Failed attempts are not logged (802.1X)

o-ziltener
Level 1

Hello

ACS 3.3.2 has a mapping to a 2003 MS AD domain member machine. The users are all in the AD. Now, when a valid user with a wrong password tries to log in, the failure is only seen in the 2003 MS security event log and not in the ACS failed attempts. Is this normal behavior?

best regards

Oliver

4 Replies

didyap
Level 6

Cisco Secure ACS Solution Engine includes a feature called Support, found in the System Configuration section of the HTML Interface. When you select the Run Support Now option on the Support page of an appliance that is configured to use a remote agent for any service, the appliance instructs the remote agent to collect copies of its diagnostic logs. The Windows agent produces a cabinet file containing the log files. The Solaris agent produces a tar file containing the log files.

Hello

Unfortunately, this option is possible with the Windows ACS. I think that in the past, with older versions of the ACS or with Win2000, this was never an issue!

What do you think?

best regards

Oliver

Actually, this is normal behavior WRT how the MSFT supplicant currently operates. Assuming the machine has 802.1X-authenticated itself, assuming the machine is then subsequently and successfully attached to a domain, and assuming you have the supplicant configured to 802.1X-authenticate a user ...

Then the experience you will get is Kerberos failing on a mistyped password. So it's similar to the experience you get today without 802.1X.

Does this answer your question?

p.s. You can verify this by checking the switch as well. If you don't see the port in a HELD state at that point in time, that means AAA didn't tell it to fail the attempt via a RADIUS-Reject packet; hence AAA didn't send one, and hence it won't be in a failed-auth log, since from the AAA perspective nothing really happened in this specific scenario.
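The reasoning in the reply above, as an added illustration that is not part of the original thread and not Cisco's or Microsoft's code: an AAA "Failed Attempts" entry is keyed on the server sending a RADIUS Access-Reject, and the port only goes HELD when the NAS receives one. The script models the 802.1X machine authentication, then the user's mistyped password that only reaches Kerberos on the domain controller, and contrasts it with the case where the same bad password had actually been sent through 802.1X/RADIUS. The RADIUS header layout and the Response Authenticator check follow RFC 2865; the directory contents, identities, shared secret and the Windows log line are constructed sample data.

```python
"""Why a wrong password that never reaches RADIUS leaves no AAA failed-attempt.
Added illustration, not vendor code; sample identities/secrets are made up."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

HEADER = struct.Struct("!BBH")  # Code, Identifier, Length
HEADER_LEN = 20                 # 4-byte header + 16-byte Authenticator


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    """What the AAA server puts on the wire for an Accept or Reject."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def parse_response(packet, request_auth, secret):
    """NAS-side decode; refuses packets whose authenticator does not verify."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short RADIUS packet")
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = packet[HEADER_LEN:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(packet[4:HEADER_LEN], expected):
        raise ValueError("bad Response Authenticator (wrong secret or forged)")
    return code, ident, attrs


def aaa_server(identity, password, ident, request_auth, secret, directory):
    """Stand-in for ACS backed by a directory: Reject unless credentials match."""
    ok = directory.get(identity) == password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT,
                          ident, request_auth, secret)


class Dot1xPort:
    """Minimal 802.1X authenticator port plus the AAA server's failed-attempts log."""

    def __init__(self, secret, directory):
        self.secret = secret
        self.directory = directory
        self.state = "UNAUTHORIZED"
        self.aaa_failed_attempts = []   # what the ACS "Failed Attempts" report sees
        self.ident = 0

    def authenticate(self, identity, password):
        """One Access-Request / response round trip through RADIUS."""
        self.ident = (self.ident + 1) & 0xFF
        request_auth = os.urandom(16)   # Request Authenticator chosen by the NAS
        wire = aaa_server(identity, password, self.ident, request_auth,
                          self.secret, self.directory)
        code, _, _ = parse_response(wire, request_auth, self.secret)
        if code == ACCESS_ACCEPT:
            self.state = "AUTHORIZED"
        elif code == ACCESS_REJECT:
            self.state = "HELD"                      # only a Reject gets here,
            self.aaa_failed_attempts.append(identity)  # so only a Reject is logged
        return self.state


SECRET = b"example-shared-secret"                       # constructed
DIRECTORY = {"host/pc1.example.local": "machine-pw",    # constructed
             "oliver": "correct-pw"}


def scenario_from_thread():
    """Machine does 802.1X; the user then mistypes a password that only the
    domain controller's Kerberos sees. No RADIUS packet, no Reject, no entry."""
    port = Dot1xPort(SECRET, DIRECTORY)
    port.authenticate("host/pc1.example.local", "machine-pw")
    # Kerberos AS-REQ with the wrong password fails on the DC; the switch and
    # ACS are not involved, so the only trace is the Windows security log.
    windows_security_log = ["Logon failure: oliver (bad password)"]  # constructed
    return port.state, list(port.aaa_failed_attempts), windows_security_log


def scenario_user_dot1x_rejected():
    """Contrast: the same bad password sent as a user 802.1X authentication."""
    port = Dot1xPort(SECRET, DIRECTORY)
    port.authenticate("host/pc1.example.local", "machine-pw")
    port.authenticate("oliver", "typo")
    return port.state, list(port.aaa_failed_attempts)


if __name__ == "__main__":
    print("thread scenario:", scenario_from_thread())
    print("user 802.1X rejected:", scenario_user_dot1x_rejected())
```

Checking `aaa_failed_attempts` and `state` side by side is the software equivalent of the switch check suggested above: a port that is still AUTHORIZED rather than HELD means no Access-Reject ever arrived, which is exactly why the AAA log has nothing to show.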

Actually not...

What do you mean by WRT and MSFT exactly?

Why do you point to Kerberos?

best regards

Oliver