Malcolm Beaulieu
Beginner

Find occurrences of ACS log event during authentication (specifically 24423)

Hello,

We are currently running ACS 5.4 for 802.1x authentication and everything is functioning well.  We authenticate by computer & user, but currently machine authentication is not enforced for user authentication.  This results in the occasional situation where someone with an 802.1x enabled device can still gain access to the network by entering their user credentials when prompted for authentication.

I realize that we can set "was machine authenticated= true" in the policy to close this hole, but before we do I would like to find out how often this is happening, and by whom.  There is an event ID when this happens (24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory) but I can't seem to be able to search for just this ID using the monitoring & reports viewer.

Is there a way to search the ACS logs for the event ID so I can get more information on how often this is occurring and by whom?  Or is there some other way to find how often this is happening?

Thanks!

3 REPLIES
Naveen Kumar
Enthusiast

MAR only occurs when the machine first boots up. During boot time the machine sends its credentials to ACS and ACS retains them based on the MAR timer that you have set. Try rebooting the machine and see if that error message goes away.

 

Thanks for your response.  My issue isn't the reason why this error is occurring; I understand why it is, and how to resolve it.

The answer that I am looking for is how do I find the frequency that this entry appears in the ACS logs.  Ultimately I want to determine the associated user and how often they are authenticating with just their user account.  I can't seem to be able to search on this log ID (24423) in the ACS log & reports viewer though.  Is there a way to search against the raw database for this information?

I hope this clarifies the information that I am looking for.  Thanks for any assistance that you can provide.

Have you tried to run a query under Monitoring & Reports > Reports > Catalog > Failure Reason?
There are 3 options:
Authentication_Failure_Code_Lookup
Failure_Reason_Authentication_Summary
 
Let me know if that helps.
 
Regards,
Jatin Katyal
*Do rate helpful posts*
~Jatin
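
An added example, not part of the original thread and not Cisco code: one way to count occurrences of event 24423 per user offline, assuming the ACS authentication records have been exported or forwarded as text. The `Key=Value` record layout with repeated `Step=` attributes, the attribute names `UserName` and `Calling-Station-ID`, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

MAR_UNCONFIRMED = "24423"  # event ID quoted in the question

# Assumed record layout: comma-separated Key=Value attributes, one Step=<id>
# attribute per processing step (keys such as Step repeat within a record).
ATTR_RE = re.compile(r"(?:^|,)\s*([A-Za-z][\w-]*)=([^,]*)")

def parse_attrs(line):
    """Return {key: [values]} for one log record."""
    attrs = defaultdict(list)
    for key, value in ATTR_RE.findall(line):
        attrs[key].append(value.strip())
    return attrs

def users_without_machine_auth(lines, step=MAR_UNCONFIRMED):
    """Count records containing the step, grouped by lower-cased user name."""
    report = {}
    for line in lines:
        attrs = parse_attrs(line)
        # Match the Step attribute only: a plain text search for "24423"
        # would also hit session IDs, ports or timestamps containing it.
        if step not in attrs.get("Step", []):
            continue
        user = (attrs.get("UserName") or ["<unknown>"])[0].lower()
        entry = report.setdefault(user, {"count": 0, "devices": set()})
        entry["count"] += 1
        entry["devices"].update(attrs.get("Calling-Station-ID", []))
    return report

# Constructed sample records (not real ACS output); step IDs other than 24423
# are arbitrary placeholders.
PREFIX = "Jun  3 08:15:02 acs01 CSCOacs_Passed_Authentications 0000000101 1 0 "
SAMPLE = [
    PREFIX + "Authentication succeeded, UserName=jdoe, Calling-Station-ID=00-11-22-33-44-55, Step=11001, Step=24423, Step=22037",
    PREFIX + "Authentication succeeded, UserName=JDoe, Calling-Station-ID=66-77-88-99-AA-BB, Step=11001, Step=24423",
    PREFIX + "Authentication succeeded, UserName=asmith, AcsSessionID=acs01/124423/7, Step=11001, Step=22037",
    PREFIX + "Authentication succeeded, UserName=bwong, Calling-Station-ID=CC-DD-EE-FF-00-11, Step=24423",
]

if __name__ == "__main__":
    for user, info in sorted(users_without_machine_auth(SAMPLE).items()):
        print(user, info["count"], sorted(info["devices"]))
```

The per-user device set shows whether the user-only authentications come from one endpoint or several, which helps when deciding who to contact before enforcing "was machine authenticated".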