ACS 5.1 RADIUS authentication / AD pw failure -- missing MAC

Unanswered Question
Jul 22nd, 2010

I've (finally) moved us away from our old ACS 3.2 box, using a local identity store, to a shiny new ACS 5.1 backed by Active Directory.

We're using the ACS primarily to authenticate our wireless users.

On our first day with the new ACS in production, I'm seeing a large number of "24408 User authentication against  Active Directory failed since user has entered the wrong password" errors in the RADIUS authentication logs.

I expected this, as users gradually enter their AD creds for authentication.

One of the things that would help our Tech Support folks would be to find out which users/machines are still using old, stored creds.

RADIUS authentication logs, however, are not giving us a MAC (or IP) address to go with the 24408 errors.

We *are* logging MACs for successful authentications as well as things like "12511 Unexpectedly received TLS alert  message; treating as a rejection by the client" errors.

Have I not config'd something on our WiSM?  Am I not supposed to be seeing MACs for 24408 errors?

TIA!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
lomonaco Tue, 08/03/2010 - 05:16

Hello Mike,

   Take a look in the Calling-Station-ID Attribute...

   If this attribute is not showing in the Logs, try to put some conditional statement like calling-station-id=* to force this attribute be showed

   in the Radius Logs....

   My Best Regards,

     Andre Lomonaco

Mike Smith Wed, 08/11/2010 - 18:16

Apologies, Andre, but I'm not following you.

Specifically, I notice this issue in the canned "Authentications - RADIUS - Today" report on the standard dashboard.

If I dig into the Catalog and do a Query and Run on Radius Authentication, I get the same result (as expected).   I don't see a place to enter that type of conditional statement.

I'm a little puzzled why most, but not all, authentication error entries are not tagged with any identifying information.

The only devices using the ACS are a Wireless Services Module and a pair of 4402 Wireless LAN Controllers.

lomonaco Fri, 08/13/2010 - 08:30

Hi Mike,

     Try include the Radius Condition in the Service Selection Rules

     Access Policies -> Access Services -> Service Selection Rules

     Customize

     Compound Condition

     RADIUS-IETF:Called-Station-ID

     I think after that you will see this parameter in the Radius Today Logging

Actions

This Discussion

Related Content