I don’t see any RADIUS Accounting requests from the NAD. Check the NAD config and ensure you send Accounting to ISE. Without Accounting, there is no licence control mechanism.

Hi 

yes i do tcpdump and i have the result in the screenshot 

 

You can see device configuration with accounting

version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform punt-keepalive disable-kernel-core
!

!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 9 $9$/SXYyWMrxWN3TU$glftNzRHsEHttBKGbJAWNuoESG1MReBBS/IL/8xplaE
!
!
!
!
aaa new-model
!
!
aaa group server radius ise
server name ISEACEP
ip radius source-interface Vlan 22
!
aaa authentication dot1x default group ise
aaa authorization network default group ise
aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ise
!
!
!
!
!
aaa server radius dynamic-author
client 192.168.10.50 server-key acep
!
aaa session-id common
switch 1 provision c9200l-48p-4g
!
!
!
!
!
device-sensor filter-list dhcp list DHCP-LIST
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
!
device-sensor filter-list lldp list LLDP-LIST
tlv name system-name
tlv name system-description
tlv name system-capabilities
!
device-sensor filter-list cdp list CDP-LIST
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor notify all-changes
!
!
!
!
!
!
no ip domain lookup
ip domain name acep-bf.com
!
!
!
login on-success log
access-session attributes filter-list list Def_Acct_list
access-session accounting attributes filter-spec include list Def_Acct_list
access-session mac-move deny
access-session acl default passthrough
no device-tracking logging theft
device-tracking policy IPDT_POLICY
no protocol udp
tracking enable
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-987440204
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-987440204
revocation-check none
rsakeypair TP-self-signed-987440204
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
D697DF7F 28
quit
crypto pki certificate chain TP-self-signed-987440204
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39383734 34303230 34301E17 0D323431 31303731 38313935
335A170D 33343131 30373138 31393533 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3938 37343430
32303430 82012230 0D06092A 864886F7 0D010101 05000382 010F0030 82010A02
82010100 A5D1A0C4 E7500C57 2E12E1D4 83D77751 1A61C84D 09C52276 F35C7511
513CFDFE 1833B902 3EE2B117 7F7E7C3F 3B6E0AFB A8BFF0C5 33F19A2B 90F81F78
7817C6D9 B3C4AF35 4E4D5332 3EC4B7FA E1FAF7DE 31D95594 7B643FAC ACDBC572
1C5CC780 0DFCB020 CB3A0B26 0CA3B0AB E9A26C65 D3741FBD E08F0FFE 084CCDB8
84993D14 D99B7C46 8EE32574 9D6DED2C F63843E0 B4B3956D FA7F3E18 CA726D80
3BBE9B1A CA77C6DE AB8D321E 25E1AE36 00F707C4 CA90E2CA 50E21314 613AA891
A3DFC7DF 1DC78898 D9FEB394 B319675E 25FE8A3B 588A36E2 E084BD75 1D6A595F
2EB7C1B9 0135A41A EBBC68BC 5E4DDEDA BD532146 FF61289A 0CF69D04 AACA1979
AF66B9FF 02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F
0603551D 23041830 16801444 B061720B 6A7F027C 7E435FDE E34BC20D 8B822A30
1D060355 1D0E0416 041444B0 61720B6A 7F027C7E 435FDEE3 4BC20D8B 822A300D
06092A86 4886F70D 01010505 00038201 01008B85 F9C9BC32 01B67519 BC3D08A8
C3068D11 47EA34E2 C8B9AE4B B584CE4E CBA6DF01 B4A10CB5 D89713D0 6F0F32C1
61D5D285 B4BE2853 D4829F8C 275F147C EABBAB3E 410F4887 FB8E5B68 F9629631
E5342184 0A599E14 48B600A4 74299BDA 9282B152 9B154EFD 7272B8FB 825CFC72
BC83B528 29BFBA83 8B4A5272 FF866326 37AB0081 8CF2383E 382010EB 093CFDE3
97E610BE 6134F4AE 0E05FBD0 29005938 73C9FB18 F50B0E27 9952CF94 8991BB13
F58587A5 D1A7A6FC BE82F904 DC93864D EA9FA551 65D657F9 91BBFC92 20351263
780F143B 565C7FD1 DBD685BC FC2A9C5E C9B26C74 32C8918F 19DD880C 0EEDA0DD
0A8FD16D 164C768A 34D68020 DD752A18 3402
quit
!
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
service-template webauth-global-inactive
inactivity-timer 3600
dot1x system-auth-control
dot1x critical eapol
license boot level network-essentials addon dna-essentials
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
memory free low-watermark processor 10298
!
username Netacep privilege 15 secret 9 $9$AjKgVG00.nrI8.$/6bzxbT1kIymArs0MNC6LQpL3S/D/0VOcRjA3B1R/9Y

!
redundancy
mode sso
!
!
transceiver type all
monitoring
!
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!

!
interface GigabitEthernet1/0/11
switchport access vlan 30
switchport mode access
device-tracking attach-policy IPDT_POLICY
ip access-group IPV4_PRE_AUTH_ACL in
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 10
switchport mode access
device-tracking attach-policy IPDT_POLICY
ip access-group IPV4_AUTH_ACL in
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
!

!
interface GigabitEthernet1/0/48
description TRUNK-
switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
no ip address
!
interface Vlan22
ip address dhcp
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
ip ssh version 2
no ip ssh server authenticate user keyboard
!
!
ip access-list extended ACL_WEBAUTH_REDIRECT
10 permit tcp any any eq www
20 permit tcp any any eq 443
ip access-list extended BLOCKHOLE
10 permit tcp any any eq www
20 permit tcp any any eq 443
ip access-list extended IPV4_CRITICAL_ACL
10 permit ip any any
ip access-list extended IPV4_PRE_AUTH_ACL
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 deny ip any any
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
!
radius server ISEACEP
address ipv4 192.168.10.50 auth-port 1812 acct-port 1813
automate-tester username test.acep ignore-acct-port probe-on
key acep
!
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
c
!
end

I do t see any Accounting Requests in your screenshots.

You won’t see any accounting request after using the “test aaa” command. The switch does not create a session for that test. But for your access sessions, you should see accounting.

What sessions are active on the switch?
“show access-sessions”
“show access-sessions interface gig 1/0/1 detail”

Check RADIUS counters
“show aaa servers”

Are you allowing UDP/1813 from switch to ISE (no firewall blocking?)
The switch config looks good. If you followed the Cisco Wired Prescriptive Guide, you should be on the right path.

Failing all that ... There is a possibility that the IOS-XE 17.3 is buggy. Have you tried 17.12.4 (I think that is the current gold star release)

Hi see below 

sh aaa servers

sh access session

Can i have the link of the Cisco Wired Prescriptive Guide?

Hello

Wow. The “show aaa servers” tells us that the switch is unable to communicate successfully with ISE ("state current DEAD"). The state should be "UP". If the RADIUS server state is dead, then it also explains why your sessions are "Unauthd" (unauthenticated).
Fix the RADIUS server communications, and then go again.
The Wired Prescriptive Guide is the link that Thomas Howard sent, around the 2nd of December. It will also explain what the switch should do when the RADIUS server is unreachable. In IBNS 2.0 you can handle this Critical Auth situation. It should be a rare situation (if you have listed multiple servers) but it should be part of your failure handling.

I don't understand why the "show aaa servers" shows DEAD but your wireshark shows access requests and access accepts. Perhaps your switch RADIUS probes are not working as expected. Those probes come into effect during idle periods.

Go through the guide from Thomas and check everything.