ACS 5.1 RADIUS authentication / AD pw failure -- missing MAC

Mike Smith
Level 1

I've (finally) moved us away from our old ACS 3.2 box, using a local identity store, to a shiny new ACS 5.1 backed by Active Directory.

We're using the ACS primarily to authenticate our wireless users.

On our first day with the new ACS in production, I'm seeing a large number of "24408 User authentication against Active Directory failed since user has entered the wrong password" errors in the RADIUS authentication logs.

I expected this, as users gradually enter their AD creds for authentication.

One of the things that would help our Tech Support folks would be to find out which users/machines are still using old, stored creds.

RADIUS authentication logs, however, are not giving us a MAC (or IP) address to go with the 24408 errors.

We *are* logging MACs for successful authentications as well as things like "12511 Unexpectedly received TLS alert message; treating as a rejection by the client" errors.

Have I not config'd something on our WiSM?  Am I not supposed to be seeing MACs for 24408 errors?

TIA!
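A triage script for the situation described above, added here as an example and not part of the original thread: it groups the 24408 "wrong password" failures by user and records which Calling-Station-ID (client MAC) the log attached to each, so support can see which accounts keep failing and where the MAC is simply absent. It assumes a simplified CSV export layout (constructed sample data), not the exact ACS 5.1 report format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in a simplified CSV layout (hypothetical, not the exact
# ACS 5.1 report export): timestamp, username, status, message code,
# Calling-Station-ID (client MAC; empty when the log carries none).
SAMPLE_LOG = """\
2010-06-01 08:01:12,jdoe,Fail,24408,
2010-06-01 08:01:40,jdoe,Fail,24408,00-11-22-33-44-55
2010-06-01 08:02:05,asmith,Pass,22037,00-aa-bb-cc-dd-ee
2010-06-01 08:02:33,asmith,Fail,24408,
2010-06-01 08:03:10,bwong,Fail,12511,00-de-ad-be-ef-01
2010-06-01 08:03:45,jdoe,Fail,24408,
"""

FAILURE_CODE = "24408"  # AD "user has entered the wrong password"


def triage_bad_password_failures(log_text):
    """Group 24408 failures by user and note which client MACs, if any,
    the log attached to them (stale stored credentials show up as repeats)."""
    report = defaultdict(lambda: {"failures": 0, "macs": set(), "no_mac": 0})
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines instead of aborting the run
        _ts, user, _status, code, mac = row
        if code != FAILURE_CODE:
            continue
        entry = report[user]
        entry["failures"] += 1
        if mac.strip():
            entry["macs"].add(mac.strip().lower())
        else:
            entry["no_mac"] += 1  # failure logged without a Calling-Station-ID
    return dict(report)


def users_needing_followup(report):
    """(user, failures, sorted MAC list, failures without MAC), most failures first."""
    return sorted(
        ((u, e["failures"], sorted(e["macs"]), e["no_mac"]) for u, e in report.items()),
        key=lambda t: (-t[1], t[0]),
    )


if __name__ == "__main__":
    for user, n, macs, missing in users_needing_followup(
            triage_bad_password_failures(SAMPLE_LOG)):
        mac_text = ", ".join(macs) if macs else "no MAC logged"
        print(f"{user}: {n} x 24408 ({missing} without MAC) -> {mac_text}")
```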

4 Replies

lomonaco
Level 1

Hello Mike,

Take a look in the Calling-Station-ID attribute...

If this attribute is not showing in the logs, try putting in a conditional statement like calling-station-id=* to force this attribute to be shown in the RADIUS logs....

My best regards,

Andre Lomonaco

Apologies, Andre, but I'm not following you.

Specifically, I notice this issue in the canned "Authentications - RADIUS - Today" report on the standard dashboard.

If I dig into the Catalog and do a Query and Run on Radius Authentication, I get the same result (as expected). I don't see a place to enter that type of conditional statement.

I'm a little puzzled why most, but not all, authentication error entries are not tagged with any identifying information.

The only devices using the ACS are a Wireless Services Module and a pair of 4402 Wireless LAN Controllers.

Hi Mike,

Try including the RADIUS condition in the Service Selection Rules:

Access Policies -> Access Services -> Service Selection Rules

Customize

Compound Condition

RADIUS-IETF:Called-Station-ID

I think after that you will see this parameter in the Radius Today logging.

ACS 5.x does not support wildcard certs.
