02-28-2019 06:48 PM
Looking for a wider opinion. I have several routers that I use ISE RADIUS for device management. I do not have a TACACS license. I just use ISE to log in to them. I have ISE generating misconfigured alarms for some of my routers.
I have two ASRs in the network and one constantly generates these alarms while the other one does not. They both have the same AAA config and are at the same version of code. Not understanding why one alarms and the other does not. There are a few switches that give this error as well.
TAC has told me a few things. 1) My configuration looks OK. 2) If the devices aren't on the ISE compatibility list, then I can expect these types of problems. I generally thought the compatibility list was for user auth feature/functionality, not console login compatibility. 3) I should disable these alarms because they are prone to false errors and considered unreliable. I'm really not able to get assistance to troubleshoot why the error is happening.
Has anybody else run across this error and if so, did you disable the alarm?
Alarm Name: Misconfigured Network Device Detected
Details: Misconfigured NAS Detected with NAS IP Address=192.168.1.1
Description: ISE has detected misconfigured parameters on the NAS, or RADIUS accounting updates occur too frequently
Severity: Warning
Suggested Actions: Verify that parameters on the NAS are properly configured. Verify that the shared secret on the NAS is correct.
*** This message is generated by Cisco Identity Services Engine (ISE) ***
Regards.
Ryan
03-01-2019 03:51 AM
Oh yeah, this old chestnut. It has to do with the fact that the NAS sends too many RADIUS Accounting packets in a certain time period. It's a ridiculous message and has nothing to do with a mis-configured client.
If you take a tcpdump from ISE's perspective, then count the number of RADIUS accounting packets that the NAS sends in a 5 min period (because ISE doesn't let you capture for longer than 5 minutes ... don't get me started on THAT!! :-)
cheers
Arne
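The per-NAS count described in the reply above, as an added example that is not part of the original thread: a standard-library Python sketch that reads a classic pcap file (Ethernet link type, untagged IPv4 assumed) and tallies RADIUS Accounting-Request packets by source IP and Acct-Status-Type. The function names and the embedded sample capture are constructed for illustration.

```python
import struct
from collections import Counter

ACCT_PORTS = {1813, 1646}  # RFC 2866 accounting port plus the legacy one
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}  # Acct-Status-Type (attr 40)

def count_accounting(pcap: bytes) -> Counter:
    """Count RADIUS Accounting-Requests per (NAS source IP, Acct-Status-Type)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    counts, off = Counter(), 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not Ethernet II / IPv4 / UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 28 or struct.unpack("!H", udp[2:4])[0] not in ACCT_PORTS or udp[8] != 4:
            continue  # RADIUS code 4 = Accounting-Request
        radius = udp[8:]
        src = ".".join(str(b) for b in frame[26:30])
        end = min(len(radius), int.from_bytes(radius[2:4], "big"))
        status, pos = "unknown", 20  # attributes start after the 20-byte header
        while pos + 2 <= end and radius[pos + 1] >= 2:
            if radius[pos] == 40 and radius[pos + 1] == 6:
                status = STATUS.get(int.from_bytes(radius[pos + 2:pos + 6], "big"), "other")
            pos += radius[pos + 1]
        counts[(src, status)] += 1
    return counts

def sample_pcap() -> bytes:
    """Constructed capture: three accounting packets from 192.168.1.1, one from 192.168.1.2."""
    def pkt(src, status):
        attrs = bytes([40, 6]) + status.to_bytes(4, "big")
        radius = bytes([4, 1]) + struct.pack("!H", 20 + len(attrs)) + bytes(16) + attrs
        udp = struct.pack("!HHHH", 50000, 1813, 8 + len(radius), 0) + radius
        ip = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
              + bytes(src) + bytes([192, 168, 1, 10]))
        frame = bytes(12) + b"\x08\x00" + ip + udp
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    nas1, nas2 = [192, 168, 1, 1], [192, 168, 1, 2]
    return hdr + pkt(nas1, 1) + pkt(nas1, 3) + pkt(nas1, 3) + pkt(nas2, 1)

if __name__ == "__main__":
    for (nas, status), n in sorted(count_accounting(sample_pcap()).items()):
        print(f"{nas:15} {status:15} {n}")
```

To use it on a real capture, pass the bytes of a pcap exported from the ISE node to `count_accounting` and compare the totals for an alarming NAS against a quiet one.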
03-04-2019 11:52 AM
Thanks. I would like to have it stop rather than disabling the alarm.
05-20-2020 03:06 PM
You might be right, but in our case it is actually impacting dot1x.
When I log in and run the show authentication session command on the switch,
I see domain UNKNOWN for all the authentication sessions,
and if I check the RADIUS server status on the switch, it will be down.
Then as soon as I enter the RADIUS shared secret key it works until the switch reboots (I save the configuration).
It seems to happen more on Cat9200 and Cat 9300 running Fuji.
Has anyone run into this before?
05-20-2020 03:09 PM
The issue you are seeing has nothing to do with the misconfigured network device alarm. As has been said, that is only related to accounting messages. It is our standard practice to disable that alarm and in over 100 installs I have never seen a reason to enable it. Sounds like you are running into a bug maybe. What version of code on your switches?
05-21-2020 01:49 PM