Switch login attempt

Moudar · ‎06-28-2023

Hi

When we check the authorization policy on ISE which is resposible for switch logins, we could se a log like this one:

Why the username is Id;? Where does this (Id;) come from?

What does "11014 RADIUS packet contains invalid attribute(s) " mean? We don't have any issue on our Radius server ISE!

If i try on a switch to login with username Id; the log in ISE will be like this one:

Is there someone trying to login to our switch or what is the case?

Flavio Miranda · ‎06-28-2023

Hi

It could be some tools trying to access the switch. Do you have monitoring tools? Maybe DNAC doing discovery?

Moudar · ‎06-28-2023

I have a tool that logs in all switches and make backups. But that tool uses my AD account and nothing else.

I can see logs from the tool in ISE which are green and accept

Flavio Miranda · ‎06-28-2023

It seems something else is trying and failing. Take a look on the switch logs, which probably will not be helpful but worth it to try.

You can also try to ping the IP 10.34.0.74 and track it down using ARP.

Moudar · ‎06-28-2023

10.340.74 is my laptop, in the second image i did a test to login with username Id; to see what would the log looks like. And i looks like the second image.

I mean even if i try to use Id; as a username the log in ISE does not comeback with Id; username but with INVALID;INVALID as you can see in the scond image

Flavio Miranda · ‎06-28-2023

If you get the real fail log, which IP address will be there as Endpoint ID?

Moudar · ‎06-28-2023

That is the problem there is nothing in the log about Endpoint!! You can check the log:

Flavio Miranda · ‎06-28-2023

Another alternative would be use sniffer on the switch side.

span one port to you laptop, run wireshark and try do dig into the logs when the ISE notify the login attempt

Moudar · ‎06-28-2023

There were 3 attmepts yesterday, i will keep track and see if it happens again

"span one port to you laptop, run wireshark and try do dig into the logs when the ISE notify the login attempt" maybe not happen in days who knows?!

Any other suggestion?

Flavio Miranda · ‎06-28-2023

If you can keep the log running in a computer for this period you can use filter on the Wireshark. .

If you filter on the port 1812 there will be just a few logs during the day. At least on the wireshark you will se the orign IP address.

Rob Ingram · ‎06-28-2023

@Moudar you can force Cisco ISE to display the invalid usernames. To do this, check the Disclose Invalid Usernames check box under Administration > System > Settings > Security Settings

Moudar · ‎06-28-2023

Should it restart the whole machine?

Moudar · ‎06-28-2023

What is under INVALID is not important just in this case! the important is to know what is that Id; user?

Rob Ingram · ‎06-28-2023

@Moudar why are you changing the SHA1 cipher settings? thats not the setting that was suggested to change.

Disclosing the invalid username would reveal the user identity in the logs, which might provide a clue. Disclosing the invalid username (as per above suggestion) will not require restarting services.

What type of device is the NAD - 10.128.2.8?

You can take a packet capture (tcpdump) on ISE, setup a filter on 10.128.2.8 and determine what attributes are being sent.

Moudar · ‎06-28-2023

When i try to activate "Disclosing the invalid username" click on Save then that about SHA1 came after!

10.128.2.8 is a router

Can you write the syntax of tcpdump on ISE?