
ISE 2.1 - 12929 NAS sends RADIUS accounting update messages too frequently

N3t W0rK3r

Our ISE server is alarming with the above error message for radius messages coming from our WLC.  The WLC is a 5520 running 8.2.166.0 code.

 

In the WLC GUI, I reviewed the AAA settings on one of the popular SSIDs and I saw that the interim update was enabled and the interval was set to 0 originally. Not sure what a zero value means in this context or even what the unit of measure is for that field since it's not displayed, but we decided to change it to the apparent default of 600 secs. This did not seem to have an impact on the alarm reported in ISE.

 

Sample ISE alarm contains following details:

 

Message: NAS conducted several failed authentications of the same scenario

Failure count: 24133

Failure Duration: 889:09:57

Failure Reason: 12929 NAS sends RADIUS accounting update messages too frequently

 

Question is, is this normal? That count and duration seem quite high. Is this a bug? Should I even have interim updates enabled on the WLAN? What is the implication of disabling it? Not really sure where to go from here, so I'm looking for guidance from the community here.

 

Thanks in advance.

 

John


Hi,

The message 'NAS sends RADIUS accounting update messages too frequently' can be caused by many reasons such as a flapping port, an open SSID, etc. In your case it's failed authentications. You need to look at the syslogs generated from the WLC related to dot1x authentication and see why you are having too many authentication failures. It can be a misconfigured client, which is usually the case.

Now the implication is that this increases the size of the MNT database due to the large amount of accounting logs. Also, in some instances it can cause high CPU in MNT, and if it's hosted with PAN, then it can be an issue.

One option that can be useful here is RADIUS accounting suppression.

Thank you Mohammed.

 

Can you please expand on what you mean by radius accounting suppression?  Are you suggesting that I actually disable accounting on the SSID?

 

Thanks.

 

John

I have been through the mill on this topic as well and never got a really clear answer from Cisco.  To give you an example, on a network of say 5 active guest devices I was getting the same errors as you.  There is no way that I was getting many accounting messages because interim update was set to 0.  I think there is an integration timer and if more than x number of messages are seen in time y then ISE starts to panic and complain about it.  The values of x and y are probably not sensibly set by default.

 

Have a look at this thread over in the ISE Community sister forum

https://communities.cisco.com/thread/85221

 

Thank you Arne... very helpful.

Cheers.

Hi,

 

We have the same issue here. ISE 2.1 complains about too many accounting messages from NAS for both the WLCs (version >8) and the wired switches (3750x for instance running 15.0(2)SE6 or 15.0(2)SE7).

 

On the WLC settings we do have the interim update set to 0.

On switches we have the below accounting config :

 

aaa accounting update newinfo periodic 2880
aaa accounting dot1x default start-stop group ISE-RADIUS

 

Regarding switches I can observe using the debug radius accounting that these messages are sent every 4 or 5 sec for ports that authenticated the endpoints using MAB.

 

Any idea?

 

regards
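
One way to find which sessions drive this alarm, as an added example (not from any poster in this thread and not Cisco's code): count Interim-Update records per NAS and session inside a sliding window. The CSV layout, the sample records and the limit of 3 updates per 60 seconds are assumptions; the thread does not state the thresholds ISE itself uses.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one accounting record per line:
# timestamp, NAS-IP-Address, Acct-Session-Id, Acct-Status-Type
SAMPLE = """\
2017-03-01T10:00:00,192.0.2.10,sess-mab-01,Start
2017-03-01T10:00:04,192.0.2.10,sess-mab-01,Interim-Update
2017-03-01T10:00:09,192.0.2.10,sess-mab-01,Interim-Update
2017-03-01T10:00:13,192.0.2.10,sess-mab-01,Interim-Update
2017-03-01T10:00:18,192.0.2.10,sess-mab-01,Interim-Update
2017-03-01T10:00:22,192.0.2.10,sess-mab-01,Interim-Update
2017-03-01T10:00:00,192.0.2.10,sess-dot1x-02,Start
2017-03-01T10:10:00,192.0.2.10,sess-dot1x-02,Interim-Update
2017-03-01T10:20:00,192.0.2.10,sess-dot1x-02,Interim-Update
2017-03-01T10:00:30,192.0.2.20,sess-wlc-03,Interim-Update
2017-03-01T10:01:30,192.0.2.20,sess-wlc-03,Interim-Update
2017-03-01T10:02:30,192.0.2.20,sess-wlc-03,Interim-Update
"""

def noisy_sessions(text, max_updates=3, window=timedelta(seconds=60)):
    """Return {(nas, session): peak} for every session whose Interim-Update
    count inside any sliding window exceeds max_updates (assumed limits)."""
    stamps_by_session = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:            # skip blank or malformed lines
            continue
        ts, nas, session, status = row
        if status == "Interim-Update":
            stamps_by_session[(nas, session)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, stamps in stamps_by_session.items():
        stamps.sort()
        start = peak = 0
        for end, t in enumerate(stamps):
            # Slide the left edge until the window spans less than `window`.
            while t - stamps[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_updates:
            flagged[key] = peak
    return flagged

if __name__ == "__main__":
    for (nas, session), peak in noisy_sessions(SAMPLE).items():
        print(f"{nas} {session}: {peak} interim updates within 60s")
```
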


Thank you Arne for your advice,

While checking your solution I could not reach this thread due to some sort of misspelling in the link provided.

Looks like you have to follow this thread, if applicable:
https://community.cisco.com/thread/85221

that leads to:
https://community.cisco.com/t5/identity-services-engine-ise/ise-alarms-misconfigured-network-device-detected/m-p/3420973

Yours,
Alfred