without dot1x enabled, but were up/up. In this case, the customer has the following in the global config
Macro auto monitor
Access-session template monitor
There are some global commands required for ip dhcp snooping, so disabling them outright isn't the best solution for the time being. There are discussions about putting forward a feature to disable it on a per-port basis, as this is intentional behavior apparently.
If I'm wrong about my assumption, and you don't have either of those commands in the running config, I would recommend taking a packet capture from a PSN and filtering for the specific accounting messages from the switch to see if there's anything wonky on there. Example Wireshark filter being 'radius.code == 4 && ip.src == 126.96.36.199'. If you're comfortable posting it up on the forums I can take a look as well.
O.k., after 2 weeks on patch 1.2.1 - it has gotten better. It hasn't gone away completely, but under "normal" conditions it is almost gone. If, for example, a building has a power failure, and 2000 devices come back online - then you still get this message. But my error messages have gone back quite a lot after patch 1.2.1.
The "start-stop" records seem to be what it's picking up as accounting updates. My "misconfigured devices" area had very few notices in it the other day, so I waited for a new one to pop up and went into the logs and saw the only thing it was reporting was the "start and stops" of the accounting functions of the command "aaa accounting dot1x default start-stop group ISE local", and that seems to be what it is seeing as an accounting update. I am a junior network analyst, so I have not gotten approval to tinker with the settings in the switches to see if that is in fact the case. Anyone care to be the guinea pig?
For the time being, I just went into settings and turned off that alarm.
I have the same issue on 2960S. Does someone have a solution to solve the problem?
I had "aaa accounting update periodic 15"
and it didn't change anything.
Thanks for your help!
In my scenario it seems like it's not the fault of the RADIUS server. I actually saw RADIUS accounting interim-update packets on the network. After a time I discovered an end device losing its IP and sending another DHCP request all the time. This device causes the switch to send RADIUS accounting update packets. Even when aaa accounting update was not set, I saw accounting interim-update packets.
Cisco: "Even after removing the interim accounting update, the switch was sending packet as there was change in critical information (ip address/reauthentication). This is working as design, so to change this behavior, we need to open a feature request."
So if you have the above error message, turn on tcpdump on your ISE and filter for your RADIUS accounting port. Maybe you can find the source of the problem.
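The approach suggested in this thread (capture RADIUS accounting traffic, then isolate the endpoints behind the updates), as an added example that is not part of any post: it parses Accounting-Request payloads per RFC 2865/2866 and reports, per Calling-Station-Id, how many Interim-Updates were sent and which Framed-IP addresses appeared. It assumes the UDP payloads have already been extracted from a capture; the function names and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 8, 31, 40  # attribute types
INTERIM_UPDATE = 3  # Acct-Status-Type value

def parse_accounting(payload):
    """Return {attr_type: value_bytes} for an Accounting-Request, else None."""
    if len(payload) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(payload):
        return None
    attrs, pos = {}, 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None  # malformed attribute, drop the packet
        attrs[a_type] = payload[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def summarize(payloads):
    """Per Calling-Station-Id: interim-update count and Framed-IP addresses seen."""
    stats = defaultdict(lambda: {"interim": 0, "ips": set()})
    for payload in payloads:
        attrs = parse_accounting(payload)
        if not attrs or CALLING_STATION_ID not in attrs:
            continue
        entry = stats[attrs[CALLING_STATION_ID].decode("ascii", "replace")]
        status = attrs.get(ACCT_STATUS_TYPE, b"")
        if len(status) == 4 and struct.unpack("!I", status)[0] == INTERIM_UPDATE:
            entry["interim"] += 1
        if len(attrs.get(FRAMED_IP, b"")) == 4:
            entry["ips"].add(socket.inet_ntoa(attrs[FRAMED_IP]))
    return dict(stats)

def build(mac, status, ip):  # constructed sample packet with a zeroed authenticator
    body = (bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
            + bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac.encode()
            + bytes([FRAMED_IP, 6]) + socket.inet_aton(ip))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed capture: one endpoint that keeps changing IP, one quiet endpoint.
SAMPLES = [build("00-11-22-33-44-55", s, ip) for s, ip in
           [(1, "192.0.2.10"), (3, "192.0.2.11"), (3, "192.0.2.12")]]
SAMPLES.append(build("66-77-88-99-AA-BB", 1, "192.0.2.20"))
print({m: (s["interim"], sorted(s["ips"])) for m, s in summarize(SAMPLES).items()})
```

An endpoint with a high interim count and several distinct Framed-IP addresses matches the DHCP-churn case described in the last post.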