ACS 5.1 RADIUS authentication / AD pw failure -- missing MAC

I've (finally) moved us away from our old ACS 3.2 box, using a local identity store, to a shiny new ACS 5.1 backed by Active Directory.

We're using the ACS primarily to authenticate our wireless users.

On our first day with the new ACS in production, I'm seeing a large number of "24408 User authentication against Active Directory failed since user has entered the wrong password" errors in the RADIUS authentication logs.

I expected this, as users gradually enter their AD creds for authentication.

One of the things that would help our Tech Support folks would be to find out which users/machines are still using old, stored creds.

RADIUS authentication logs, however, are not giving us a MAC (or IP) address to go with the 24408 errors.

We *are* logging MACs for successful authentications as well as things like "12511 Unexpectedly received TLS alert message; treating as a rejection by the client" errors.

Have I not config'd something on our WiSM?  Am I not supposed to be seeing MACs for 24408 errors?

TIA!
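The triage the original poster is after, as an added example that is not part of the original thread or of any Cisco tooling: a Python script that reads a RADIUS authentication report export, groups the 24408 (wrong AD password) failures by user, and, where a failure row carries no Calling-Station-ID, borrows the MAC addresses seen on that same user's other records so Tech Support has a device to chase. The CSV column layout in FIELDS and the sample rows are constructed assumptions, not the real ACS 5.1 report format; adjust FIELDS to match an actual export.

```python
"""Triage ACS-style RADIUS authentication failures from a CSV export.

Constructed example: the column layout (FIELDS) and the sample rows are
assumptions, not the real ACS 5.1 report format.
"""
import csv
import io
from collections import defaultdict

# Assumed column order of the exported RADIUS authentication report.
FIELDS = ["timestamp", "status", "username", "failure_reason",
          "calling_station_id", "nas_ip"]

# Constructed sample export. Note that some 24408 failures have an empty
# Calling-Station-ID column, which is the symptom discussed in the thread.
SAMPLE_CSV = """\
2010-06-01 08:01:12,Fail,CORP\\jdoe,24408 User authentication against Active Directory failed since user has entered the wrong password,,10.1.1.5
2010-06-01 08:01:40,Pass,CORP\\jdoe,,00-1A-2B-3C-4D-5E,10.1.1.5
2010-06-01 08:02:03,Fail,CORP\\asmith,24408 User authentication against Active Directory failed since user has entered the wrong password,,10.1.1.6
2010-06-01 08:02:15,Fail,CORP\\asmith,12511 Unexpectedly received TLS alert message; treating as a rejection by the client,00-AA-BB-CC-DD-EE,10.1.1.6
2010-06-01 08:03:30,Fail,CORP\\bwayne,24408 User authentication against Active Directory failed since user has entered the wrong password,,10.1.1.5
2010-06-01 08:04:00,Fail,CORP\\jdoe,24408 User authentication against Active Directory failed since user has entered the wrong password,00-1A-2B-3C-4D-5E,10.1.1.5
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def reason_code(rec):
    """Return the leading numeric ACS message code of a failure, or None."""
    reason = rec["failure_reason"].strip()
    return reason.split(" ", 1)[0] if reason else None


def failures_by_code(records, code="24408"):
    """All failed records whose failure reason starts with the given code."""
    return [r for r in records if r["status"] == "Fail" and reason_code(r) == code]


def macs_seen_for_user(records):
    """Map username -> set of Calling-Station-IDs seen on any of their records."""
    seen = defaultdict(set)
    for r in records:
        if r["calling_station_id"]:
            seen[r["username"]].add(r["calling_station_id"])
    return seen


def triage(records, code="24408"):
    """Per user with `code` failures: failure count, MACs present on the
    failure rows themselves, and candidate MACs borrowed from the user's other
    records (successes or other failure types) when the failure rows had none."""
    seen = macs_seen_for_user(records)
    report = {}
    for r in failures_by_code(records, code):
        entry = report.setdefault(
            r["username"], {"count": 0, "macs": set(), "candidate_macs": set()})
        entry["count"] += 1
        if r["calling_station_id"]:
            entry["macs"].add(r["calling_station_id"])
    for user, entry in report.items():
        entry["candidate_macs"] = seen.get(user, set()) - entry["macs"]
    return report


def unresolved(report):
    """Users whose failures carry no MAC and who have no other record with one."""
    return sorted(u for u, e in report.items()
                  if not e["macs"] and not e["candidate_macs"])


if __name__ == "__main__":
    recs = parse_export(SAMPLE_CSV)
    result = triage(recs)
    for user, entry in sorted(result.items()):
        print(f"{user}: {entry['count']} x 24408, MAC on failure: "
              f"{sorted(entry['macs']) or '-'}, candidates: "
              f"{sorted(entry['candidate_macs']) or '-'}")
    print("no device identified:", unresolved(result))
```

The candidate MACs are circumstantial: they only say which devices that account has been seen on, so a user with a laptop and a phone will show two candidates and the one still holding the old password is whichever has not produced a Pass since the cut-over. Users listed by `unresolved()` are the ones the report cannot help with at all, which is exactly the gap the thread is about.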

4 REPLIES

Hello Mike,

Take a look at the Calling-Station-ID attribute.

If this attribute is not showing in the logs, try putting in a conditional statement like calling-station-id=* to force the attribute to be shown in the RADIUS logs.

My Best Regards,

Andre Lomonaco


Apologies, Andre, but I'm not following you.

Specifically, I notice this issue in the canned "Authentications - RADIUS - Today" report on the standard dashboard.

If I dig into the Catalog and do a Query and Run on RADIUS Authentication, I get the same result (as expected). I don't see a place to enter that type of conditional statement.

I'm a little puzzled why most, but not all, authentication error entries are not tagged with any identifying information.

The only devices using the ACS are a Wireless Services Module and a pair of 4402 Wireless LAN Controllers.


Hi Mike,

Try including the RADIUS condition in the Service Selection Rules:

Access Policies -> Access Services -> Service Selection Rules

Customize

Compound Condition

RADIUS-IETF:Called-Station-ID

I think after that you will see this parameter in the RADIUS Today logging.


ACS 5.x does not support wildcard certs.