
802.1X and SysLog

BlueyVIII
Level 1

Hello,

We're using 3750 and 3550 switches with 802.1X for authenticating devices to our network and I'd like to know how many times people try to connect unauthorised devices to the network.

Ideally, I'd like the switch to send a SysLog message to our Syslog server each time a device fails authentication. Is this possible?

I can see that it's possible to syslog all authentication attempts but we have a large network and sending successful authentications would seem pointless, and the failed ones would probably just get lost in the "noise".

If the Syslog method isn't possible is there another way to achieve this?

6 Replies

IAN WHITMORE
Level 4

Well I'm not sure about Cisco but you should be able to apply a filter on the syslog server to filter the accept messages and not log them if that is what you want. Are you using syslog-ng?

Thanks Ian...

I hadn't considered that - We're using CiscoWorks as the SysLog server so I'm pretty confident we could filter out the successful authentication messages.

That said, there are around 8,000 devices on our network so that would still be a lot of network traffic generated by the SysLog messages.

True, but they are generally only plain text messages and a few bytes in size...just make sure you have plenty of bandwidth on your links

What level of buffer logging do you typically run?  What is your baseline IOS version?  I may have an alternative solution.

The switches are typically connected by at least 1Gbps and the SysLog server has a 1Gbps connection. Some of our remote sites only have 10Mbps links but they mostly have less than 50 devices on site.

Antonio, the switches are running IOS 12.2(35) or above and the logging options are at default.

Would be interested in hearing your idea. Thanks.

If your logging buffer facility is such that a %DOT1X-5-FAIL message ('logging buffered notification' or higher) is generated in the buffer whenever dot1x authentication fails, you could have Embedded Event Manager (one of my favs) send an easy-to-find custom syslog message indicating that a failure was observed.  Here's an example:

!---Let's create an EEM applet---

Switch(config)#event manager applet dot1x-fail

!---Define an event to act on, in this case a dot1x fail log message in the buffer---

Switch(config-applet)#event syslog pattern "%DOT1X-5-FAIL: Authentication failed"

!---Define what to do when we see the log message, let's send a custom syslog at warning level to the syslog server---

Switch(config-applet)#action 1.0 syslog priority warning msg "DOT1X-FAILURE on : HEY!!! SOMEONE HAS FAILED AUTHENTICATION ON 10.1.1.1!!!"

That should do it.

Please rate if helpful
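Both suggestions in this thread put together, as an added Python example that is not from the thread or from Cisco: a server-side filter that drops the %DOT1X-5-SUCCESS noise Ian mentions and keeps either the native %DOT1X-5-FAIL line or the custom message from Antonio's EEM applet, then counts failures per switch and flags a MAC that failed on more than one port. The stored line format, hostnames, MACs and interfaces are constructed assumptions about how a syslog server might write the messages, not real data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of lines as a syslog server might store them from the
# switches in the thread (hostnames, MACs, interfaces and counters are made up).
SAMPLE_SYSLOG = """\
<189>sw-floor1: 45: *Mar  1 10:02:11.101: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface FastEthernet0/3
<189>sw-floor1: 46: *Mar  1 10:02:15.204: %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.ddee) on Interface FastEthernet0/7
<188>sw-floor1: 47: *Mar  1 10:02:15.210: %HA_EM-4-LOG: dot1x-fail: DOT1X-FAILURE on : HEY!!! SOMEONE HAS FAILED AUTHENTICATION ON 10.1.1.1!!!
<189>sw-remote2: 12: *Mar  1 10:05:00.001: %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.ddee) on Interface FastEthernet0/12
<189>sw-remote2: 13: *Mar  1 10:05:30.330: %DOT1X-5-SUCCESS: Authentication successful for client (0099.8877.6655) on Interface FastEthernet0/1
<189>sw-remote2: 14: *Mar  1 10:06:02.002: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface FastEthernet0/12
"""

# Native IOS failure message: keep the switch name, client MAC and port.
FAIL_RE = re.compile(
    r"^<\d+>(?P<host>[^:\s]+):.*%DOT1X-5-FAIL: Authentication failed for client "
    r"\((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface (?P<intf>\S+)"
)
# The custom message from the EEM applet in the thread; its text is the applet's "msg".
EEM_RE = re.compile(r"^<\d+>(?P<host>[^:\s]+):.*DOT1X-FAILURE on ")

def is_failure(line):
    """Filter rule for the syslog server: True for either failure form, False for
    %DOT1X-5-SUCCESS and everything else, so successes never need to be stored."""
    return bool(FAIL_RE.search(line) or EEM_RE.search(line))

def parse_failures(text):
    """Return (host, mac, interface) for each native %DOT1X-5-FAIL line."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            out.append((m.group("host"), m.group("mac"), m.group("intf")))
    return out

def failures_per_switch(text):
    """How many failed 802.1X attempts each switch reported."""
    return Counter(host for host, _, _ in parse_failures(text))

def macs_on_multiple_ports(text):
    """MACs that failed on more than one (switch, port): one device being plugged
    into several ports is more interesting than a single failed attempt."""
    ports = defaultdict(set)
    for host, mac, intf in parse_failures(text):
        ports[mac].add((host, intf))
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}
```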
