https://community.cisco.com/t5/network-access-control/monitor-authentication-failures/m-p/2075941#M141556 <HTML><HEAD></HEAD><BODY><P>Hello Kashish-</P><P></P><P>Both the switches and ISE should generate logs that you can use to alert you. Here is an example from both my lab switch and my lab ISE node:</P><P></P><P><STRONG style="text-decoration: underline; ">Switch:</STRONG></P><P>*Mar&nbsp; 8 22:41:18.318: <STRONG>%DOT1X-5-FAIL</STRONG>: Authentication failed for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3</P><P>*Mar&nbsp; 8 22:41:18.318: %<STRONG>AUTHMGR-7-RESULT</STRONG>: Authentication result 'no-response' from 'dot1x' for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3</P><P>*Mar&nbsp; 8 22:41:18.318: %<STRONG>AUTHMGR-7-FAILOVER</STRONG>: Failing over from 'dot1x' for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3</P><P>*Mar&nbsp; 8 22:41:18.318: %<STRONG>AUTHMGR-7-NOMOREMETHODS</STRONG>: Exhausted all authentication methods for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3</P><P>*Mar&nbsp; 8 22:41:18.318: %<STRONG>AUTHMGR-5-FAIL</STRONG>: Authorization failed or unapplied for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3</P><P></P><P><STRONG style="text-decoration: underline; ">ISE:</STRONG></P><P><STRONG style="text-decoration: underline; "><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/6/9/2/123296-1-3-2013%2011-09-47%20AM.jpg" class="jive-image" /><BR /></STRONG></P><P></P><P></P><P>I hope this helps!</P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Thu, 03 Jan 2013 16:10:39 GMT nspasov 2013-01-03T16:10:39Z https://community.cisco.com/t5/network-access-control/monitor-authentication-failures/m-p/2075939#M141524 <P>We have deployed dot1x in our network. Now we want to keep track of all failed authentications before any user reports a problem.</P><P>I am wondering if there is an easy way to look at switch logs and&nbsp; find out any authentication that might have failed...I can look at logs on ISE as well, but not all logs can be seen on ISE, so I want to know if anyone has successfully parsed switch logs to know ANY authentication failure from switch perspective. Basically I want to develop a mechanism that keeps on monitoring switch logs for any dot1x auth fail event and alert me. Alerting should be based on switch logs.</P><P>Any ideas are welcome.</P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 02:56:14 GMT https://community.cisco.com/t5/network-access-control/monitor-authentication-failures/m-p/2075939#M141524 Kashish_Patel 2019-03-11T02:56:14Z https://community.cisco.com/t5/network-access-control/monitor-authentication-failures/m-p/2075940#M141541 <HTML><HEAD></HEAD><BODY><P>Why don;t you syslog them somewhere then use something like Kiwi Syslog to filter the entries youare looking for?</P><P></P><P>Thanks</P><P>Chris</P></BODY></HTML> Thu, 03 Jan 2013 12:58:00 GMT https://community.cisco.com/t5/network-access-control/monitor-authentication-failures/m-p/2075940#M141541 Chris Illsley 2013-01-03T12:58:00Z https://community.cisco.com/t5/network-access-control/monitor-authentication-failures/m-p/2075941#M141556 <HTML><HEAD></HEAD><BODY><P>Hello Kashish-</P><P></P><P>Both the switches and ISE should generate logs that you can use to alert you. Here is an example from both my lab switch and my lab ISE node:</P><P></P><P><STRONG style="text-decoration: underline; ">Switch:</STRONG></P><P>*Mar&nbsp; 8 22:41:18.318: <STRONG>%DOT1X-5-FAIL</STRONG>: Authentication failed for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3</P><P>*Mar&nbsp; 8 22:41:18.318: %<STRONG>AUTHMGR-7-RESULT</STRONG>: Authentication result 'no-response' from 'dot1x' for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3</P><P>*Mar&nbsp; 8 22:41:18.318: %<STRONG>AUTHMGR-7-FAILOVER</STRONG>: Failing over from 'dot1x' for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3</P><P>*Mar&nbsp; 8 22:41:18.318: %<STRONG>AUTHMGR-7-NOMOREMETHODS</STRONG>: Exhausted all authentication methods for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3</P><P>*Mar&nbsp; 8 22:41:18.318: %<STRONG>AUTHMGR-5-FAIL</STRONG>: Authorization failed or unapplied for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3</P><P></P><P><STRONG style="text-decoration: underline; ">ISE:</STRONG></P><P><STRONG style="text-decoration: underline; "><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/6/9/2/123296-1-3-2013%2011-09-47%20AM.jpg" class="jive-image" /><BR /></STRONG></P><P></P><P></P><P>I hope this helps!</P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Thu, 03 Jan 2013 16:10:39 GMT https://community.cisco.com/t5/network-access-control/monitor-authentication-failures/m-p/2075941#M141556 nspasov 2013-01-03T16:10:39Z https://community.cisco.com/t5/network-access-control/monitor-authentication-failures/m-p/2075942#M141569 <HTML><HEAD></HEAD><BODY><P>Kashish,<BR /><BR />You should be able to spot check the operations dashboard, or run a radius authentication report and the set the status to failed and then run the report.<BR /><BR />Thanks<BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Thu, 03 Jan 2013 17:31:21 GMT https://community.cisco.com/t5/network-access-control/monitor-authentication-failures/m-p/2075942#M141569 Tarik Admani 2013-01-03T17:31:21Z