ACS / Tacacs and Failed Attempts

Unanswered Question
Mar 16th, 2009

In our aaa implementation we use tacacs with the local db as backup. Well, I'm trying to harden security. I know IOS has this nice little command:

“login on-failure log every x”

This would be great so we could at least see the syslog message and have an idea if someone is trying to get into a piece of our equipment without having to try and watch the "Failed Attempts" report in ACS - but given we are using Tacacs, the only way this will throw a message is if ACS isn't available.

I'd like to know if there is a way for ACS to give us this information. Or, to get syslog messages to get thrown.


soldnermichael Wed, 03/18/2009 - 09:19

Yep - I was just hoping for some more granularity since all of our wireless devices enterprise-wide authenticate against ACS. I only want to know about the failed tacacs attempts.

Jesse Wiener Wed, 03/18/2009 - 09:38

So you only want to see syslog message for tacacs failures not for wireless auth failures. I am not sure how you would do that from ACS.

If it were me I would use a splunk syslog server and send all of the failures to it. Then in splunk I would set up a filter to only display the NAS-IP-Addresses that I was interested in.

Or if I had MARS I would set up a rule in that to look for login failures on those devices to trigger a notification.

What is your syslog server now?
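The NAS-IP-Address filtering described in this reply, as an added example that is not part of the thread: a small Python filter over constructed ACS failed-attempt lines (the key=value layout and the device inventory are assumptions, not the real ACS export format) that keeps only failures from the TACACS+ network devices and flags repeated failures per device and user.

```python
import re
from collections import Counter

# Constructed sample lines. The key=value layout is an assumed simplification
# of an ACS "Failed Attempts" syslog export, not the real format: adapt FIELD_RE.
SAMPLE_LOGS = """\
Mar 18 09:10:01 acs01 FailedAuth: User-Name=jdoe,NAS-IP-Address=10.10.1.5,Authen-Failure-Code=Wrong password
Mar 18 09:10:07 acs01 FailedAuth: User-Name=jdoe,NAS-IP-Address=10.10.1.5,Authen-Failure-Code=Wrong password
Mar 18 09:10:12 acs01 FailedAuth: User-Name=jdoe,NAS-IP-Address=10.10.1.5,Authen-Failure-Code=Wrong password
Mar 18 09:10:15 acs01 FailedAuth: User-Name=laptop-22,NAS-IP-Address=10.50.0.2,Authen-Failure-Code=Wrong password
Mar 18 09:10:20 acs01 FailedAuth: User-Name=laptop-23,NAS-IP-Address=10.50.0.2,Authen-Failure-Code=Wrong password
Mar 18 09:11:02 acs01 FailedAuth: User-Name=admin,NAS-IP-Address=10.10.1.7,Authen-Failure-Code=Unknown user
"""

# Hypothetical inventory: NAS addresses of routers/switches that use TACACS+.
# Everything else (e.g. the wireless controller at 10.50.0.2) is ignored.
TACACS_DEVICES = {"10.10.1.5", "10.10.1.7"}

FIELD_RE = re.compile(r"([\w-]+)=([^,]*)")

def parse_failed_attempt(line):
    """Return a dict of key=value fields from one failed-auth line, or None."""
    if "FailedAuth" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    return fields if "NAS-IP-Address" in fields else None

def tacacs_failures(log_text, devices=TACACS_DEVICES):
    """Keep only failures whose NAS-IP-Address is a TACACS+ network device."""
    events = []
    for line in log_text.splitlines():
        ev = parse_failed_attempt(line)
        if ev and ev["NAS-IP-Address"] in devices:
            events.append(ev)
    return events

def failures_per_user_device(events):
    """Count (NAS-IP-Address, User-Name) pairs so repeated failures stand out."""
    return Counter((e["NAS-IP-Address"], e["User-Name"]) for e in events)

def alerts(log_text, threshold=3, devices=TACACS_DEVICES):
    """(NAS, user) pairs that reached the threshold, i.e. worth a notification."""
    counts = failures_per_user_device(tacacs_failures(log_text, devices))
    return sorted(k for k, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for nas, user in alerts(SAMPLE_LOGS):
        print(f"ALERT: {nas} user={user} failed logins >= 3")
```

The same split (device inventory as the filter key, threshold per device and user) is what a Splunk search or a MARS rule would express; the wireless controller's failures never reach the alert list.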

soldnermichael Wed, 03/18/2009 - 09:45

We currently use Orion.

I guess I was just hoping to keep it within that so we'd see the syslog come through, but using Splunk isn't a bad idea...

Jesse Wiener Wed, 03/18/2009 - 10:13

I hear ya.

I know that acs 5 is going to be a lot more policy based on how users authenticate and what policies get applied depending on their location, etc... Hopefully the logging will offer some of the same granularity.
