Unknown User in "Failed Attempts" Log

sometechguy
Level 1

The "Failed Attempts" log on the ACS 4.1 began showing entries that I do not understand. The backend is Active Directory.

Basically, the entry is in this format:

date,time,authen failed,foreigndomain\user,localadmingroupname,callerid,External DB user invalid or bad password,... etc.

This is what I don't understand: It appears that the "foreigndomain\user" entry must be a foreign device that is trying to authenticate to our wireless environment (PEAP). But why is it showing the group name as our ACS administrators group!? Shouldn't it see the "foreigndomain\user" as another group like "Default Group"? I have the "\Default" group mapping set to "Default Group".

Thank you.

1 Reply

tjlavelle7
Level 1

We have a similar thing occur when a group mapping cannot be found: it logs the failed attempt against the first group in ACS.

Is "group 1" named "ACS administrators"?

I don't think it means much, as I assume group mapping only occurs if an authentication attempt is successful? It seems there is a bug in that ACS needs to put something in the log entry for group and so uses the first group name rather than N/A, blank, or something to that effect.
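Following the reply above, one way to triage an exported "Failed Attempts" log so that the group column on a failed entry is not read as a privilege indicator. This is an added example, not code from either poster or from Cisco; the column labels, the sample lines, the `CORP` local domain and the group names are constructed assumptions based on the format quoted in the question.

```python
import csv
from collections import Counter
from io import StringIO

# Column order follows the format quoted in the question; the labels are chosen here.
FIELDS = ["date", "time", "message", "user", "group", "caller_id", "failure_reason"]

# Constructed sample lines (not real log data). CORP is assumed to be the local AD domain.
SAMPLE = """\
01/15/2009,09:12:44,Authen failed,FOREIGN\\jdoe,ACS Administrators,00-11-22-33-44-55,External DB user invalid or bad password
01/15/2009,09:13:02,Authen failed,FOREIGN\\jdoe,ACS Administrators,00-11-22-33-44-55,External DB user invalid or bad password
01/15/2009,09:20:10,Authen failed,CORP\\asmith,Wireless Users,00-aa-bb-cc-dd-ee,External DB user invalid or bad password
01/15/2009,09:21:37,Authen failed,OTHERCO\\guest,ACS Administrators,00-66-77-88-99-00,External DB user invalid or bad password
"""

def parse(text):
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) < len(FIELDS):
            continue  # skip blank or truncated lines
        row = dict(zip(FIELDS, (f.strip() for f in rec)))
        domain, sep, _name = row["user"].partition("\\")
        row["domain"] = domain.upper() if sep else ""
        rows.append(row)
    return rows

def triage(rows, local_domains, first_group):
    foreign, local = Counter(), []
    for row in rows:
        if "failed" not in row["message"].lower():
            continue
        # Per the reply's observation: a failure with no group mapping is logged
        # against the first ACS group, so that name says nothing about the account.
        row["group_reliable"] = row["group"] != first_group
        if row["domain"] and row["domain"] not in local_domains:
            # Count foreign-domain failures per (domain, caller id) to spot repeat devices.
            foreign[(row["domain"], row["caller_id"])] += 1
        else:
            local.append(row)
    return foreign, local

if __name__ == "__main__":
    foreign, local = triage(parse(SAMPLE), {"CORP"}, "ACS Administrators")
    for (domain, caller), count in foreign.most_common():
        print(f"{domain} from {caller}: {count} failed attempt(s)")
    print(f"{len(local)} local-domain failure(s) left for normal review")
```

Set `first_group` to whatever group occupies the first slot in your ACS group list, and review local-domain failures separately from the foreign-domain counts.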
