Monitor authentication failures

Kashish_Patel
Level 2

We have deployed dot1x in our network. Now we want to keep track of all failed authentications before any user reports a problem.

I am wondering if there is an easy way to look at switch logs and find out any authentication that might have failed. I can look at logs on ISE as well, but not all logs can be seen on ISE, so I want to know if anyone has successfully parsed switch logs to know ANY authentication failure from switch perspective. Basically I want to develop a mechanism that keeps on monitoring switch logs for any dot1x auth fail event and alerts me. Alerting should be based on switch logs.

Any ideas are welcome.

Thanks.

3 Replies

Chris Illsley
Level 3

Why don't you syslog them somewhere then use something like Kiwi Syslog to filter the entries you are looking for?

Thanks

Chris

nspasov
Cisco Employee

Hello Kashish-

Both the switches and ISE should generate logs that you can use to alert you. Here is an example from both my lab switch and my lab ISE node:

Switch:

*Mar  8 22:41:18.318: %DOT1X-5-FAIL: Authentication failed for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3

*Mar  8 22:41:18.318: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3

*Mar  8 22:41:18.318: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3

*Mar  8 22:41:18.318: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3

*Mar  8 22:41:18.318: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3

ISE:


I hope this helps!

Thank you for rating!
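
One way to do the switch-side parsing asked about in this thread, run over the DOT1X/AUTHMGR messages quoted in the reply above. This is an added Python example, not code from any poster or from Cisco; the function name, the set of messages treated as failures, and the last two sample lines (constructed) are assumptions.

```python
import re

# Layout of the DOT1X/AUTHMGR messages quoted in the reply above.
MSG_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s+"
    r"%(?P<fac>DOT1X|AUTHMGR)-(?P<sev>\d)-(?P<mnem>\w+):\s+(?P<text>.*?)"
    r"\s+for client \((?P<mac>[0-9A-Fa-f.]+)\) on Interface (?P<intf>\S+)"
    r"\s+AuditSessionID (?P<sid>\w+)"
)
RESULT_RE = re.compile(r"result '(?P<result>[^']+)' from '(?P<method>[^']+)'")
# Messages treated as a failure worth alerting on (assumption: tune per site).
FAIL_EVENTS = {"DOT1X-FAIL", "AUTHMGR-FAIL", "AUTHMGR-NOMOREMETHODS"}

def summarize_failures(lines):
    """Return one alert dict per AuditSessionID that logged a failure event."""
    sessions = {}
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        s = sessions.setdefault(m["sid"], {
            "session": m["sid"], "mac": m["mac"], "interface": m["intf"],
            "first_seen": m["ts"], "events": [], "result": None, "method": None,
        })
        event = f"{m['fac']}-{m['mnem']}"
        s["events"].append(event)
        r = RESULT_RE.search(m["text"])
        if event == "AUTHMGR-RESULT" and r:
            s["result"], s["method"] = r["result"], r["method"]
    return [s for s in sessions.values() if FAIL_EVENTS & set(s["events"])]

# First five lines are the switch messages from the reply above.
TAIL = " for client (000c.2986.21a8) on Interface Gi0/5 AuditSessionID 0A01060A000000D228EA5AE3"
SAMPLE = [
    "*Mar  8 22:41:18.318: %DOT1X-5-FAIL: Authentication failed" + TAIL,
    "*Mar  8 22:41:18.318: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x'" + TAIL,
    "*Mar  8 22:41:18.318: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x'" + TAIL,
    "*Mar  8 22:41:18.318: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods" + TAIL,
    "*Mar  8 22:41:18.318: %AUTHMGR-5-FAIL: Authorization failed or unapplied" + TAIL,
    # Constructed lines: an unrelated message and a successful session.
    "*Mar  8 22:41:20.001: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up",
    "*Mar  8 22:41:21.500: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x'"
    " for client (0000.5e00.5301) on Interface Gi0/7 AuditSessionID 0A01060A000000D3AAAAAAAA",
]

if __name__ == "__main__":
    for a in summarize_failures(SAMPLE):
        print(f"ALERT {a['first_seen']} {a['mac']} on {a['interface']}: "
              f"{a['method']} result={a['result']} events={','.join(a['events'])}")
```

The %AUTHMGR-7-* lines are severity 7, so they reach a syslog server only when the switch logs at debugging level; without them the alert still fires on the severity-5 FAIL messages, with the result left as None.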

Kashish,

You should be able to spot check the operations dashboard, or run a radius authentication report and then set the status to failed and then run the report.

Thanks
