05-22-2020 07:12 AM
Hello,
I’m looking for a solution to have an e-mail notification when end-systems hit the reject rule, but with a kind of delay.
The NAC catch-all rule is configured for reject. For reject events, an alarm is configured with the action e-mail.
Windows Clients running 802.1X (EAP-TLS).
As the 802.1X supplicant starts when Windows is started, the switch is doing a mac-auth in the pre-Windows-start time, which hits the catch-all (reject) rule.
This results in a lot of false-positive alarms, because a few seconds or minutes later (depending on system boot time and speed) the system is authenticated correctly via 802.1X.
Is there a way to create a double check or a time delay or something like that, so that the alarm is only set when the reject status occurs for over 1 minute or so?
05-22-2020 11:50 AM
Hello Peter,
I’m thinking out loud right now, and here is what you could try (when it’s possible I’d love to try this out in my environment as well):
- email digest (Consolidate Email option under Administration > Options > Alarm) so that alarms are e-mailed not as they appear but e.g. every 5 minutes; plus NAC engine notification about State Accept or State Changed that triggers a log message, which is then taken as an alarm criteria for an alarm that takes no action, but is a clearing condition for auth reject alarm you already have; sounds like a lot of steps,
- a scheduled workflow or a Python script that grabs rejected end-systems and looks them up individually again after a few minutes, raises an alarm only if nothing got better; might be more elegant but I’ve no idea how that’s gonna scale with loads of end-systems and low intervals.
These are just my quick thoughts, what do you think?
I didn’t encounter such a requirement before, but indeed it sounds like a nice-to-have feature when you need to get alarms on every authentication failure that occurred.
Hope that helps,
Tomasz
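
The delayed re-check described in the second suggestion above, as an added example that is not part of either post and not the NAC product's own code. It assumes authentication events have already been collected as `(timestamp, MAC, state)` tuples; the sample events, the state names `REJECT`/`ACCEPT` and the function names are constructed for illustration, and the one-minute grace period is taken from the question.

```python
from datetime import datetime, timedelta

GRACE = timedelta(minutes=1)  # assumed delay, from the "1 minute or so" in the question
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (timestamp, MAC, state); not real NAC engine output.
EVENTS = [
    ("2020-05-22 07:00:05", "00:11:22:33:44:55", "REJECT"),  # mac-auth before Windows starts
    ("2020-05-22 07:00:40", "00:11:22:33:44:55", "ACCEPT"),  # 802.1X (EAP-TLS) succeeds
    ("2020-05-22 07:01:00", "66:77:88:99:AA:BB", "REJECT"),  # never authenticates
    ("2020-05-22 07:03:00", "66:77:88:99:aa:bb", "REJECT"),  # retry, same reject streak
    ("2020-05-22 07:04:50", "22:22:22:22:22:22", "REJECT"),  # too recent to judge
]

def reject_streaks(events, now):
    """Map each MAC that is in reject state at `now` to the start of its reject streak."""
    parsed = sorted((datetime.strptime(t, FMT), m.lower(), s) for t, m, s in events)
    streak = {}
    for ts, mac, state in parsed:
        if ts > now:
            break                        # ignore events later than the check time
        if state == "REJECT":
            streak.setdefault(mac, ts)   # keep the first reject; retries do not reset it
        else:
            streak.pop(mac, None)        # any non-reject state clears the pending alarm
    return streak

def alarms_due(events, now, grace=GRACE):
    """Return sorted MACs still rejected at `now` whose streak has lasted at least `grace`."""
    return sorted(mac for mac, start in reject_streaks(events, now).items()
                  if now - start >= grace)

if __name__ == "__main__":
    check_time = datetime.strptime("2020-05-22 07:05:00", FMT)
    for mac in alarms_due(EVENTS, check_time):
        print("ALARM: end-system still rejected:", mac)
```

Because only the first reject of a streak is stored per MAC, memory grows with the number of currently rejected end-systems rather than with the number of events.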