05-04-2011 09:51 AM - edited 03-06-2019 04:54 PM
Hello,
We're using 3750 and 3550 switches with 802.1X for authenticating devices to our network and I'd like to know how many times people try to connect unauthorised devices to the network.
Ideally, I'd like the switch to send a SysLog message to our Syslog server each time a device fails authentication. Is this possible?
I can see that it's possible to syslog all authentication attempts but we have a large network and sending successful authentications would seem pointless, and the failed ones would probably just get lost in the "noise".
If the Syslog method isn't possible is there another way to achieve this?
05-04-2011 10:05 AM
Well I'm not sure about Cisco but you should be able to apply a filter on the syslog server to filter the accept messages and not log them if that is what you want. Are you using syslog-ng?
05-04-2011 10:08 AM
Thanks Ian...
I hadn't considered that - We're using CiscoWorks as the SysLog server so I'm pretty confident we could filter out the successful authentication messages.
That said, there are around 8,000 devices on our network so that would still be a lot of network traffic generated by the SysLog messages.
05-04-2011 10:17 AM
True, but they are generally only plain text messages and a few bytes in size...just make sure you have plenty of bandwidth on your links
05-04-2011 11:17 AM
What level of buffer logging do you typically run? What is your baseline IOS version? I may have an alternative solution.
05-04-2011 01:12 PM
The switches are typically connected by at least 1Gbps and the SysLog server has a 1Gbps connection. Some of our remote sites only have 10Mbps links but they mostly have less than 50 devices on site.
Antonio, the switches are running IOS 12.2(35) or above and the logging options are at default.
Would be interested in hearing your idea. Thanks.
05-04-2011 03:44 PM
If your logging buffer facility is such that a %DOT1X-5-FAIL message ('logging buffered notification' or higher) is generated in the buffer whenever dot1x authentication fails, you could have Embedded Event Manager (one of my favs) send an easy-to-find custom syslog message indicating that a failure was observed. Here's an example:
!---Let's create an EEM applet---
Switch(config)#event manager applet dot1x-fail
!---Define an event to act on, in this case a dot1x fail log message in the buffer---
Switch(config-applet)#event syslog pattern "%DOT1X-5-FAIL: Authentication failed"
!---Define what to do when we see the log message, let's send a custom syslog at warning level to the syslog server---
Switch(config-applet)#action 1.0 syslog priority warning msg "DOT1X-FAILURE on : HEY!!! SOMEONE HAS FAILED AUTHENTICATION ON 10.1.1.1!!!"
That should do it.
Please rate if helpful
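Both suggestions in this thread end up at the syslog server: either the server filters the native %DOT1X-5-FAIL messages out of the noise (Ian's approach), or it looks for the custom message the EEM applet emits (Antonio's approach). The following is an added example of that server-side filter, not code from the thread or from Cisco. It parses IOS-style syslog lines, drops the %DOT1X-5-SUCCESS messages, keeps the failures, and counts them per switch and per client MAC. The log lines are constructed samples; the exact field layout of %DOT1X-5-FAIL and the %HA_EM-4-LOG wrapper that IOS puts around an EEM `action syslog` message are assumptions based on common IOS output, so adjust the regexes to what your switches actually send.

```python
"""Server-side filter for 802.1X failure syslog from Cisco IOS switches.

Added example (not from the thread): keep only the failure messages
(native %DOT1X-5-FAIL and the custom EEM message from the applet above),
drop %DOT1X-5-SUCCESS, then count failures per switch and per client MAC.
"""
import re
from collections import Counter

# Constructed sample of what a syslog server might receive from the switches.
# The FAIL/SUCCESS field layout and the %HA_EM-4-LOG EEM wrapper are assumptions.
SAMPLE_LOG = """\
sw-core-01 101: *May  4 09:51:02.123: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/7
sw-core-01 102: *May  4 09:51:05.456: %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.ddee) on Interface Gi1/0/12
sw-site-02 55: *May  4 09:52:10.001: %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.ddee) on Interface Fa0/3
sw-site-02 56: *May  4 09:52:10.002: %HA_EM-4-LOG: dot1x-fail: DOT1X-FAILURE on : HEY!!! SOMEONE HAS FAILED AUTHENTICATION ON 10.1.1.1!!!
sw-core-01 103: *May  4 09:53:00.789: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4466) on Interface Gi1/0/8
sw-site-03 7: *May  4 09:54:30.000: %DOT1X-5-FAIL: Authentication failed for client (0022.3344.5566) on Interface Fa0/9
"""

# host, sequence number, optional '*' + timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+\d+:\s+\*?(?P<ts>\w+\s+\d+\s+[\d:.]+):\s+"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s+(?P<msg>.*)$"
)
# client MAC and interface inside the native DOT1X message (assumed layout)
FAIL_DETAIL_RE = re.compile(r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)")


def parse_line(line):
    """Split one IOS syslog line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def failure_source(rec):
    """Return 'native' for %DOT1X-5-FAIL, 'eem' for the applet's custom message, else None."""
    if rec["fac"] == "DOT1X" and rec["mnem"] == "FAIL":
        return "native"
    # The EEM applet in the thread tags its message with DOT1X-FAILURE; the
    # %HA_EM facility around it is an assumption about IOS's EEM syslog action.
    if rec["fac"] == "HA_EM" and "DOT1X-FAILURE" in rec["msg"]:
        return "eem"
    return None


def filter_dot1x_failures(text):
    """Keep only 802.1X failure records; successes and unrelated lines are dropped."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = failure_source(rec)
        if src is None:
            continue
        rec["source"] = src
        d = FAIL_DETAIL_RE.search(rec["msg"])
        rec["mac"] = d.group("mac") if d else None
        rec["intf"] = d.group("intf") if d else None
        out.append(rec)
    return out


def failures_per_switch(records, source="native"):
    """Count failures per switch, using one source only so a switch that sends
    both the native message and the EEM message is not double-counted."""
    return Counter(r["host"] for r in records if r["source"] == source)


def repeat_offenders(records, threshold=2):
    """Client MACs that failed at least `threshold` times, across all switches."""
    c = Counter(r["mac"] for r in records if r["mac"])
    return {mac: n for mac, n in c.items() if n >= threshold}


if __name__ == "__main__":
    recs = filter_dot1x_failures(SAMPLE_LOG)
    for r in recs:
        print(f'{r["host"]:12} {r["source"]:6} {r["intf"] or "-":10} {r["mac"] or "-"}')
    print("per switch:", dict(failures_per_switch(recs)))
    print("repeat offenders:", repeat_offenders(recs))
```

Counting by `source` matters on a switch that runs the applet: it will log both the native %DOT1X-5-FAIL line and the applet's custom line for the same event, so pick one of them for statistics. The per-MAC count is the part the original poster was after: one failure is usually a misconfigured supplicant, a MAC that fails on several ports or switches is worth a closer look.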