Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
586
Views
0
Helpful
4
Replies

Failed attemps are not logged (802.1x)

o-ziltener
Level 1
Level 1

‎07-22-2005 01:41 PM - edited ‎03-10-2019 02:14 PM

Hello

ACS 3.3.2 has a mapping to a 2003 MS AD domain member machine. The users are all in the AD. Now when a valid user but with a wrong password tries to login, then the failure is just seen in the 2003 MS security event log and not in the ACS failed attempts. I this a normal behavoir?

best regards

Oliver

Labels:
0 Helpful
4 Replies 4

didyap
Level 6
Level 6

‎07-28-2005 08:52 AM

Cisco Secure ACS Solution Engine includes a feature called Support, found in the System Configuration section of the HTML Interface. When you select the Run Support Now option on the Support page of an appliance that is configured to use a remote agent for any service, the appliance instructs the remote agent to collect copies of its diagnostic logs. The Windows agent produces a cabinet file containing the log files. The Solaris agent produces a tar file containing the log files.

0 Helpful

o-ziltener
Level 1
Level 1
In response to didyap

‎08-15-2005 04:17 AM

Hello

unfortunately this option is possible with the windows ACS. I think, in the past with older version of the ACS or with Win2000 was this never an issue!

What do you think?

best regards

Oliver

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to o-ziltener

‎08-15-2005 06:38 AM

Actually, this is normal behavior WRT how the MSFT supplicant currently operates. Assuming the machine has 802.1x authenticated itself, and assuming the machine is then subsequently and successfully attached to a domain, and assuming you have the supplicant configured to 802.1x authenticate a user ...

Then the experience you will get is Kerberos failing on a type-o'd password. So, it's similar to the experience you get today without 802.1x.

Does this answer your question?

p.s. You can verify this by checking the switch as well. If you don't see the port in a HELD state at the point in time, that means AAA didn't tell it to fail the attempt via RADIUS-Reject packet, hence AAA didn't send one, hence it won't be in a failed-auth log since from the AAA perspective, nothing really happened in this specific scenario.

0 Helpful

o-ziltener
Level 1
Level 1
In response to jafrazie

‎08-15-2005 10:42 AM

Actually not...

What do you mean with WRT and MSFT exactly?

Why do you point to kerberos?

best regards

Oliver

0 Helpful
Customers Also Viewed These Support Documents