05-05-2014 07:26 AM - edited 03-10-2019 09:41 PM
We are currently running Cisco ISE 1.2, and every day under the "Misconfigured Network Devices" section on the main ISE Page, I have a huge list of different devices that are all being flagged with the following error message:
"12929 NAS sends RADIUS accounting update messages too frequently." " NAS sends RADIUS accounting update messages too frequently
Verify NAS configuration. Verify known NAS issues."
The list of devices seems to all be Cisco switches, albeit different models, IOS versions, etc.
I have searched on this issue, and the closest thing to a fix I can find is that it would be fixed in a WLC update, but that was 9 months ago. I would like to know what causes this issue, and what needs to be altered in ISE or on the switches to resolve this.
Thank You.
06-15-2015 01:43 AM
Any news from TAC?
We have the same problem with ISE 1.2.0.876 and IOS 15.0(2)SE5.
Regards
Sebastian
07-10-2017 06:15 AM
Hi David,
I know this is an old ticket, but I was seeing a similar issue. It turns out I had overlooked the "aaa accounting update newinfo periodic 2880" line while following this guide for ISE switch setup:
https://communities.cisco.com/docs/DOC-68171
Regards
06-02-2014 11:41 PM
CSCuh20269 "WLC sends acc updates too frequently, indicates user roams to itself" is the defect specifically on the WLC that is fixed in one of the 7.6 releases.
Along with the config Jatin mentioned, you may want to try pulling an Accounting report from ISE periodically and analyze the traffic/isolate the endpoints/supplicants that may be causing a lot of activity (for example, frequent IP changes), which results in frequent accounting updates.
Regards,
Gurudatt
Escalation engineer, SAMPG | CCIE#28227
Cisco systems
06-12-2014 12:46 PM
Gurudatt,
The issue is being reported on 2960 and 3560 switches as well. Our devices would not be changing IPs enough to warrant 500 notifications a day.
06-12-2014 02:47 PM
Hey David,
I'm working a similar case where the NAD actually sent accounting messages for interfaces that did not have dot1x enabled but were up/up. In this case, the customer has the following in the global config:
Macro auto monitor
Access-session template monitor
There are some global commands required for ip dhcp snooping, so disabling them outright isn't the best solution for the time being. There are discussions about putting forward a feature to disable it on a per-port basis, as this is intentional behavior apparently.
If I'm wrong about my assumption, and you don't have either of those commands in the running config, I would recommend taking a packet capture from a PSN and filtering for the specific accounting messages from the switch to see if there's anything wonky on there. An example Wireshark filter is 'radius.code == 4 && ip.src == 1.2.3.4'. If you're comfortable posting it up on the forums, I can take a look as well.
06-13-2014 06:27 AM
I believe this is supposed to be fixed in the 1.2.1 patch for ISE they just released.
07-09-2014 01:30 AM
I updated to 1.2.1 and the error is still alive and well ;)
07-25-2014 07:42 AM
OK, after 2 weeks on patch 1.2.1, it has gotten better. It hasn't gone away completely, but under "normal" conditions it is almost gone. If, for example, a building has a power failure and 2000 devices come back online, then you still get this message. But my error messages have gone back quite a lot after patch 1.2.1.
08-25-2014 06:32 AM
Hi MeMySelfundCisco,
You updated to 1.2.1 and you still have error messages?
Thanks for your experience!
06-16-2014 09:40 AM
The "start-stop" records seem to be what it's picking up as accounting updates. My "misconfigured devices" area had very few notices in it the other day, so I waited for a new one to pop up and went into the logs and saw the only thing it was reporting was the "start and stops" of the accounting functions of the command "aaa accounting dot1x default start-stop group ISE local", and that seems to be what it is seeing as an accounting update. I am a junior network analyst, so I have not gotten approval to tinker with the settings in the switches to see if that is in fact the case. Anyone care to be the guinea pig?
For the time being, I just went into settings and turned off that alarm.
07-25-2014 05:34 AM
Hey Guy,
I have the same issue on 2960S. Does anyone have a solution to the problem?
I had "aaa accounting update periodic 15"
and it didn't change anything.
Thanks for your help!
10-29-2015 01:43 AM
08-15-2016 12:53 PM
Newly installed ISE 2.1 with 5508's running code 8.0.133. I'm seeing the messages too.
11-22-2016 11:55 PM
Hi!
In my scenario (ISE 1.4.0.253, WLC 5508 version 8.0) I'm seeing the messages too.
Thanks for updates!
David.
08-16-2016 12:05 AM
In my scenario it seems like it's not the fault of the RADIUS server. I actually saw RADIUS accounting interim-update packets on the network. After a time I discovered an end device losing its IP and sending another DHCP request all the time. This device causes the switch to send RADIUS accounting update packets. Even when aaa accounting update was not set, I saw accounting interim-update packets.
Cisco: "Even after removing the interim accounting update, the switch was sending packet as there was change in critical information (ip address/reauthentication). This is working as design, so to change this behavior, we need to open a feature request."
So if you have the above error message, turn on tcpdump on your ISE and filter for your RADIUS accounting port. Maybe you can find the source of the problem.
Regards,
Sebastian
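Added example, not part of any post in this thread: one way to do the analysis suggested above (review accounting records and isolate the endpoints behind frequent updates) is to group records per session and flag those whose Interim-Updates arrive too close together, noting how many distinct IP addresses each session reported. The CSV layout, the thresholds and the sample rows are assumptions constructed for illustration; only the RADIUS attribute names are standard.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows. Column names are standard RADIUS attribute names;
# the CSV layout itself is an assumption, not an ISE export format.
SAMPLE = """\
timestamp,NAS-IP-Address,Calling-Station-Id,Acct-Session-Id,Acct-Status-Type,Framed-IP-Address
2014-06-12 08:00:00,10.0.0.2,AA-BB-CC-00-00-01,0001,Start,10.1.1.10
2014-06-12 08:00:40,10.0.0.2,AA-BB-CC-00-00-01,0001,Interim-Update,10.1.1.11
2014-06-12 08:01:15,10.0.0.2,AA-BB-CC-00-00-01,0001,Interim-Update,10.1.1.12
2014-06-12 08:01:50,10.0.0.2,AA-BB-CC-00-00-01,0001,Interim-Update,10.1.1.13
2014-06-12 08:00:05,10.0.0.2,AA-BB-CC-00-00-02,0002,Start,10.1.1.20
2014-06-13 08:00:05,10.0.0.2,AA-BB-CC-00-00-02,0002,Interim-Update,10.1.1.20
2014-06-12 09:00:00,10.0.0.3,AA-BB-CC-00-00-03,0003,Start,10.1.2.30
2014-06-12 17:00:00,10.0.0.3,AA-BB-CC-00-00-03,0003,Stop,10.1.2.30
"""

def noisy_sessions(csv_text, min_interval_s=300, min_updates=3):
    """Return sessions whose Interim-Updates arrive faster than min_interval_s."""
    sessions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["NAS-IP-Address"], row["Calling-Station-Id"], row["Acct-Session-Id"])
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        sessions[key].append((ts, row["Acct-Status-Type"], row["Framed-IP-Address"]))
    findings = []
    for (nas, mac, sid), events in sessions.items():
        events.sort()
        updates = [e for e in events if e[1] == "Interim-Update"]
        if len(updates) < max(min_updates, 2):  # need at least two updates to measure a gap
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(updates, updates[1:])]
        # Several distinct Framed-IP-Address values suggest an endpoint that keeps
        # re-requesting DHCP, which the thread reports as a trigger for updates.
        ips = {e[2] for e in events if e[2]}
        if min(gaps) < min_interval_s:
            findings.append({"nas": nas, "endpoint": mac, "session": sid,
                             "updates": len(updates), "min_gap_s": min(gaps),
                             "distinct_ips": len(ips)})
    return sorted(findings, key=lambda f: f["updates"], reverse=True)

if __name__ == "__main__":
    for finding in noisy_sessions(SAMPLE):
        print(finding)
```
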