Show Failed authentication requests for management access
‎11-10-2015 08:46 AM
Hello everybody,
Is there a way to show failed authentication requests (management access) from network devices not connected to the NAC?
If the network device (e.g. a switch) is connected to NAC (the switch is added to the NAC Appliance Group) and a user tries to log in with wrong credentials, I can see a log entry in the "NAC Appliance Events" list.
But if I configure a device to use the NAC as RADIUS and do not add the device to the NAC Appliance Group, I can't see an attempt to authenticate on the device.
In my opinion it would be useful to see these attempts, for example to see a DoS or a wrongly configured device.
Is there a way to show these attempts in any log (Syslog, NAC Appliance Events, ...)?
Thank you for your help.
Best regards
Tim
3 REPLIES
‎11-16-2015 02:26 AM
Hello,
Unfortunately, if the switch is not configured in the NAC Manager's "Switches" tab, the behavior of the system is to discard the RADIUS request. You can look in /var/log/radius/radius.log for the following message:
Sun Nov 15 22:21:00 2015 : Error: Ignoring request to authentication address 10.0.1.202 port 1812 from unknown client 10.0.1.200 port 53955
This would indicate there was a switch/device on the network attempting to send RADIUS requests to the NAC appliance that is not configured as an acceptable device.
Unfortunately, since the request is not processed, the NAC cannot determine what type of authentication request it is, so it won't show up in the NAC appliance events or end system events.
Thanks
-Ryan
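One way to turn the radius.log message quoted above into a per-device summary that hotline staff can read, as an added example that is not part of the original thread or of the vendor's tooling. It assumes the line format shown in the reply; the one-minute window, the threshold of 5 and every sample line except the first are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line format as quoted in the reply above (assumed stable across entries).
UNKNOWN_CLIENT = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : Error: Ignoring request "
    r"to authentication address (?P<dst>\S+) port (?P<dport>\d+) "
    r"from unknown client (?P<src>\S+) port \d+$"
)

def parse_rejects(lines):
    """Yield (timestamp, source_ip, dest_ip, dest_port) per discarded request."""
    for line in lines:
        m = UNKNOWN_CLIENT.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["src"], m["dst"], int(m["dport"])

def summarize(lines, window=timedelta(minutes=1), burst=5):
    """Per unknown client: count, first/last seen, peak requests inside any
    sliding `window`, and a burst flag (possible DoS or retry loop)."""
    seen = defaultdict(list)
    for ts, src, _dst, _dport in parse_rejects(lines):
        seen[src].append(ts)
    report = {}
    for src, stamps in seen.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop entries older than window
                start += 1
            peak = max(peak, end - start + 1)
        report[src] = {"count": len(stamps), "first": stamps[0],
                       "last": stamps[-1], "peak": peak, "burst": peak >= burst}
    return report

# Constructed sample input; only the first entry is the line from the thread.
FMT = ("{} : Error: Ignoring request to authentication address 10.0.1.202 "
       "port 1812 from unknown client {} port {}")
SAMPLE = [FMT.format("Sun Nov 15 22:21:00 2015", "10.0.1.200", 53955)]
SAMPLE += [FMT.format(f"Sun Nov 15 22:30:{s:02d} 2015", "10.0.1.77", 40000 + s)
           for s in range(0, 50, 10)]
SAMPLE += ["Sun Nov 15 22:40:00 2015 : Info: unrelated line (constructed)",
           FMT.format("Sun Nov 15 23:05:00 2015", "10.0.1.200", 53960)]

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE).items()):
        flag = "BURST" if info["burst"] else "ok"
        print(f"{src} count={info['count']} peak/min={info['peak']} "
              f"first={info['first']} last={info['last']} {flag}")
```

A single request from an unknown address usually points to a device that was never added to the "Switches" tab; a burst from one address is the case worth forwarding to syslog or a ticket.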
‎11-15-2015 08:25 PM
Hello Mike,
Yes, I am interested only in failed attempts during management access and only for access attempts from switches not configured on NAC.
I know that I can see a lot of information in the debug on the NAC Webview, but I hope there is an easy access for example for hotline staff (e.g. syslog, ...).
Best regards
Stephan
‎11-13-2015 11:56 AM
Tim, are you stating that a switch is using the client as RADIUS access for management only, and you want a record of failed attempts to do so?
Yes, these are not considered End Station Events.
However, we may be able to view them using Webview to the NAC, or viewing its RADIUS logs.
But please try to confirm if this is what you're asking.
