ACS 4.2 not logging Failed attempts

Unanswered Question

I have 802.1x setup on a Catalyst 2950 switch with Cisco ACS 4.2 Radius server. Authentication and authorization for machine authentication is working fine. I see the records in the "passed authentication" cvs file on the ACS server. Problem is, when I test a random non authorized laptop by plugging in to a dot1x configured port, the authentication and authorization works by rejecting the laptop and the switch port remains unauthorized but the record is never logged in the "Failed Attempts" cvs file.

the only time I see entries in there is when I mess with the authorized computers credentials and kill thir authorizes status, they show up. I want to see when strangers wander up to a wall jack and try to gain access by seeing their attempts recorded.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
darpotter Thu, 05/08/2008 - 02:09

Check in the CSRadius service log. ALthough it shouldnt.. it probably depends how the overall authentication sequence is failing.

Sometimes errors mid-protocol cause the whole atempt to be aborted - in which case you might not see anything in the failed attempts.

If you try geniune laptop but enter the wrong password do you see a failure?

The Radius logs are only recording Start and Stops, which I also tried the switch to capture with the aaa accounting commands. Nothing there.

the authentication is Machine auth, using a certificate in AD. The Radius server(ACS) is configured to use external authentication and I have it setup with group mappings. When I intentially misconfigure that to get the laptop with the valid cert to fail its credentials, I do see the failed attempts. which tells me that the logging is working, but only for failed attempts by valid computers and that's of almost not use to me. I need to see when anonymous users are attempting the same thing. I am using a spare laptop that is not configured on my domain and therefore does not have a machine certificate.

I have gone back and forth with the switch config and have used guest-vlans, and no guest-vlans. The switchport AuthSM State always stays at "Connecting" and the PortStatus is at "Unauthorized" Which is the defualt it starts in. When I am using guest-vlans the port eventually goes to connected but its in the Guest-vlan. That tells me the switch is going through the EAP messages and determines there is no valid auth. In-fact I even see EAP-Fail in the debug dot1x outputs. So why would that not be logged on the Radius Server. The laptop pops up messages saying it couldn't find a valid certificate and in the network connections the interface status shows failed authentication. So windows is failing authentication.

More to this behavior....

I turned on debugging...

debug aaa accounting

Unplugged the rogue laptop and waited for my output. Nothing, no output.

Unplugged the valid computer and got lots of output. I read that the dot1x accounting records begin at a succesful auth with a start and endd with a stop when the computer logs out or shuts down.

Fine, so accounting doesn't work there but I should at least get authentication failures. So I turned off accounting debugs and turned on aaa authentication deubugs

debug aaa authentication.

Same drill, plugged in the rogue laptop and waited for output. Again, nothing. Not a single line. Now I'm pretty sure I should see aaa authentication debugs no matter what because I have aaa authentication dot1x enabled.

I unplugged my valid computer and plugged it in and saw lots of output from the debug.

This whole process only seems to work when i am testing an actual valid computer. This is driving me nuts. I'm trying to understand the process but fail to see why it only works with authenticated computers.

Jagdeep Gambhir Thu, 05/08/2008 - 07:07

Did you notice the same behavior in previous codes ? It should log when rouge system made an attempt to connect. It can be a new bug that needs to be investigated.

I would suggest to open a tac case.



I opened a TAC case yesterday. TAC wanted me to run a CSSupport script that packages a bunch of files into a file and send to him. the script did not create this, it created a bunch of files, one of which was 3GB. I emailed them back about this and have yet to get a response from them. Their response seems to be they ask me a question one day, I respond immediately, and they reply one more day later.

I didn't run a previous version. I just recently purchased this for the first time and got the 4.2 download from Cisco to install from scratch.

Yeah, I agree, why would the attempts not even show up in the debug for the rogue system but it will for the valid computer.

I'm reinstalling ACS from scratch again. I've hacked it so much this past week with efforts to clear this that I need to start fresh again.

Jagdeep Gambhir Thu, 05/08/2008 - 07:41

While running that script there is a option where you can set " Collect previous one day log only" . Make sure that is set to 1 day, recreate issue and get the new package.

If still it is huge, I suggest you to send these file from to tac.

Most recent : auth.log, rds.log, msinfo, radius accounting, failed and passed attempts.

Also if you have spare computer to test 4.1 behavior, I wud suggest to do so.

Note: In severity 3 cases it is not necessary that engineer will respond realtime, it depends of eng shift hours and workload.

For urgent issue you have option to call engineer or CRC and if needed raise the severity and have next available engineer to assist you.



Thanks for the response. I did select to only include the current day. some of the files are still huge. I'll send those files to them instead.

I will also try 4.1 as well to see.

What I thought was interresting was that the 2950 switch was not producing any output at all from either of the debugs I set

debug aaa accounting

debug aaa authentication

when I was testing the one switch port that the invalid computer was set to.

I just flashed the 2950 to 12.1(22).EA11 from EA10 but still no results.

I installed wireshark on the Radius server and then ran a packet capture. I initiated a re-authentication of a valid workstation port and saw the Access-Requests, Responses, Challenges, Accept, etc. The whole process runs as expected, which of course results in log entries on the Radius Server in the "passed authentication" log. I then initialized a re-auth of a port for the rogue laptop and saw not a single packet get captured. The cisco switch is simply not generating anything at all. Its definitely doing what its supposed to, and that's keep the port unauthorized but its also technically a failed attempt, and EAP fail. What's the point in having logging and failed attempts for access controls and not being able to see unauthorized devices trying to access the switchport?

The problem I think lies in the switch. Debug dot1x is the only output displayed in the console when trying auth-ing this rogue laptop port. Debugging Radius, accounting, or any of hte above definetely don't produce a single output.

However, If the Radius server passes the requests to AD for a valid computer certificate, AD would have to send back a failure of some kind so the switch knows to keep the port unauthorized. The dot1x debugs in the switch show the EAP-fails. How am I supposed to get Cisco ACS to log that failed authentication attempt?

Jagdeep Gambhir Thu, 05/08/2008 - 18:58

How would switch know that the connected PC is rouge ?

Try connecting a new laptop (which was never authenticated before) and see if switch forwards request to acs.



How would the switch know? It forwards the auth request to ACS, which queries its externally configured NT domain for a valid domain computer cert.

By the fact that the computer is not a domain menmber. And how would it know that? Because of a computer cert that is issued to only domain computers when they joined the domain.


This Discussion