Switch login attempt

Moudar

Hi

When we check the authorization policy on ISE which is responsible for switch logins, we could see a log like this one:

ise-id.JPG

Why is the username Id;? Where does this (Id;) come from?

What does "11014 RADIUS packet contains invalid attribute(s)" mean? We don't have any issue on our RADIUS server ISE!

If I try on a switch to login with username Id; the log in ISE will be like this one:

ise-id.JPG

Is there someone trying to login to our switch or what is the case?

18 Replies

Hi

It could be some tools trying to access the switch. Do you have monitoring tools? Maybe DNAC doing discovery?

I have a tool that logs in to all switches and makes backups. But that tool uses my AD account and nothing else.

I can see logs from the tool in ISE which are green and accepted.

It seems something else is trying and failing. Take a look at the switch logs, which probably will not be helpful, but it's worth a try.

You can also try to ping the IP 10.34.0.74 and track it down using ARP.

10.34.0.74 is my laptop. In the second image I did a test to login with username Id; to see what the log would look like, and it looks like the second image.

I mean even if I try to use Id; as a username, the log in ISE does not come back with Id; as the username but with INVALID;INVALID, as you can see in the second image.

If you get the real fail log, which IP address will be there as Endpoint ID?

That is the problem: there is nothing in the log about the Endpoint!! You can check the log:

log1.JPG

log2.JPG

Another alternative would be to use a sniffer on the switch side.

Span one port to your laptop, run Wireshark and try to dig into the logs when ISE notifies you of the login attempt.

There were 3 attempts yesterday. I will keep track and see if it happens again.

"Span one port to your laptop, run Wireshark and try to dig into the logs when ISE notifies you of the login attempt" - that may not happen for days, who knows?!

Any other suggestion?

If you can keep the log running on a computer for this period, you can use a filter in Wireshark.

If you filter on port 1812 there will be just a few logs during the day. At least in Wireshark you will see the origin IP address.

@Moudar you can force Cisco ISE to display the invalid usernames. To do this, check the Disclose Invalid Usernames check box under Administration > System > Settings > Security Settings.

warning.JPG

Should it restart the whole machine?

What is under INVALID is not important in this case! The important thing is to know what that Id; user is.

@Moudar why are you changing the SHA1 cipher settings? That's not the setting that was suggested to change.

Disclosing the invalid username would reveal the user identity in the logs, which might provide a clue. Disclosing the invalid username (as per above suggestion) will not require restarting services.

What type of device is the NAD - 10.128.2.8?

You can take a packet capture (tcpdump) on ISE, set up a filter on 10.128.2.8 and determine what attributes are being sent.
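Once a capture filtered on the NAD address and UDP port 1812 is in hand, the question from this thread is what the RADIUS attributes in each Access-Request actually contain, and whether any of them is malformed (which is what an ISE "invalid attribute(s)" failure points at). The script below is an added example, not code from the original thread or from Cisco; it decodes the RADIUS header and attribute list from the raw UDP payload bytes, records any attribute whose length field is illegal or runs past the end of the packet, and reports the User-Name and NAS-IP-Address it finds. The two packets it parses are constructed inline for illustration (the username "Id;" and NAS 10.128.2.8 from the thread, with zeroed authenticators); in practice you would feed it the UDP payload of each port-1812 packet exported from the capture.

```python
import ipaddress
import struct

# RADIUS attribute types used here (RFC 2865 values)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_SERVICE_TYPE = 6


def parse_radius(packet: bytes) -> dict:
    """Decode a RADIUS packet (the UDP payload) into header fields and a
    list of (type, value) attributes. Malformed attributes are recorded in
    'invalid' rather than raised, so a bad packet still yields a report."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    result = {"code": code, "id": ident, "length": length,
              "attributes": [], "invalid": []}
    if length < 20 or length != len(packet):
        result["invalid"].append(
            f"header length {length} does not match packet size {len(packet)}")
    body = packet[20:min(length, len(packet))]
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            result["invalid"].append(f"truncated attribute header at offset {20 + pos}")
            break
        atype, alen = body[pos], body[pos + 1]
        if alen < 2:  # type and length octets alone already occupy 2 bytes
            result["invalid"].append(f"attribute type {atype} has illegal length {alen}")
            break
        if pos + alen > len(body):
            result["invalid"].append(
                f"attribute type {atype} length {alen} runs past end of packet")
            break
        result["attributes"].append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return result


def summarize(packet: bytes) -> dict:
    """Return the fields an analyst wants first: who is logging in, from
    which NAD, and whether the packet carried anything malformed."""
    parsed = parse_radius(packet)
    user_name = nas_ip = None
    for atype, value in parsed["attributes"]:
        if atype == ATTR_USER_NAME:
            user_name = value.decode("utf-8", errors="replace")
        elif atype == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            nas_ip = str(ipaddress.IPv4Address(value))
    return {"code": parsed["code"], "user_name": user_name,
            "nas_ip": nas_ip, "invalid": parsed["invalid"]}


# --- constructed sample packets (not from a real capture) ---------------

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, total length, value."""
    return bytes([atype, len(value) + 2]) + value


def build_access_request(ident: int, attrs: bytes) -> bytes:
    """Build an Access-Request (code 1) with a zeroed Request Authenticator."""
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


# A well-formed request: User-Name "Id;" from NAS 10.128.2.8, Service-Type Login (1)
GOOD_PACKET = build_access_request(
    7,
    attr(ATTR_USER_NAME, b"Id;")
    + attr(ATTR_NAS_IP_ADDRESS, bytes([10, 128, 2, 8]))
    + attr(ATTR_SERVICE_TYPE, struct.pack("!I", 1)),
)

# The same request followed by a Service-Type attribute whose length octet is 1,
# which no RADIUS attribute can have; a server would reject the packet.
BAD_PACKET = build_access_request(
    8,
    attr(ATTR_USER_NAME, b"Id;")
    + attr(ATTR_NAS_IP_ADDRESS, bytes([10, 128, 2, 8]))
    + bytes([ATTR_SERVICE_TYPE, 1]) + b"\x00" * 3,
)

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_PACKET), ("bad", BAD_PACKET)):
        print(label, summarize(pkt))
```

The parser deliberately keeps going after the first malformed attribute only as far as the data allows, so the User-Name and NAS-IP-Address seen before the bad attribute are still reported; that is usually enough to tie an ISE failure to the device and account that produced it.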

When I try to activate "Disclose Invalid Usernames" and click Save, then that SHA1 warning comes up!

10.128.2.8 is a router.

Can you write the syntax of tcpdump on ISE?