cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
936
Views
5
Helpful
4
Replies

No Authentications in the last 15 minutes

dgaikwad
Contributor
Contributor

Hi Experts,

I am seeing this error being reported for every 15 minutes.
And clicking on details button is greyed out.
Currently running ISE 2.7 with patch 3.

Is there any ways to suppress this message?
It does seem to be reported for 2.7 as a bug, and patch fix is not listed: Cisco Bug: CSCvw21033 - ENH: ISE: "ISE Authentication Inactivity" alarm - no details available

Any suggestions.

1 Accepted Solution

Accepted Solutions

While the alarm doesn't have anything to indicate it, this is per node. There are a couple enhancement requests to improve it, but alas it's still a general alarm for now. Given that all of your authentication is being directed at one node, the second one is likely throwing this alarm accurately. 

I would suggest splitting your load 50/50, no reason to make a single node process all requests. 

There are scenarios where the alarm occurs because of log ingestion issues, but those are not very common. 

View solution in original post

4 Replies 4

Octavian Szolga
Enthusiast
Enthusiast

Hi,

 

The alarm is pretty obvious. Because ISE is basically a RAIDUS server used for wired/wifi (MAB/802.1x) or VPN (pure RADIUS) environments, it raises an alarm when it's not used, because it's considered unusual. A network that uses ISE for all 3 network connectivity options (wired/wifi/VPN) should almost always send to ISE some auth requests.

 

If your network is not that noisy, you can disable the alarm itself from Administration > System Settings > Alarm Settings >

ISE Authentication Inactivity.
 
BR,
Octavian

thomas
Cisco Employee
Cisco Employee

If you are testing ISE in a lab, this can be quite normal because you may only have a few devices connecting infrequently.

However, depending on your configured session timeouts, for almost all production networks with more than few hundred endpoints, it should be extremely alarming (literally) not to see one single authentication for 15 minutes. This would indicate an anomalous lack of endpoint authentication requests coming into ISE which means something is likely to be down or misconfigured.

You provided no details about your actual request traffic or patterns to confirm or deny which is happening.

If you are getting this alarm and do have one or more requests every 15 minutes, call TAC and file a bug.

 

dgaikwad
Contributor
Contributor

All the wireless traffic is being sent to just one SSID and this SSID has the two PSNs configured for it.
Seems that only one PSN receiving the RADIUS traffic and this alarm being generated.

While the alarm doesn't have anything to indicate it, this is per node. There are a couple enhancement requests to improve it, but alas it's still a general alarm for now. Given that all of your authentication is being directed at one node, the second one is likely throwing this alarm accurately. 

I would suggest splitting your load 50/50, no reason to make a single node process all requests. 

There are scenarios where the alarm occurs because of log ingestion issues, but those are not very common. 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers