04-28-2021 03:17 AM - edited 04-28-2021 03:23 AM
Hi Gentlemen
I have a stack of "WS-C2960S-48LPS-L" running 15.2(2a)E1 with dot1x/MAB AAA on the access ports.
Everything is OK except the stack sends extra RADIUS accounting requests (thousands; every 5 seconds for each already authenticated endpoint; checked with tcpdump on the ISE).
Searching for a bug didn't succeed. Can anyone help with it, please?
#show radius server-group radius-dot1x
Server group radius-dot1x
Sharecount = 1 sg_unconfigured = FALSE
Type = standard Memlocks = 1
Server(<IP1>:1812,1813) Transactions:
Authen: 196 Author: 0 Acct: 127678
Server_auto_test_enabled: TRUE
Keywrap enabled: FALSE
Server(<IP2>:1812,1813) Transactions:
Authen: 0 Author: 0 Acct: 338
Server_auto_test_enabled: TRUE
Keywrap enabled: FALSE
Relevant config:
aaa group server radius radius-dot1x
aaa authentication dot1x default group radius-dot1x
aaa authorization exec default group radius-dot1x if-authenticated
aaa authorization network default group radius-dot1x
aaa accounting update newinfo periodic 1440
aaa accounting dot1x default start-stop group radius-dot1x
aaa group server radius radius-dot1x
server name PSN1
server name PSN2
radius server PSN1
address ipv4 <IP1> auth-port 1812 acct-port 1813
automate-tester username <testuser> probe-on ignore-acct-port
key <ISEKEY>
radius server PSN2
address ipv4 <IP2> auth-port 1812 acct-port 1813
automate-tester username <testuser> probe-on ignore-acct-port
key <ISEKEY>
device-sensor accounting
device-sensor notify all-changes
Typical port:
interface GigabitEthernet2/0/40
description ACCESS PORTS
switchport access vlan <DATAVLAN>
switchport mode access
switchport voice vlan <VOICEVLAN>
ip access-group ACL-PreAuth in
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan <DATAVLAN>
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
end
04-28-2021 08:55 AM
Is this only on this switch? What devices are connected to this switch (AP / phone / ?)
Worth checking this thread:
04-28-2021 09:46 AM
Hi Balaji
Yes, it's only this switch misbehaving :0) Endpoints are phones & PCs. No flaps on the ports. No IP device tracking events. Nothing suspected.
I've read the thread you've referred to. Not usable, unfortunately :0(
04-28-2021 09:56 AM - edited 04-28-2021 09:56 AM
Not that I am aware of any other bug reported at this stage; maybe we need to see what made the device think of sending too many accounting requests?
If this is a pressing issue, or if you get the chance, upgrade to the latest IOS and check 15.2.2E9.
04-28-2021 09:59 AM
"maybe we need to see what made the device think of sending too many accounting requests?" - any idea how?
"If this is a pressing issue, or if you get the chance, upgrade to the latest IOS and check 15.2.2E9" - I'm thinking about it. Now I'm trying to open a case with TAC as I don't get how to advance.
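
One way to measure what the switch is actually sending, as an added example that is not part of the thread or Cisco's tooling: it parses RADIUS Accounting-Request payloads (RFC 2866) and reports endpoints whose Interim-Updates arrive more often than the 1440-minute period in the posted config, together with the names of the cisco-av-pair attributes those updates carry. Assumptions: the records are (timestamp, UDP payload) pairs already extracted from the tcpdump capture in capture order, and the function names and sample packets are constructed for illustration.

```python
import struct

ACCT_REQUEST, INTERIM_UPDATE = 4, 3              # RFC 2866 code / Acct-Status-Type value
CALLING_STATION_ID, VSA, ACCT_STATUS_TYPE = 31, 26, 40
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def parse_acct(payload):
    """Return (calling_station_id, status_type, av_pair_names) or None if not a sane Accounting-Request."""
    length = struct.unpack("!H", payload[2:4])[0] if len(payload) >= 20 else 0
    if length < 20 or length > len(payload) or payload[0] != ACCT_REQUEST:
        return None
    mac, status, names, pos = None, None, [], 20
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                          # malformed attribute
        value = payload[pos + 2:pos + alen]
        if atype == CALLING_STATION_ID:
            mac = value.decode("ascii", "replace")
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            status = struct.unpack("!I", value)[0]
        elif atype == VSA and len(value) >= 6:
            vendor, vtype = struct.unpack("!IB", value[:5])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                names.append(value[6:].split(b"=", 1)[0].decode("ascii", "replace"))
        pos += alen
    return mac, status, names

def noisy_endpoints(records, max_interval_s):
    """records: (timestamp_s, udp_payload) pairs; report endpoints whose interim updates are closer than max_interval_s."""
    times, seen = {}, {}
    for ts, payload in records:
        mac, status, names = parse_acct(payload) or (None, None, [])
        if mac and status == INTERIM_UPDATE:
            times.setdefault(mac, []).append(ts)
            seen.setdefault(mac, set()).update(names)
    report = {}
    for mac, stamps in times.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if gaps and min(gaps) < max_interval_s:
            report[mac] = (len(stamps), min(gaps), sorted(seen[mac]))   # (count, shortest gap, av-pair names)
    return report

def _sample(mac, status, avpair):                # constructed packet, not a real capture
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    vsa = attr(VSA, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, avpair))
    attrs = attr(CALLING_STATION_ID, mac) + attr(ACCT_STATUS_TYPE, struct.pack("!I", status)) + vsa
    return struct.pack("!BBH", ACCT_REQUEST, 0, 20 + len(attrs)) + bytes(16) + attrs
SAMPLE = [(t, _sample(b"AA-BB-CC-00-00-01", INTERIM_UPDATE, b"lldp-tlv=x")) for t in (0, 5, 10)]
SAMPLE.append((0, _sample(b"AA-BB-CC-00-00-02", 1, b"audit-session-id=y")))
```

Calling `noisy_endpoints(SAMPLE, 1440 * 60)` flags only the first constructed endpoint; on a real capture the av-pair names show which attributes ride in the frequent updates.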