Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4886
Views
11
Helpful
6
Replies

ISE Alarm : Warning : No Authentications in the last 15 minutes

Go to solution
pnowikow
Level 1
Level 1

‎12-20-2019 08:07 AM

Good morning everyone.  Has anyone seen this or know how to fix it?  I'm running 2.3 and plan to upgrade to 2.6 in early January but these emails have to be wrong since we have over 100 NADs in the environment now running ISE.

 

Alarm Name : 
ISE Authentication Inactivity

Details : 
No Authentications in the last 15 minutes

Description : 
The ISE Policy Service nodes are not receiving Authentication requests from the Network Devices

Severity : 
Warning

Suggested Actions : 
Check the ISE/NAD configuration, check the network connectivity of the ISE/NAD infrastructure.

*** This message is generated by Cisco Identity Services Engine (ISE) ***

Sent By Host : XXXXX

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎12-20-2019 08:29 AM

This alarm is triggered when an ISE PSN node doesn't receive a RADIUS auth over a period of 15 minutes. This would be common if you use one ISE server as primary, and another as secondary everywhere. The secondary might see no authentication and then trigger this alarm. The other option is in TACACS only deployment, if there is no RADIUS, then the nodes will trigger this alarm. In TACACS only deployments I just turn this alarm off.

What andrewswanson also pointed at was the chance of a deployment bug also causing this. If you know that the node generating this alarm is in fact receiving RADIUS auth, then an issue collecting or processing the logs will also cause this to trigger. Patching, then TAC would be your two options at that point.

View solution in original post

6 Replies 6

Go to solution
andrewswanson
Level 7
Level 7

‎12-20-2019 08:12 AM

Hi

You could be running into the bug below:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz52877/?rfs=iqvred

 

it is listed as fixed with 2.3 patch 6

 

hth

Andy

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎12-20-2019 08:29 AM

This alarm is triggered when an ISE PSN node doesn't receive a RADIUS auth over a period of 15 minutes. This would be common if you use one ISE server as primary, and another as secondary everywhere. The secondary might see no authentication and then trigger this alarm. The other option is in TACACS only deployment, if there is no RADIUS, then the nodes will trigger this alarm. In TACACS only deployments I just turn this alarm off.

What andrewswanson also pointed at was the chance of a deployment bug also causing this. If you know that the node generating this alarm is in fact receiving RADIUS auth, then an issue collecting or processing the logs will also cause this to trigger. Patching, then TAC would be your two options at that point.

Go to solution
stayd
Level 1
Level 1
In response to Damien Miller

‎11-24-2023 11:59 AM

Hi Damien, what if I do not want to turn off this alarm completly, but I would like to extend the interval of monitoring from default settings of 15 minutes to my own interval, let´s say 60 minutes instead of 15 minutes.

I did not find the way how to set this, because when I am looking on the option of the triggering this alarm, I am lost, look at this yourself:

stayd_0-1700855928750.png

???

0 Helpful

Go to solution
Kacker
Level 1
Level 1

‎09-15-2023 10:42 AM

What is the solution for the primary/secondary trigger? Do you also suggest disabling the alarm from the secondary, or is there a best-practice for configuring the secondary for RADIUS auth?

0 Helpful

Go to solution
Sergio C
Level 1
Level 1

‎12-21-2023 12:31 AM

Hello all. I have this issue myself (as during the nights there are low to no authentications) and wanted to change the window to 30/60 minutes. When I try it it says that the Threshold is invalid as it is negative.

SergioC_0-1703147441096.png

I imagine that if I put a valid value there (0) it will not work correctly, as it should be something like 5 and Lesser than instead of Greather than.

 

0 Helpful

Go to solution
stayd
Level 1
Level 1
In response to Sergio C

‎01-06-2024 04:24 AM - edited ‎01-07-2024 04:58 AM

Yes this is not well documented. Nobody (excluding Cisco itself) knows what these values stand for.

0 Helpful
Customers Also Viewed These Support Documents