01-10-2024 02:33 AM
Hi guys,
I'm implementing NAC on my organisation's nodes and I've noticed that every time a PC goes to sleep it creates an authentication log on the switch. Multiplied by the various PCs connected, this fills up the log buffer with multiple lines like the one below:
Jan 10 06:44:08.267 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (aaaa.bbbb.cccc) with reason (No Response from Client) on Interface Gi1/0/1 AuditSessionID #########################
I am wondering if there is any way of discarding these specific events, as they overlap with other logs.
I'd appreciate any suggestions.
Here's my default port build:
SWNAME-9200-E1#
interface GigabitEthernet1/0/1
description ** NODE/PORT_ID **
switchport access vlan DATA_VLAN
switchport mode access
switchport voice vlan VOICE_VLAN
switchport port-security maximum 3
switchport port-security violation protect
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
no logging event link-status
authentication event fail action authorize vlan NAC_VLAN
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event no-response action authorize vlan NAC_VLAN
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 600
authentication timer unauthorized 60
authentication violation replace
mab
trust device cisco-phone
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level bps 20m
storm-control multicast level bps 25m
storm-control action trap
auto qos voip cisco-phone
macro description AccessEdgeQoS
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 30
end
01-10-2024 05:48 AM
Hello,
a logging discriminator as suggested by @Zakitis is definitely a good idea. In order to not drop all DOT1X-5-FAIL syslog messages, you could add something to the 'msg-body', such as 'Response' (something that is unique to the specific logs you don't want to see), and which will allow other relevant DOT1X logs to still show up.
logging discriminator DOT1X facility drops DOT1X-5-FAIL msg-body drops Response
Apply the logging discriminator:
SWNAME-9200-E1(config)#logging buffered discriminator DOT1X 100000
SWNAME-9200-E1(config)#logging console discriminator DOT1X
SWNAME-9200-E1(config)#logging monitor discriminator DOT1X
SWNAME-9200-E1(config)#logging host <IP_ADDRESS> discriminator DOT1X
01-10-2024 02:46 AM
M.
01-10-2024 03:49 AM
Thank you!
I am testing this with one of my nodes. I have applied it as follows:
logging discriminator noresponse facility includes %DOT1X-5-FAIL(:)
I'm aware that it will discriminate everything that contains %DOT1X-5-FAIL(:), which will also include possibly relevant authentication logs.
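The difference between the broad pattern tried above (everything carrying %DOT1X-5-FAIL) and the narrower body-based pattern from the accepted answer can be checked offline before touching the switch. The following is an added example, not code from the original thread or from Cisco: it parses the %FACILITY-SEVERITY-MNEMONIC tag of a few constructed syslog lines (MACs, interfaces and the second failure reason are made up, the AuditSessionID is a placeholder) and applies a simplified model of a logging discriminator. The model assumes that a message is logged only if it passes every subfilter, that a "drops" subfilter fails a message when its regex matches and an "includes" subfilter fails it when the regex does not match, and that "facility" is matched against the facility word alone (DOT1X) rather than the whole tag. Those are assumptions about IOS behaviour; confirm them against the platform documentation and with "show logging" on a test port before relying on the result.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the shape shown in the original post. Only the
# first one is the sleep-related noise the thread wants to suppress.
SAMPLE_LOG = """\
Jan 10 06:44:08.267 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (aaaa.bbbb.cccc) with reason (No Response from Client) on Interface Gi1/0/1 AuditSessionID AUDIT_ID_PLACEHOLDER
Jan 10 06:44:09.101 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (aaaa.bbbb.dddd) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID AUDIT_ID_PLACEHOLDER
Jan 10 06:44:10.512 GMT: %DOT1X-5-SUCCESS: Switch 1 R0/0: sessmgrd: Authentication successful for client (aaaa.bbbb.eeee) on Interface Gi1/0/3 AuditSessionID AUDIT_ID_PLACEHOLDER
Jan 10 06:44:11.004 GMT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (aaaa.bbbb.ffff) on Interface Gi1/0/4 AuditSessionID AUDIT_ID_PLACEHOLDER
"""

# Cisco message tag layout: %FACILITY-SEVERITY-MNEMONIC: message body
TAG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<body>.*)$"
)


def parse_line(line):
    """Split one syslog line into the fields a discriminator subfilter can match on."""
    m = TAG_RE.search(line)
    if not m:
        return None
    return {
        "facility": m["facility"],
        "severity": int(m["severity"]),
        "mnemonics": m["mnemonic"],
        "msg-body": m["body"],
    }


@dataclass(frozen=True)
class Subfilter:
    field: str   # "facility", "mnemonics" or "msg-body"
    mode: str    # "drops" or "includes"
    regex: str   # pattern applied to that field


def passes(fields, subfilters):
    """Assumed rule: the message is logged only if it passes every subfilter.
    A 'drops' subfilter fails the message when its regex matches; an 'includes'
    subfilter fails it when the regex does not match."""
    for sf in subfilters:
        hit = re.search(sf.regex, fields[sf.field]) is not None
        if sf.mode == "drops" and hit:
            return False
        if sf.mode == "includes" and not hit:
            return False
    return True


def apply_discriminator(log_text, subfilters):
    """Return the lines that would survive the filter and reach the log buffer.
    Lines without a recognisable tag are passed through untouched."""
    kept = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None or passes(fields, subfilters):
            kept.append(line)
    return kept


# Broad: drop every message whose mnemonic contains FAIL. This also silences
# credential failures and MAB failures, which is what the poster was worried about.
BROAD = [Subfilter("mnemonics", "drops", "FAIL")]

# Narrow: drop only bodies carrying the sleep-related reason string, so other
# DOT1X and MAB failures still reach the buffer.
NARROW = [Subfilter("msg-body", "drops", r"No Response from Client")]

if __name__ == "__main__":
    for name, rule in (("broad", BROAD), ("narrow", NARROW)):
        survivors = apply_discriminator(SAMPLE_LOG, rule)
        print(f"{name}: {len(survivors)} of {len(SAMPLE_LOG.splitlines())} lines kept")
        for line in survivors:
            print("   ", line[:60], "...")
```

The point the run makes is that the broad rule leaves only the success message, while the narrow body pattern keeps the credential failure and the MAB failure, which are exactly the events you want in the buffer when investigating a NAC problem. Before deploying the real discriminator, feed it a short capture from "show logging" on a single test port and compare what disappears with what this model predicts.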
01-10-2024 03:00 AM
Friend, as I mentioned before,
port security with 802.1x has many restrictions,
so remove the port-security on only one port
and check the MAC and log for that port.
MHM
01-10-2024 06:12 AM
Thanks a lot!
That's very helpful.