Delay in NAC reject notification

  • 22 May 2020
  • 1 reply

Userlevel 4


I’m looking for a solution to get an e-mail notification when end-systems hit the reject rule, but with a kind of delay.

The NAC catch-all rule is configured for reject. For reject events, an alarm is configured with the action e-mail.

Windows Clients running 802.1X (EAP-TLS).

As the 802.1X supplicant only starts when Windows is started, the switch does a MAC-auth in the pre-Windows-start time, which hits the catch-all (reject) rule.

This results in a lot of false-positive alarms, because a few seconds or minutes later (depending on system boot time and speed) the system is authenticated correctly via 802.1X.

Is there a way to create a double check or a time delay or something along those lines, so that the alarm is only set when the reject status occurs for over 1 minute or so?

1 reply

Userlevel 6

Hello Peter,

I’m thinking out loud right now about what you could try (when it’s possible I’d love to try this out in my environment as well):

- an e-mail digest (Consolidate Email option under Administration > Options > Alarm) so that alarms are e-mailed not as they appear but e.g. every 5 minutes; plus a NAC engine notification about State Accept or State Changed that triggers a log message, which is then taken as the alarm criteria for an alarm that takes no action but is a clearing condition for the auth reject alarm you already have; sounds like a lot of steps,

- a scheduled workflow or a Python script that grabs rejected end-systems and looks them up individually again after a few minutes, raising an alarm only if nothing got better; might be more elegant, but I’ve no idea how that is going to scale with loads of end-systems and low intervals.

These are just my quick thoughts, what do you think?

I didn’t encounter such a requirement before, but it indeed sounds like a nice-to-have feature when you need to get alarms on every authentication failure that occurred.

Hope that helps,
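The second suggestion in the reply above (hold reject events, look the end-systems up again after a delay, and alarm only on those still rejected), as an added example that is not code from this thread or from the vendor. The reject-event shape, the `lookup(mac)` callable that returns the live NAC state, and the sample MACs and timestamps are assumptions constructed for the demo:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List, Set

# Hypothetical shape of a reject event pulled from the NAC engine's end-system
# events; the real event feed/API is not part of this example.
@dataclass(frozen=True)
class RejectEvent:
    mac: str
    seen_at: datetime

class RejectDebouncer:
    """Hold reject events for a grace period; alarm only on end-systems still rejected.

    `lookup(mac)` is an assumed callable returning the end-system's current
    authentication state ("Accept", "Reject", ...) from the NAC engine.
    """

    def __init__(self, lookup: Callable[[str], str], grace: timedelta = timedelta(minutes=1)):
        self.lookup = lookup
        self.grace = grace
        self.pending: Dict[str, datetime] = {}  # mac -> time the first reject was seen
        self.alarmed: Set[str] = set()          # macs already alarmed, so each fires once

    def ingest(self, events: Iterable[RejectEvent]) -> None:
        """Queue new rejects, keeping the earliest timestamp per MAC."""
        for ev in events:
            self.pending.setdefault(ev.mac, ev.seen_at)

    def run(self, now: datetime) -> List[str]:
        """Re-check every pending MAC against the live state; return MACs to alarm on."""
        to_alarm = []
        for mac, first_seen in list(self.pending.items()):
            if self.lookup(mac) != "Reject":
                del self.pending[mac]  # recovered (e.g. 802.1X EAP-TLS succeeded): clear silently
            elif now - first_seen >= self.grace and mac not in self.alarmed:
                to_alarm.append(mac)   # still rejected after the grace period: a real alarm
                self.alarmed.add(mac)
        return to_alarm

def demo() -> List[List[str]]:
    """Constructed scenario: a Windows laptop that recovers via 802.1X, a printer that stays rejected."""
    t0 = datetime(2020, 5, 22, 8, 0, 0)
    laptop, printer = "00:11:22:33:44:55", "00:11:22:33:44:66"  # constructed sample MACs
    live_state = {laptop: "Accept", printer: "Reject"}          # constructed stand-in for the NAC lookup
    deb = RejectDebouncer(lookup=lambda mac: live_state.get(mac, "Unknown"))
    deb.ingest([RejectEvent(laptop, t0), RejectEvent(printer, t0)])
    return [deb.run(t0 + timedelta(seconds=30)),   # [] : too early, laptop already cleared
            deb.run(t0 + timedelta(seconds=90)),   # [printer] : still rejected after 1 minute
            deb.run(t0 + timedelta(seconds=150))]  # [] : no duplicate alarm on later runs
```

A scheduled run every minute with `ingest()` fed from the reject events and `run()` producing the e-mail list gives the 1-minute "still rejected" check the question asks for.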