07-22-2010 03:19 PM - edited 03-10-2019 05:16 PM
I've (finally) moved us away from our old ACS 3.2 box, using a local identity store, to a shiny new ACS 5.1 backed by Active Directory.
We're using the ACS primarily to authenticate our wireless users.
On our first day with the new ACS in production, I'm seeing a large number of "24408 User authentication against Active Directory failed since user has entered the wrong password" errors in the RADIUS authentication logs.
I expected this, as users gradually enter their AD creds for authentication.
One of the things that would help our Tech Support folks would be to find out which users/machines are still using old, stored creds.
RADIUS authentication logs, however, are not giving us a MAC (or IP) address to go with the 24408 errors.
We *are* logging MACs for successful authentications as well as things like "12511 Unexpectedly received TLS alert message; treating as a rejection by the client" errors.
Have I not config'd something on our WiSM? Am I not supposed to be seeing MACs for 24408 errors?
TIA!
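One way to work around the missing MAC on 24408 entries, as an added example that is not part of the original post or of ACS itself: match each failure by username against other log records that do carry a Calling-Station-ID, and separate MACs that have authenticated successfully since the last failure from those that have not. The CSV layout, the column names, the `PASS` marker and all sample values are constructed for illustration and are not ACS's export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records; layout and values are assumptions, not ACS output.
SAMPLE = """timestamp,username,calling_station_id,result
2010-07-22T08:01:10,asmith,00-11-22-33-44-55,12511
2010-07-22T08:01:40,asmith,,24408
2010-07-22T08:02:05,asmith,,24408
2010-07-22T08:05:00,bjones,,24408
2010-07-22T08:07:30,cdoe,66-77-88-99-AA-BB,PASS
2010-07-22T08:09:12,cdoe,,24408
2010-07-22T09:15:00,cdoe,CC-DD-EE-FF-00-11,PASS
"""

def stale_credential_candidates(log_text, fail_code="24408"):
    """Return {username: report} for every user with wrong-password failures.

    Heuristic: a MAC seen for the user with no successful authentication
    after the user's last failure is a candidate for stale stored creds.
    """
    failures = defaultdict(list)   # user -> timestamps of failures
    last_pass = defaultdict(dict)  # user -> MAC -> latest PASS time ("" if none)
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["username"].lower()
        mac = row["calling_station_id"].upper()
        if row["result"] == fail_code:
            failures[user].append(row["timestamp"])
        if mac:
            seen = last_pass[user].get(mac, "")
            if row["result"] == "PASS":
                seen = max(seen, row["timestamp"])  # ISO times sort as text
            last_pass[user][mac] = seen
    report = {}
    for user, stamps in failures.items():
        cutoff = max(stamps)
        macs = last_pass[user]
        report[user] = {
            "failures": len(stamps),
            "last_failure": cutoff,
            "suspect_macs": sorted(m for m, t in macs.items() if t <= cutoff),
            "recovered_macs": sorted(m for m, t in macs.items() if t > cutoff),
        }
    return report

if __name__ == "__main__":
    for user, info in sorted(stale_credential_candidates(SAMPLE).items()):
        print(user, info)
```

A user with failures but no MAC in any record (bjones in the sample) comes back with empty lists and still needs a manual follow-up.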
08-03-2010 05:16 AM
Hello Mike,
Take a look in the Calling-Station-ID Attribute...
If this attribute is not showing in the logs, try to put some conditional statement like calling-station-id=* to force this attribute to be shown in the RADIUS logs....
My Best Regards,
Andre Lomonaco
08-11-2010 06:16 PM
Apologies, Andre, but I'm not following you.
Specifically, I notice this issue in the canned "Authentications - RADIUS - Today" report on the standard dashboard.
If I dig into the Catalog and do a Query and Run on Radius Authentication, I get the same result (as expected). I don't see a place to enter that type of conditional statement.
I'm a little puzzled why most, but not all, authentication error entries are not tagged with any identifying information.
The only devices using the ACS are a Wireless Services Module and a pair of 4402 Wireless LAN Controllers.
08-13-2010 08:30 AM
Hi Mike,
Try including the RADIUS condition in the Service Selection Rules:
Access Policies -> Access Services -> Service Selection Rules
Customize
Compound Condition
RADIUS-IETF:Called-Station-ID
I think after that you will see this parameter in the RADIUS Today logging.
10-29-2012 03:51 PM
ACS 5.x does not support wildcard certs.