Threshold for NAS sends RADIUS accounting update messages too frequently?

akotwica
Cisco Employee

Hello,

I have a question regarding the alarm "Misconfigured Network Device Detected". Reason:

NAS sends RADIUS accounting update messages too frequently

Does anyone know what the threshold is for this alert to be triggered? And is it hardcoded (I'm suspecting this), or can we configure this value?

Accepted Solution

The trigger itself is defined under Administration > System > Settings > Protocols > RADIUS > Accounting Suppression Interval. By increasing the interval, you will suppress updates if more than 2 are received in the specified window. This will reduce logs and reduce updates to MnT, with the understanding that no more Accounting updates are processed for that connection until the interval expires. If you are not monitoring the specific failures, then it may be good for some customers to see the total alarms.

One example is CoA failures. You expect there to be some, but in poorly configured deployments you will see hundreds or thousands, which often means that the NAD is not configured for CoA or with proper sources, or the LB is dropping. Similarly, high drop requests often mean a NAD is not configured, or has wrong credentials.

/Craig
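To find which NADs are actually behind the alarm before suppressing or disabling it, the "more than 2 in the specified window" rule from the answer above can be replayed over exported accounting records. This is an added example, not ISE's own logic or code from this thread; the record layout, the sample data and the function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs):
# (timestamp, NAS-IP-Address, Acct-Session-Id, Acct-Status-Type)
SAMPLE = [
    ("2024-01-01T10:00:00", "10.0.0.1", "sess-A", "Start"),
    ("2024-01-01T10:00:05", "10.0.0.1", "sess-A", "Interim-Update"),
    ("2024-01-01T10:00:10", "10.0.0.1", "sess-A", "Interim-Update"),
    ("2024-01-01T10:00:15", "10.0.0.1", "sess-A", "Interim-Update"),
    ("2024-01-01T10:00:20", "10.0.0.1", "sess-A", "Interim-Update"),
    ("2024-01-01T10:00:00", "10.0.0.2", "sess-B", "Start"),
    ("2024-01-01T10:05:00", "10.0.0.2", "sess-B", "Interim-Update"),
    ("2024-01-01T10:10:00", "10.0.0.2", "sess-B", "Interim-Update"),
    ("2024-01-01T10:15:00", "10.0.0.2", "sess-B", "Interim-Update"),
]

def chatty_sessions(records, window_seconds, max_updates=2):
    """Return {(nas, session): excess}, where excess counts interim updates
    that pushed a session above max_updates inside the sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (nas, session) -> update times still in window
    excess = defaultdict(int)
    for ts, nas, session, status in sorted(records):  # ISO timestamps sort as text
        if status != "Interim-Update":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[(nas, session)]
        q.append(now)
        while now - q[0] >= window:   # drop updates that aged out of the window
            q.popleft()
        if len(q) > max_updates:
            excess[(nas, session)] += 1
    return dict(excess)

def per_nas(excess):
    """Roll per-session excess counts up to one total per NAS."""
    totals = defaultdict(int)
    for (nas, _session), count in excess.items():
        totals[nas] += count
    return dict(totals)

if __name__ == "__main__":
    # window_seconds is a constructed value, not an ISE default
    print(per_nas(chatty_sessions(SAMPLE, window_seconds=60)))
```

Running it with different window sizes shows how many updates a given suppression interval would absorb per NAD, which helps decide whether the fix belongs on the device's interim-update timer or on the ISE side.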

5 Replies

paul
Level 10

As far as I am concerned this message has been a false positive since the start. I have investigated this in the early days and found no issues. Now I just disable this alarm. Not sure if that is right but that is how I handle this alarm.

vibobrov
Cisco Employee

Yep, some of the alarms just become a nuisance in most circumstances. Another example is Misconfigured Supplicant Detected. In most large deployments, EAP timeouts happen all the time and this alarm will show up thousands of times.

In large deployments, especially when emailing out alarms, here is what I typically disable:

1. Misconfigured NAS

2. Misconfigured Supplicant

3. Change Notification

4. Supplicant stopped responding

5. RADIUS Request Dropped

6. CoA Failed

I know some of these may have events to look at but a lot of times they are false positives and result in too much noise.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Craig,

Yeah CoA seems to me an interesting one in larger deployments. I have been on some very large deployments that get CoA messages quite frequently but we know everything is configured correctly. If we dig into them we can see ISE sending CoA messages to network devices that didn’t authenticate that session originally. So the network device NAKs it.

Most times I tell the customer don’t worry about the CoA messages unless you have issues where you know CoA is a definitive requirement, i.e. portal redirection, posturing, profile changes, etc. In the large installs where CoA failures were happening often, every time the CoA was needed for a legitimate requirement it worked just fine. So I always just message that CoA failure noise is going to happen. Maybe the wrong message, but that is my experience.

Paul Haferman