ACS / Tacacs and Failed Attempts

soldnermichael
Level 1

In our aaa implementation we use tacacs with the local db as backup. Well, I'm trying to harden security. I know IOS has this nice little command:

“login on-failure log every x”

This would be great so we could at least see the syslog message and have an idea if someone is trying to get into a piece of our equipment without having to try and watch the "Failed Attempts" report in ACS - but given we are using Tacacs, the only way this will throw a message is if ACS isn't available.

I'd like to know if there is a way for ACS to give us this information, or to get syslog messages thrown.

Thanks!

6 Replies

Yep - I was just hoping for some more granularity since all of our wireless devices enterprise-wide authenticate against ACS. I only want to know about the failed tacacs attempts.

So you only want to see syslog messages for tacacs failures, not for wireless auth failures. I am not sure how you would do that from ACS.

If it were me I would use a Splunk syslog server and send all of the failures to it. Then in Splunk I would set up a filter to only display the NAS-IP-Addresses that I was interested in.

Or if I had MARS I would set up a rule in that to look for login failures on those devices to trigger a notification.

What is your syslog server now?
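The filtering the reply above describes (keep only failed attempts whose NAS-IP-Address belongs to the TACACS-managed routers and switches, drop the wireless RADIUS noise) can also be done with a small script over the ACS "Failed Attempts" export before it is forwarded to a syslog server. This is an added example, not code from the thread or from Cisco; the CSV column layout, the device addresses and the log rows are all constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample in the shape of an ACS "Failed Attempts" CSV export.
# Only the NAS-IP-Address column name comes from the thread; the other
# columns and every value here are assumptions made for this example.
SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,Message-Type,User-Name,NAS-IP-Address,Authen-Failure-Code
03/12/2009,08:01:10,Authen failed,jdoe,10.1.1.5,CS password invalid
03/12/2009,08:01:14,Authen failed,jdoe,10.1.1.5,CS password invalid
03/12/2009,08:01:19,Authen failed,admin,10.1.1.5,CS user unknown
03/12/2009,08:02:02,Authen failed,wlan-user7,10.9.9.20,EAP type not configured
03/12/2009,08:02:30,Authen failed,wlan-user2,10.9.9.21,CS password invalid
03/12/2009,08:03:00,Authen failed,root,10.1.1.6,CS user unknown
"""

# Management addresses of the gear that authenticates admins via TACACS+
# (constructed). The wireless controllers on 10.9.9.x are deliberately
# absent so their client authentication failures are filtered out.
TACACS_DEVICES = {"10.1.1.5", "10.1.1.6"}


def tacacs_failures(csv_text, devices=TACACS_DEVICES):
    """Return only the failed-attempt rows whose NAS-IP-Address is a TACACS device."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row for row in rows if row["NAS-IP-Address"] in devices]


def failures_per_device_user(csv_text, devices=TACACS_DEVICES):
    """Count failures per (device, user) so repeated guessing on one box stands out."""
    return Counter((row["NAS-IP-Address"], row["User-Name"])
                   for row in tacacs_failures(csv_text, devices))


def repeated_failures(csv_text, threshold=2, devices=TACACS_DEVICES):
    """(device, user) pairs that reached the threshold; candidates for an alert."""
    counts = failures_per_device_user(csv_text, devices)
    return {key: n for key, n in counts.items() if n >= threshold}


def to_syslog_line(row):
    """Render one filtered row as a single syslog-style line for Orion/Splunk."""
    return (f"{row['Date']} {row['Time']} ACS: TACACS login failed "
            f"[user: {row['User-Name']}] [NAS: {row['NAS-IP-Address']}] "
            f"[reason: {row['Authen-Failure-Code']}]")


if __name__ == "__main__":
    for row in tacacs_failures(SAMPLE_FAILED_ATTEMPTS):
        print(to_syslog_line(row))
    print(repeated_failures(SAMPLE_FAILED_ATTEMPTS))
```

In practice the filtered lines would be handed to the syslog forwarder, so the existing syslog console shows TACACS failures in the same place as the IOS `login on-failure log` messages.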

We currently use Orion.

I guess I was just hoping to keep it within that so we'd see the syslog come through, but using Splunk isn't a bad idea...

I hear ya.

I know that acs 5 is going to be a lot more policy-based on how users authenticate and what policies get applied depending on their location, etc... Hopefully the logging will offer some of the same granularity.

-Jesse

Guess I'm stuck then.