Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
958
Views
0
Helpful
3
Replies

Find occurances of ACS log event during authentication (specifically 24423)

Malcolm Beaulieu
Level 1
Level 1

‎03-06-2014 06:53 AM - edited ‎03-10-2019 09:30 PM

Hello,

We are currently running ACS 5.4 for 802.1x authentication and everything is functioning well.  We authenticate by computer & user, but currently machine authentication is not enforced for user authentication.  This results in the occasional situation where someone with an 802.1x enabled device can still gain access to the network by entering their user credentials when prompted for authentication.

I realize that we can set "was machine authenticated= true" in the policy to close this hole, but before we do I would like to find out how often this is happening, and by whom.  There is an event ID when this happens (24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory) but I can't seem to be able to search for just this ID using the monitoring & reports viewer.

Is there a way to search the ACS logs for the event ID so I can get more information on how often this is occuring and by whom?  Or is there some other way to find how often this is happening?

Thanks!

Labels:
0 Helpful
3 Replies 3

Naveen Kumar
Level 4
Level 4

‎03-12-2014 04:34 AM

MAR only occurs when the machine first boots up. During boot time the machine sends its credentials to ACS and ACS retains them based on the MAR timer that you have set. Try rebooting the machine and see if that error message goes away.

0 Helpful

Malcolm Beaulieu
Level 1
Level 1
In response to Naveen Kumar

‎03-18-2014 09:43 PM

 

Thanks for your response.  My issue isn't the reason why this is error is occuring, I understand why it is, and how to resolve it.  

The answer that I am looking for is how do I find the frequency that this entry appears in the ACS logs.  Ultimately I want to determine the associated user and how often they are authenticating with just their user account.  I can't seem to be able to search on this log ID (24423) in the ACS log & reports viewer though.  Is there a way to search against the raw database for this information?

I hope this clarifies the information that I am looking for.  Thanks for any assistance that you can provide.

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to Malcolm Beaulieu

‎03-18-2014 10:40 PM

Have you tried to run a query under Monitoring & Reports > Reports > Catalog > Failure Reason.
there are 3 options.
Authentication_Failure_Code_Lookup
Failure_Reason_Authentication_Summary
 
Let me know if that helps.
 
Regards,
Jatin Katyal
*Do rate helpful posts*
~Jatin
0 Helpful
Customers Also Viewed These Support Documents