Switch logs buffering up when PCs go to sleep

Zakitis
Level 1

Hi guys,

I'm implementing NAC on my organisation's nodes and I've noticed that every time a PC goes to sleep it creates an authentication log on the switch which, multiplied by the various PCs connected, fills up the log buffer with multiple lines like the one below:

Jan 10 06:44:08.267 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (aaaa.bbbb.cccc) with reason (No Response from Client) on Interface Gi1/0/1 AuditSessionID #########################

I am wondering if there is any way of discarding these specific events as it overlaps with other logs.

I'd appreciate any suggestions.

Here's my default port build:

 

SWNAME-9200-E1#

interface GigabitEthernet1/0/1
description ** NODE/PORT_ID **
switchport access vlan DATA_VLAN
switchport mode access
switchport voice vlan VOICE_VLAN
switchport port-security maximum 3
switchport port-security violation protect
switchport port-security aging time 2
switchport port-security aging type inactivity
switchport port-security
no logging event link-status
authentication event fail action authorize vlan NAC_VLAN
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event no-response action authorize vlan NAC_VLAN
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 600
authentication timer unauthorized 60
authentication violation replace
mab
trust device cisco-phone
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level bps 20m
storm-control multicast level bps 25m
storm-control action trap
auto qos voip cisco-phone
macro description AccessEdgeQoS
spanning-tree portfast
service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 30
end

1 Accepted Solution

Hello,

a logging discriminator as suggested by @Zakitis is definitely a good idea. In order to not drop all DOT1X-5-FAIL syslog messages, you could add something to the 'msg-body', such as 'Response' (something that is unique to the specific logs you don't want to see), and which will allow other relevant DOT1X logs to still show up.

logging discriminator DOT1X facility drops DOT1X-5-FAIL msg-body drops Response

Apply the logging discriminator:

SWNAME-9200-E1(config)#logging buffered discriminator DOT1X 100000
SWNAME-9200-E1(config)#logging console discriminator DOT1X
SWNAME-9200-E1(config)#logging monitor discriminator DOT1X
SWNAME-9200-E1(config)#logging host <IP_ADDRESS> discriminator DOT1X
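
As an added check that is not part of the thread or of Cisco's own code, this Python model of a logging discriminator runs the accepted answer's filter over constructed sample messages so the operator can see exactly which lines will disappear from the buffer, console and syslog host before the filter is applied. It assumes that the facility pattern is matched against the FACILITY-SEVERITY-MNEMONIC token and that a message is dropped only when all of the discriminator's conditions match; both are assumptions to verify against the IOS XE release in use.

```python
"""Offline model of an IOS-XE 'logging discriminator', used to check which
messages the filter from the accepted answer drops before it is attached to
the buffer, console and syslog host."""
import re
from dataclasses import dataclass

# Standard system message: <timestamp>: %FACILITY-SEVERITY-MNEMONIC: <body>
_HDR = re.compile(r"%(?P<fsm>[A-Z0-9_]+-[0-7]-[A-Z0-9_]+): (?P<body>.*)$")


@dataclass(frozen=True)
class Rule:
    field: str   # "facility" (assumed to match FACILITY-SEV-MNEMONIC), "mnemonics" or "msg-body"
    mode: str    # "drops" (matching messages are filtered) or "includes" (only matching ones pass)
    regex: str


class Discriminator:
    def __init__(self, name, rules):
        self.name, self.rules = name, list(rules)

    def passes(self, line):
        """True when the message survives. Assumption, not stated on the page:
        a message is dropped only when every rule of the discriminator selects it."""
        m = _HDR.search(line)
        if not m:
            return True                      # not a system message; leave it alone
        fsm, body = m.group("fsm"), m.group("body")
        subject = {"facility": fsm, "mnemonics": fsm.split("-", 2)[2], "msg-body": body}
        for r in self.rules:
            hit = re.search(r.regex, subject[r.field]) is not None
            if r.mode == "drops" and not hit:
                return True                  # this drop condition did not apply
            if r.mode == "includes" and not hit:
                return False                 # a required pattern is absent
        return not any(r.mode == "drops" for r in self.rules)


def split(disc, lines):
    """Return (kept, dropped) so the operator can review what the filter hides."""
    kept = [l for l in lines if disc.passes(l)]
    return kept, [l for l in lines if l not in kept]


# The answer's filter: DOT1X-5-FAIL messages whose body mentions 'Response'.
DOT1X = Discriminator("DOT1X", [Rule("facility", "drops", "DOT1X-5-FAIL"),
                                Rule("msg-body", "drops", "Response")])

# Constructed sample messages modelled on the one in the question (AuditSessionID values are placeholders).
SAMPLE = [
    "Jan 10 06:44:08.267 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (aaaa.bbbb.cccc) with reason (No Response from Client) on Interface Gi1/0/1 AuditSessionID <placeholder>",
    "Jan 10 06:45:10.001 GMT: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (aaaa.bbbb.dddd) with reason (Cred Fail) on Interface Gi1/0/2 AuditSessionID <placeholder>",
    "Jan 10 06:45:12.500 GMT: %DOT1X-5-SUCCESS: Switch 1 R0/0: sessmgrd: Authentication successful for client (aaaa.bbbb.eeee) on Interface Gi1/0/3 AuditSessionID <placeholder>",
    "Jan 10 06:46:00.000 GMT: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (aaaa.bbbb.ffff) with reason (No Response from Client) on Interface Gi1/0/4 AuditSessionID <placeholder>",
]

if __name__ == "__main__":
    kept, dropped = split(DOT1X, SAMPLE)
    print(f"{len(dropped)} message(s) hidden, {len(kept)} still logged")
```

Only the sleeping-PC failure is hidden; failures with another reason, the success message and the MAB failure that also says "No Response" all remain, which is the behaviour the answer is after.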

 


5 Replies

marce1000
VIP

 

- Have a look at https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/configuration/xe-16-5/esm-xe-16-5-book/reliable-del-filter.html#GUID-7E6C6FC3-7050-49F3-A2E3-CD980957B255

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thank you!

I am testing this with one of my nodes. I have applied it as follows:

logging discriminator noresponse facility drops %DOT1X-5-FAIL(:)

I'm aware that it will discriminate everything that contains %DOT1X-5-FAIL(:), which will also include possibly relevant authentication logs.

Friend, as I mentioned before, port security with 802.1x has many restrictions, so remove the port-security from only one port and check the MAC and the log for that port.

MHM


Thanks a lot!

That's very helpful.
