
Show Failed authentication requests for management access

TimTom
New Contributor
Hello everybody,

is there a way to show failed authentication requests (management access) from network devices not connected to the NAC?

If the network device (e. g. a switch) is connected to NAC (switch is added to the NAC Appliance Group) and a user tries to log in with wrong credentials, I can see a log entry in the "NAC Appliance Events" list.

But if I configure a device to use the NAC as RADIUS and do not add the device to the NAC Appliance Group, I can't see an attempt to authenticate on the device.

In my opinion it would be useful to see these attempts, for example to see a DoS or a wrongly configured device.

Is there a way to show these attempts in any log (Syslog, NAC Appliance Events ...)?

Thank you for the help.

Best regards
Tim

3 REPLIES 3

Ryan_Yacobucci
Extreme Employee
Hello,

Unfortunately, if the switch is not configured in the NAC Manager's "Switches" tab, the behavior of the system is to discard the RADIUS request. You can look in /var/log/radius/radius.log for the following message:

Sun Nov 15 22:21:00 2015 : Error: Ignoring request to authentication address 10.0.1.202 port 1812 from unknown client 10.0.1.200 port 53955

This would indicate there was a switch/device on the network attempting to send RADIUS requests to the NAC appliance that is not configured as an acceptable device.

Unfortunately, since the request is not processed, the NAC cannot determine what type of authentication request it is, so it won't show up in the NAC appliance events or end system events.

Thanks
-Ryan
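
An added example, not part of the reply above and not Extreme's own tooling: a small parser that pulls the "unknown client" lines out of radius.log and summarizes them per source address, so discarded requests from unconfigured devices become visible without the debug view. The sample log lines other than the one quoted in the thread, the function names and the `burst` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the "unknown client" line quoted in the reply above.
UNKNOWN_CLIENT = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Error: "
    r"Ignoring request to \S+ address (?P<dst>\S+) port (?P<dport>\d+)"
    r".*? from unknown client (?P<src>\S+) port \d+$"
)

# Constructed sample: the second line is the one from the thread, the rest are made up.
SAMPLE = """\
Sun Nov 15 22:20:58 2015 : Info: Ready to process requests
Sun Nov 15 22:21:00 2015 : Error: Ignoring request to authentication address 10.0.1.202 port 1812 from unknown client 10.0.1.200 port 53955
Sun Nov 15 22:21:02 2015 : Error: Ignoring request to authentication address 10.0.1.202 port 1812 from unknown client 10.0.1.200 port 53956
Sun Nov 15 22:21:05 2015 : Error: Ignoring request to authentication address 10.0.1.202 port 1812 from unknown client 10.0.1.200 port 53957
Sun Nov 15 22:25:41 2015 : Error: Ignoring request to authentication address 10.0.1.202 port 1812 from unknown client 10.0.1.77 port 40112
"""

def summarize_unknown_clients(lines):
    """Group discarded requests by source address: count, first/last seen, targets."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "targets": set()})
    for line in lines:
        m = UNKNOWN_CLIENT.match(line.strip())
        if not m:
            continue  # any other radius.log message
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        e = seen[m["src"]]
        e["count"] += 1
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
        e["targets"].add(f'{m["dst"]}:{m["dport"]}')
    return dict(seen)

def report(summary, burst=3):
    """One line per unknown source, busiest first; sources with >= burst hits are flagged."""
    rows = []
    for src, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        flag = " BURST" if e["count"] >= burst else ""
        rows.append(f'{src} count={e["count"]} first={e["first"]:%Y-%m-%d %H:%M:%S} '
                    f'last={e["last"]:%Y-%m-%d %H:%M:%S} '
                    f'to={",".join(sorted(e["targets"]))}{flag}')
    return rows

if __name__ == "__main__":
    # On the appliance, pass open("/var/log/radius/radius.log") instead of the sample.
    print("\n".join(report(summarize_unknown_clients(SAMPLE.splitlines()))))
```

A source that repeats within seconds points at a retrying or misconfigured device (or a flood), while a single hit is more likely a one-off test.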

TimTom
New Contributor
Hello Mike,

Yes, I am interested only in failed attempts during management access, and only for access attempts from switches not configured on NAC.

I know that I can see a lot of information in the debug on the NAC Webview, but I hope there is an easy access, for example for hotline staff (e. g. syslog, ...).

Best regards
Stephan

Mike_Thomas
Extreme Employee
Tim, are you stating that a switch is using the client as RADIUS access for management only, and you want a record of failed attempts to do so?
Yes, these are not considered End Station Events.
However, we may be able to view them using Webview to the NAC, or by viewing its RADIUS logs.
But please try to confirm if this is what you're asking.
