topic Re: Switch login attempt in Network Access Control

Switch login attempt

Moudar — Wed, 28 Jun 2023 10:49:02 GMT

When we check the authorization policy on ISE which is resposible for switch logins, we could se a log like this one:

Why the username is Id;? Where does this (Id;) come from?

What does "11014 RADIUS packet contains invalid attribute(s) " mean? We don't have any issue on our Radius server ISE!

If i try on a switch to login with username Id; the log in ISE will be like this one:

Is there someone trying to login to our switch or what is the case?

Re: Switch login attempt

Flavio Miranda — Wed, 28 Jun 2023 11:04:07 GMT

It could be some tools trying to access the switch. Do you have monitoring tools? Maybe DNAC doing discovery?

Re: Switch login attempt

Moudar — Wed, 28 Jun 2023 11:09:33 GMT

I have a tool that logs in all switches and make backups. But that tool uses my AD account and nothing else.

I can see logs from the tool in ISE which are green and accept

Re: Switch login attempt

Flavio Miranda — Wed, 28 Jun 2023 11:15:13 GMT

It seems something else is trying and failing. Take a look on the switch logs, which probably will not be helpful but worth it to try.

You can also try to ping the IP 10.34.0.74 and track it down using ARP.

Re: Switch login attempt

Moudar — Wed, 28 Jun 2023 11:22:12 GMT

10.340.74 is my laptop, in the second image i did a test to login with username Id; to see what would the log looks like. And i looks like the second image.

I mean even if i try to use Id; as a username the log in ISE does not comeback with Id; username but with INVALID;INVALID as you can see in the scond image

Re: Switch login attempt

Flavio Miranda — Wed, 28 Jun 2023 11:28:19 GMT

If you get the real fail log, which IP address will be there as Endpoint ID?

Re: Switch login attempt

Rob Ingram — Wed, 28 Jun 2023 11:32:26 GMT

@Moudar you can force Cisco ISE to display the invalid usernames. To do this, check the Disclose Invalid Usernames check box under Administration > System > Settings > Security Settings

Re: Switch login attempt

Moudar — Wed, 28 Jun 2023 11:34:43 GMT

That is the problem there is nothing in the log about Endpoint!! You can check the log:

Re: Switch login attempt

Moudar — Wed, 28 Jun 2023 11:37:55 GMT

Should it restart the whole machine?

Re: Switch login attempt

Moudar — Wed, 28 Jun 2023 11:43:10 GMT

What is under INVALID is not important just in this case! the important is to know what is that Id; user?

Re: Switch login attempt

Flavio Miranda — Wed, 28 Jun 2023 11:44:13 GMT

Another alternative would be use sniffer on the switch side.

span one port to you laptop, run wireshark and try do dig into the logs when the ISE notify the login attempt

Re: Switch login attempt

Moudar — Wed, 28 Jun 2023 11:54:06 GMT

There were 3 attmepts yesterday, i will keep track and see if it happens again

"span one port to you laptop, run wireshark and try do dig into the logs when the ISE notify the login attempt" maybe not happen in days who knows?!

Any other suggestion?

Re: Switch login attempt

Rob Ingram — Wed, 28 Jun 2023 11:59:10 GMT

@Moudar why are you changing the SHA1 cipher settings? thats not the setting that was suggested to change.

Disclosing the invalid username would reveal the user identity in the logs, which might provide a clue. Disclosing the invalid username (as per above suggestion) will not require restarting services.

What type of device is the NAD - 10.128.2.8?

You can take a packet capture (tcpdump) on ISE, setup a filter on 10.128.2.8 and determine what attributes are being sent.

Re: Switch login attempt

Flavio Miranda — Wed, 28 Jun 2023 12:00:54 GMT

If you can keep the log running in a computer for this period you can use filter on the Wireshark. .

If you filter on the port 1812 there will be just a few logs during the day. At least on the wireshark you will se the orign IP address.

Re: Switch login attempt

Moudar — Wed, 28 Jun 2023 12:03:26 GMT

When i try to activate "Disclosing the invalid username" click on Save then that about SHA1 came after!

10.128.2.8 is a router

Can you write the syntax of tcpdump on ISE?

Re: Switch login attempt

Rob Ingram — Wed, 28 Jun 2023 12:06:05 GMT

@Moudar

ip host 10.128.2.8

Re: Switch login attempt

Moudar — Thu, 29 Jun 2023 12:16:33 GMT

Now I maybe know the problem source.

It was Prime, I had changed my AD password. On Prime I have one test switch that used my old password.

Prime tried to login to the switch all the time with wrong password and everytime it did that, the user log on ISE was Id;

Not sure 100% yet, will be back if I discover something else.

Re: Switch login attempt

Flavio Miranda — Thu, 29 Jun 2023 12:35:27 GMT

Classic problem. Saw many times.

It is a good idea a user and password for prime and any monitoring tool.

Re: Switch login attempt

Minnesotakid — Mon, 15 Jan 2024 18:08:57 GMT

I was running into this error on a 2960cx switch for some of my admins. Most of us could login, but one or two couldn't and ISE was giving us this error.

We upgraded the firmware of the switch to 15.2 7(E9) and the users can now successfully login.

Hope this helps!