https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407228#M428783 <P>Hello </P><P>ACS 3.3.2 has a mapping to a 2003 MS AD domain member machine. The users are all in the AD. Now when a valid user but with a wrong password tries to login, then the failure is just seen in the 2003 MS security event log and not in the ACS failed attempts. I this a normal behavoir?</P><P></P><P>best regards</P><P>Oliver</P> Sun, 10 Mar 2019 21:14:27 GMT o-ziltener 2019-03-10T21:14:27Z https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407228#M428783 <P>Hello </P><P>ACS 3.3.2 has a mapping to a 2003 MS AD domain member machine. The users are all in the AD. Now when a valid user but with a wrong password tries to login, then the failure is just seen in the 2003 MS security event log and not in the ACS failed attempts. I this a normal behavoir?</P><P></P><P>best regards</P><P>Oliver</P> Sun, 10 Mar 2019 21:14:27 GMT https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407228#M428783 o-ziltener 2019-03-10T21:14:27Z https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407229#M428786 <HTML><HEAD></HEAD><BODY><P>Cisco Secure ACS Solution Engine includes a feature called Support, found in the System Configuration section of the HTML Interface. When you select the Run Support Now option on the Support page of an appliance that is configured to use a remote agent for any service, the appliance instructs the remote agent to collect copies of its diagnostic logs. The Windows agent produces a cabinet file containing the log files. The Solaris agent produces a tar file containing the log files.</P></BODY></HTML> Thu, 28 Jul 2005 15:52:11 GMT https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407229#M428786 didyap 2005-07-28T15:52:11Z https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407230#M428788 <HTML><HEAD></HEAD><BODY><P>Hello</P><P>unfortunately this option is possible with the windows ACS. I think, in the past with older version of the ACS or with Win2000 was this never an issue!</P><P>What do you think?</P><P></P><P>best regards</P><P>Oliver</P></BODY></HTML> Mon, 15 Aug 2005 11:17:19 GMT https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407230#M428788 o-ziltener 2005-08-15T11:17:19Z https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407231#M428790 <HTML><HEAD></HEAD><BODY><P>Actually, this is normal behavior WRT how the MSFT supplicant currently operates. Assuming the machine has 802.1x authenticated itself, and assuming the machine is then subsequently and successfully attached to a domain, and assuming you have the supplicant configured to 802.1x authenticate a user ...</P><P></P><P>Then the experience you will get is Kerberos failing on a type-o'd password. So, it's similar to the experience you get today without 802.1x.</P><P></P><P>Does this answer your question?</P><P>p.s. You can verify this by checking the switch as well. If you don't see the port in a HELD state at the point in time, that means AAA didn't tell it to fail the attempt via RADIUS-Reject packet, hence AAA didn't send one, hence it won't be in a failed-auth log since from the AAA perspective, nothing really happened in this specific scenario. </P></BODY></HTML> Mon, 15 Aug 2005 13:38:40 GMT https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407231#M428790 jafrazie 2005-08-15T13:38:40Z https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407232#M428793 <HTML><HEAD></HEAD><BODY><P>Actually not...</P><P>What do you mean with WRT and MSFT exactly?</P><P>Why do you point to kerberos?</P><P></P><P>best regards</P><P>Oliver</P><P></P><P></P></BODY></HTML> Mon, 15 Aug 2005 17:42:35 GMT https://community.cisco.com/t5/network-access-control/failed-attemps-are-not-logged-802-1x/m-p/407232#M428793 o-ziltener 2005-08-15T17:42:35Z