Show Failed authentication requests for management access

  • Question
  • Updated 3 years ago
  • Answered
Hello everybody,

is there a way to show failed authentication requests (management access) from network devices not connected to the NAC?

If the network device (e.g. a switch) is connected to the NAC (the switch is added to the NAC Appliance Group) and a user tries to log in with wrong credentials, I can see a log entry in the "NAC Appliance Events" list.

But if I configure a device to use the NAC as RADIUS server and do not add the device to the NAC Appliance Group, I can't see an attempt to authenticate on the device.

In my opinion it would be useful to see these attempts, for example to spot a DoS or a wrongly configured device.

Is there a way to show these attempts in any log (Syslog, NAC Appliance Events, ...)?

Thank you for your help.

Best regards
Tim
TimTom

Posted 3 years ago

Mike Thomas, Employee - GTAC - NMS
Tim, are you stating that a switch is using the client as RADIUS access for management only, and you want a record of failed attempts to do so?
Yes, these are not considered End Station Events.
However, we may be able to view them using Webview to the NAC, or by viewing its RADIUS logs.
But please try to confirm if this is what you're asking.
TimTom
Hello Mike,

yes, I am interested only in failed attempts during management access, and only for access attempts from switches not configured on the NAC.

I know that I can see a lot of information in the debug on the NAC Webview, but I hope there is easy access for example for hotline staff (e.g. syslog, ...).

Best regards
Stephan
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello,

Unfortunately, if the switch is not configured in the NAC Manager's "Switches" tab, the behavior of the system is to discard the RADIUS request. You can look into /var/log/radius/radius.log for the following message:

Sun Nov 15 22:21:00 2015 : Error: Ignoring request to authentication address 10.0.1.202 port 1812 from unknown client 10.0.1.200 port 53955

This would indicate there was a switch/device on the network attempting to send RADIUS requests to the NAC appliance that is not configured as an acceptable device.

Unfortunately, since the request is not processed, the NAC cannot determine what type of authentication request it is, so it won't show up in the NAC appliance events or end system events.

Thanks
-Ryan
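Since the dropped requests only surface in radius.log, a small parser over that file gives hotline staff the per-device visibility the question asks for (a repeat offender points at a misconfigured switch or a flood). This is an added example, not code from the thread or from the NAC product; the log lines below are constructed to match the message format Ryan quoted, and the function names and threshold are my own.

```python
"""Find RADIUS requests the NAC dropped because the sender is not a configured
switch, by scanning radius.log for the 'unknown client' error message."""
import re
from collections import Counter
from datetime import datetime

# Matches the radius.log line format quoted in the answer above.
UNKNOWN_CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Error: "
    r"Ignoring request to (?P<req>\w+) address (?P<dst>[\d.]+) port (?P<dport>\d+) "
    r"from unknown client (?P<src>[\d.]+) port (?P<sport>\d+)$"
)

# Constructed sample of /var/log/radius/radius.log content (not a real capture).
SAMPLE_LOG = """\
Sun Nov 15 22:21:00 2015 : Error: Ignoring request to authentication address 10.0.1.202 port 1812 from unknown client 10.0.1.200 port 53955
Sun Nov 15 22:21:03 2015 : Info: Ready to process requests.
Sun Nov 15 22:21:07 2015 : Error: Ignoring request to authentication address 10.0.1.202 port 1812 from unknown client 10.0.1.200 port 53956
Sun Nov 15 22:21:09 2015 : Error: Ignoring request to accounting address 10.0.1.202 port 1813 from unknown client 10.0.1.210 port 40011
Sun Nov 15 22:21:12 2015 : Error: Ignoring request to authentication address 10.0.1.202 port 1812 from unknown client 10.0.1.200 port 53957
"""


def parse_unknown_clients(text):
    """Return one dict per dropped request: timestamp, request type, src/dst."""
    events = []
    for line in text.splitlines():
        m = UNKNOWN_CLIENT_RE.match(line)
        if not m:
            continue  # any other log line is not a dropped request
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
        events.append(ev)
    return events


def count_by_source(events):
    """Dropped requests per unconfigured sender, most frequent first."""
    return Counter(ev["src"] for ev in events).most_common()


def noisy_sources(events, threshold=3):
    """Senders at or above the (assumed) threshold: candidates for a device
    that should be added to the Switches tab, or for a flood worth a look."""
    return [src for src, n in count_by_source(events) if n >= threshold]


if __name__ == "__main__":
    evs = parse_unknown_clients(SAMPLE_LOG)
    for src, n in count_by_source(evs):
        print(f"{src}: {n} dropped request(s)")
    print("review:", noisy_sources(evs))
```

On the appliance itself the same logic can be fed from the real file, e.g. `parse_unknown_clients(open("/var/log/radius/radius.log").read())`.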