Integrate CS-ACS and CS-MARS

Eugen Bitca
Level 1

Hello,

CS-ACS (CiscoSecure ACS v4.2) was configured to send "Failed Attempts" logs to CS-MARS (Appliance Product Version: 6.0.2).

ACS was added to MARS as a "Cisco Secure ACS SE 4.x" appliance.

TCPDUMP at the MARS CLI shows that MARS is receiving syslog traffic on port 514 from the ACS, but when I submit an inline query to determine whether events are being received from the Cisco Secure ACS, it shows an empty report.

Thanks a lot

3 Replies

Hi Eugen,

Could you try a query in real time with the option "Event raw messages"?

It is possible that it doesn't match correctly.

Best Regards

Antonio

Hi Antonio,

A real time query returns:

Event Type: Secure ACS Auth failed: password invalid

Reporting Device: ACS42

RAW Message:

<38>Jun 13 11:45:23 10.44.1.4 CisACS_02_FailedAuth nas0259t 1 0 Message-Type=Authen failed,User-Name=eugen,NAS-IP-Address=10.44.1.18,Authen-Failure-Code=ACS password invalid,Caller-ID=172.22.5.10,NAS-Port=tty1,Group-Name=Group 1 (NetAdmin - Full),

10.44.1.4 - ACS IP address

--------------------------------------------

I made rules that match "Secure ACS Auth failed" Event Type, so MARS will announce when there are attempts with invalid password or unknown user.

Thank you.

You are welcome Eugen.

Regards
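
An added example, not part of the original thread: a small parser for the raw "Failed Attempts" message quoted above, useful for checking what the ACS actually puts on the wire when the collector shows nothing. The header layout is an assumption inferred from that single sample, and the function names are hypothetical.

```python
import re

# Raw message copied from the thread above (ACS 4.2 "Failed Attempts" syslog).
SAMPLE = (
    "<38>Jun 13 11:45:23 10.44.1.4 CisACS_02_FailedAuth nas0259t 1 0 "
    "Message-Type=Authen failed,User-Name=eugen,NAS-IP-Address=10.44.1.18,"
    "Authen-Failure-Code=ACS password invalid,Caller-ID=172.22.5.10,"
    "NAS-Port=tty1,Group-Name=Group 1 (NetAdmin - Full),"
)

# Assumed layout, inferred from that one sample:
# <PRI>timestamp source category message-id <two numeric fields> attributes
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<source>\S+) (?P<category>CisACS_\S+) (?P<msg_id>\S+) "
    r"\d+ \d+ (?P<attrs>.*)$"
)
# A value runs up to the next ",Name=" or the end of the line, so spaces,
# parentheses and plain commas inside a value (e.g. Group-Name) are preserved.
ATTR = re.compile(r"(?:^|,)([A-Za-z][\w-]*)=(.*?)(?=,[A-Za-z][\w-]*=|,?$)")


def parse_acs_syslog(line):
    """Return header fields plus an 'attrs' dict, or None if the layout differs."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    pri = int(event.pop("pri"))
    event["facility"], event["severity"] = divmod(pri, 8)  # RFC 3164 PRI
    event["attrs"] = dict(ATTR.findall(event["attrs"]))
    return event


def failed_auth(event):
    """Summarise a failed-authentication event; None for anything else."""
    if event is None or event["attrs"].get("Message-Type") != "Authen failed":
        return None
    a = event["attrs"]
    return {
        "user": a.get("User-Name"),
        "reason": a.get("Authen-Failure-Code"),
        "nas": a.get("NAS-IP-Address"),
        "caller": a.get("Caller-ID"),
        "reporting_device": event["source"],
    }


if __name__ == "__main__":
    print(failed_auth(parse_acs_syslog(SAMPLE)))
```
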