Switch login attempt
06-28-2023 03:49 AM
Hi
When we check the authorization policy on ISE which is responsible for switch logins, we can see a log like this one:
Why is the username Id;? Where does this (Id;) come from?
What does "11014 RADIUS packet contains invalid attribute(s)" mean? We don't have any issue on our RADIUS server ISE!
If I try to log in on a switch with username Id;, the log in ISE will be like this one:
Is someone trying to log in to our switch, or what is the case?
Labels: AAA
06-28-2023 04:04 AM
Hi
It could be some tool trying to access the switch. Do you have monitoring tools? Maybe DNAC doing discovery?
06-28-2023 04:09 AM
I have a tool that logs in to all switches and makes backups. But that tool uses my AD account and nothing else.
I can see logs from the tool in ISE, which are green and accepted.
06-28-2023 04:15 AM
It seems something else is trying and failing. Take a look at the switch logs, which probably will not be helpful but are worth a try.
You can also try to ping the IP 10.34.0.74 and track it down using ARP.
06-28-2023 04:22 AM
10.34.0.74 is my laptop. In the second image I did a test to log in with username Id; to see what the log would look like. And it looks like the second image.
I mean even if I try to use Id; as a username, the log in ISE does not come back with the Id; username but with INVALID;INVALID, as you can see in the second image.
06-28-2023 04:28 AM
If you get the real fail log, which IP address will be there as Endpoint ID?
06-28-2023 04:34 AM
That is the problem: there is nothing in the log about the Endpoint!! You can check the log:
06-28-2023 04:44 AM
Another alternative would be to use a sniffer on the switch side.
SPAN one port to your laptop, run Wireshark and try to dig into the logs when ISE notifies the login attempt.
06-28-2023 04:54 AM
There were 3 attempts yesterday; I will keep track and see if it happens again.
"SPAN one port to your laptop, run Wireshark and try to dig into the logs when ISE notifies the login attempt" - maybe it will not happen for days, who knows?!
Any other suggestion?
06-28-2023 05:00 AM
If you can keep the log running on a computer for this period, you can use a filter in Wireshark.
If you filter on port 1812 there will be just a few logs during the day. At least in Wireshark you will see the origin IP address.
06-28-2023 04:32 AM
@Moudar you can force Cisco ISE to display the invalid usernames. To do this, check the Disclose Invalid Usernames check box under Administration > System > Settings > Security Settings.
06-28-2023 04:37 AM
Should it restart the whole machine?
06-28-2023 04:43 AM
What is under INVALID is not important, just in this case! The important thing is to know what that Id; user is.
06-28-2023 04:59 AM
@Moudar why are you changing the SHA1 cipher settings? That's not the setting that was suggested to change.
Disclosing the invalid username would reveal the user identity in the logs, which might provide a clue. Disclosing the invalid username (as per the above suggestion) will not require restarting services.
What type of device is the NAD - 10.128.2.8?
You can take a packet capture (tcpdump) on ISE, set up a filter on 10.128.2.8 and determine what attributes are being sent.
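One way to read the capture once you have it, whether from the Wireshark filter on port 1812 or a tcpdump on ISE filtered on the NAD: walk the RADIUS attribute list of each request to pull out User-Name and NAS-IP-Address and flag any attribute whose length field is malformed, which is the kind of defect a server rejects as containing invalid attribute(s). This is an added example, not code from this thread or from Cisco ISE; the two packets are constructed inline (zeroed authenticator) using the username and NAD address mentioned above.

```python
import struct
# RADIUS attribute type codes from RFC 2865 used here.
USER_NAME = 1
NAS_IP_ADDRESS = 4
def parse_radius(payload):
    # Walk the attribute list of a raw RADIUS UDP payload (the bytes after the UDP
    # header in a capture filtered on port 1812). Returns (code, identifier,
    # [(type, value_bytes)], [problems]); a problem is a length field that a
    # server would reject as an invalid attribute rather than authenticate.
    if len(payload) < 20:
        return None, None, [], ["packet shorter than the 20-byte RADIUS header"]
    code, ident, length = struct.unpack("!BBH", payload[:4])
    attrs, problems = [], []
    if length < 20 or length > len(payload):
        problems.append(f"header length {length} does not fit packet size {len(payload)}")
        length = min(length, len(payload))
    pos = 20
    while pos < length:
        if length - pos < 2:
            problems.append(f"dangling byte at offset {pos}: an attribute needs 2+ bytes")
            break
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            problems.append(f"attribute type {atype} at offset {pos} has invalid length {alen}")
            break
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs, problems

def summarize(payload):
    # What a responder wants per request: who, from which NAD, and whether the
    # packet itself is malformed (the first occurrence of each attribute wins).
    code, _ident, attrs, problems = parse_radius(payload)
    first = {t: v for t, v in reversed(attrs)}
    nas = first.get(NAS_IP_ADDRESS)
    return {
        "code": code,
        "username": first.get(USER_NAME, b"").decode("utf-8", "replace"),
        "nas_ip": ".".join(str(b) for b in nas) if nas and len(nas) == 4 else None,
        "problems": problems,
    }

def build_request(body, ident=7):
    # Constructed Access-Request (code 1) with a zeroed 16-byte authenticator.
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body
# Constructed samples: a well-formed request carrying the username and NAD address
# from this thread, and one whose second attribute claims length 0 (malformed).
GOOD = build_request(bytes([USER_NAME, 5]) + b"Id;" + bytes([NAS_IP_ADDRESS, 6, 10, 128, 2, 8]))
BAD = build_request(bytes([USER_NAME, 5]) + b"Id;" + bytes([NAS_IP_ADDRESS, 0]))
```

In a real capture the source IP of the UDP datagram, not the NAS-IP-Address attribute, is the authoritative sender; compare the two when they disagree.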
06-28-2023 05:03 AM
When I try to activate "Disclose Invalid Usernames" and click on Save, that thing about SHA1 comes up afterwards!
10.128.2.8 is a router.
Can you write the syntax of tcpdump on ISE?
