topic Re: ACS / Tacacs and Failed Attempts in Network Access Control

ACS / Tacacs and Failed Attempts

soldnermichael — Fri, 21 Feb 2020 18:23:07 GMT

In our aaa implementation we use tacacs with the local db as backup. Well, I'm trying to harden security. I know IOS has this nice little command:

â€œlogin on-failure log every xâ€

This would be great so we could at least see the syslog message and have an idea if someone is trying to get into a piece of our equipment without having to try and watch the "Failed Attemps" report in ACS - but given we are using Tacacs, the only way this will throw a message is if ACS isn't available.

I'd like to know if there is a way for ACS to give us this information. Or, to get syslog messages to get thrown.

Thanks!

Re: ACS / Tacacs and Failed Attempts

Jesse Wiener — Wed, 18 Mar 2009 16:04:37 GMT

You can have acs push out to your syslog.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/syslog.html

Re: ACS / Tacacs and Failed Attempts

soldnermichael — Wed, 18 Mar 2009 16:19:36 GMT

Yep - I was just hoping for some more granularity since all of our wireless devices enterprise-wide authenticate against ACS. I only want to know about the failed tacacs attempts.

Re: ACS / Tacacs and Failed Attempts

Jesse Wiener — Wed, 18 Mar 2009 16:38:32 GMT

So you only want to see syslog message for tacacs failures not for wireless auth failures. I am not sure how you would do that from ACS.

If it were me I would use a splunk syslog server and send all of the failures to it. Then in splunk I would setup a filter to only display the NAS-IP-Addresses that I was interested in.

Or if I had MARS I would setup a rule in that to look for login failures on those devices to trigger a notification.

What is your syslog server now?

Re: ACS / Tacacs and Failed Attempts

soldnermichael — Wed, 18 Mar 2009 16:45:41 GMT

We currently use Orion.

I guess I was just hoping to keep it within that so we'd see the syslog come through, but using Splunk isn't a bad idea...

Re: ACS / Tacacs and Failed Attempts

Jesse Wiener — Wed, 18 Mar 2009 17:13:48 GMT

I hear ya.

I know that acs 5 is going to be a lot more policy based on how users authenticate and what policies get applied depending on their location, etc... Hopefully the logging will offer some of the same granularity.

-Jesse

Re: ACS / Tacacs and Failed Attempts

soldnermichael — Wed, 18 Mar 2009 17:27:40 GMT

Guess I'm stuck then.