Am I missing something really simple? Is there a way to see the source of a failed login attempt in the authentication logs on an IronPort C150?
For instance: Wed Jan 6 10:57:39 2010 Info: User XXX failed authentication.
/* Style Definitions */
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
font-family:"Times New Roman";
Did you try to set the logging level of your authentication logs to "debug"?
I'm not sure if the source address is noted but it logs a terrible lot of info. (in my case: I could retrieve the used LDAP authentication queries from the log for further testing)