
13665 Views | 14 Helpful | 37 Replies
Beginner

Any news from TAC?

We have the same problem with ISE 1.2.0.876 and IOS 15.0(2)SE5.

Regards

Sebastian

 

 

Beginner

Hi David,

I know this is an old ticket, but I was seeing a similar issue. It turns out I had overlooked the "aaa accounting update newinfo periodic 2880" line while following this guide for ISE switch setup:

https://communities.cisco.com/docs/DOC-68171

Regards

Cisco Employee

 

CSCuh20269 "WLC sends acc updates too frequently, indicates user roams to itself" is the defect specifically on the WLC that is fixed in one of the 7.6 releases.

 

Along with the config Jatin mentioned, you may want to try pulling an Accounting report from ISE periodically and analyze the traffic/isolate the endpoints/supplicants that may be causing a lot of activity (for example, frequent IP changes), which results in frequent accounting updates.

 

Regards,

Gurudatt

Escalation engineer, SAMPG | CCIE#28227

Cisco systems

Beginner

Gurudatt, 

 

The issue is reported to be seen on 2960 and 3560 switches as well. Our devices would not be changing IPs enough to warrant 500 notifications a day.

 

 

Cisco Employee

Hey David,

 

I'm working a similar case where the NAD actually sent accounting messages for interfaces without dot1x enabled, but were up/up. In this case, the customer has the following in the global config

Macro auto monitor
Access-session template monitor

There are some global commands required for ip dhcp snooping, so disabling them outright isn't the best solution for the time being. There are discussions about putting forward a feature to disable it on a per-port basis, as this is intentional behavior apparently.

 

If I'm wrong about my assumption, and you don't have either of those commands in the running config, I would recommend taking a packet capture from a PSN and filtering for the specific accounting messages from the switch to see if there's anything wonky on there. Example Wireshark filter being 'radius.code == 4 && ip.src == 1.2.3.4'. If you're comfortable posting it up on the forums I can take a look as well.

I believe this is supposed to be fixed in the 1.2.1 patch for ISE they just released.

I updated to 1.2.1 and the error is still alive and well ;) 

 

 

O.k., after 2 weeks on patch 1.2.1 - it has gotten better. It hasn't gone away completely, but under "normal" conditions it is almost gone. If, for example, a building has a power failure, and 2000 devices come back online - then you still get this message. But my error messages have gone back quite a lot after patch 1.2.1.

 

Beginner

Hi MeMySelfundCisco,

 

You updated to 1.2.1 and you always have error messages?

Thanks for your experience!

 

The "start-stop" records seem to be what it's picking up as accounting updates. My "misconfigured devices" area had very few notices in it the other day, so I waited for a new one to pop up and went into the logs and saw the only thing it was reporting was the "start and stops" of the accounting functions of the command "aaa accounting dot1x default start-stop group ISE local", and that seems to be what it is seeing as an accounting update. I am a junior network analyst, so I have not gotten approval to tinker with the settings in the switches to see if that is in fact the case. Anyone care to be the guinea pig?

For the time being, I just went into settings and turned off that alarm.

Beginner

Hey Guy,

I have the same issue on 2960S. Does someone have a solution to solve the problem?

I had "aaa accounting update periodic 15"

and it didn't change anything.

 

Thanks for your help!

Beginner

We're running ISE 1.3 and WLC 8.0.120.0 and I still get those messages....

Beginner

Newly installed ISE 2.1 with 5508's running code 8.0.133. I'm seeing the messages too.

Hi!

In my scenario, ISE 1.4.0.253, WLC 5508 version 8.0, I'm seeing the messages too.

Thanks for updates!

David.

Beginner

In my scenario it seems like it's not the fault of the RADIUS server. I actually saw RADIUS accounting interim-update packets on the network. After a time I discovered an end device losing its IP and sending another DHCP request all the time. This device causes the switch to send RADIUS accounting update packets. Even when aaa accounting update was not set I saw accounting interim-update packets.

Cisco: "Even after removing the interim accounting update, the switch was sending packet as there was change in critical information (ip address/reauthentication). This is working as design, so to change this behavior, we need to open a feature request."

So if you have the above error message, turn on tcpdump on your ISE and filter for your RADIUS accounting port. Maybe you can find the source of the problem.

Regards,

Sebastian
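
An added example, not written by any poster in this thread and not Cisco tooling: one way to do the analysis suggested in the replies above (isolating the endpoints behind frequent accounting updates, and checking a capture taken on the RADIUS accounting port). It assumes the raw UDP payloads have already been extracted from the capture; the function names, the threshold and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request (RFC 2866)
FRAMED_IP, CALLING_STATION_ID, ACCT_STATUS_TYPE = 8, 31, 40
INTERIM_UPDATE = 3              # Acct-Status-Type value (1 = Start, 2 = Stop)

def parse_accounting(payload):
    """Return {attr_type: value_bytes} for an Accounting-Request, else None."""
    if len(payload) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(payload):
        return None
    attrs, pos = {}, 20          # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return None          # malformed TLV: do not trust the packet
        attrs[a_type] = payload[pos + 2:pos + a_len]
        pos += a_len
    return attrs

def noisy_endpoints(payloads, threshold):
    """Map Calling-Station-Id -> (interim-update count, Framed-IPs seen)."""
    counts, ips = defaultdict(int), defaultdict(set)
    for payload in payloads:
        attrs = parse_accounting(payload)
        if not attrs or attrs.get(ACCT_STATUS_TYPE) != struct.pack("!I", INTERIM_UPDATE):
            continue
        mac = attrs.get(CALLING_STATION_ID, b"unknown").decode("ascii", "replace")
        counts[mac] += 1
        if len(attrs.get(FRAMED_IP, b"")) == 4:
            ips[mac].add(".".join(str(b) for b in attrs[FRAMED_IP]))
    return {m: (n, sorted(ips[m])) for m, n in counts.items() if n >= threshold}

# --- constructed sample input (not taken from a real capture) ---
def _attr(a_type, value):
    return bytes([a_type, len(value) + 2]) + value

def build_packet(status, mac, ip):
    body = (_attr(ACCT_STATUS_TYPE, struct.pack("!I", status))
            + _attr(CALLING_STATION_ID, mac.encode())
            + _attr(FRAMED_IP, bytes(int(o) for o in ip.split("."))))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = ([build_packet(3, "AA-BB-CC-00-00-01", f"10.0.0.{i}") for i in (5, 6, 5, 7)]
          + [build_packet(1, "AA-BB-CC-00-00-02", "10.0.0.9"),
             build_packet(3, "AA-BB-CC-00-00-02", "10.0.0.9")])

if __name__ == "__main__":
    print(noisy_endpoints(SAMPLE, threshold=3))
```

An endpoint that shows many interim updates together with several different Framed-IP-Address values matches the case described above, where a device kept losing its IP and re-requesting DHCP.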