While looking at the "Failed Authentication" report I have a log entry that occurs so frequently that it blocks out 'real' authentication failures. The log entry always includes the keywords "host/" (no quotes).
The ACS filter allows you to -include- only the log entries that match the RegEx expression, but -excluding- them doesn't seem as easy.
Any RegEx experts care to take a stab at an exclusion filter?
And yes, I know the better option is to stop the log entry from occurring in the first place, and/or export the reports as CSV and then filter the results in a more suitable application. Better yet, use aaa-reports from Extrati. I wanted to rule out the RegEx option first.
I've googled for "RegEx exclude" and most of the results require an intermediate-to-expert level knowledge of RegEx, and my experience begins and ends with '*' wildcards.
You can use ACS to filter CSV log reports. When you select a report type from the available reports types list, a report history (log) files list of the selected report type appears. After you select a specific CSV log file, and its contents appear, you can specify the filtering criteria. The filtering criteria are applied on the original log file, and only rows that match the criteria appear. Refer to the URL for more info.
Thanks for the reply. The "enable PEAP / EAP-TLS Machine Authentication" setting is already un-checked, however the client IS configured for machine auth. The error message in the "Failed Attempts" log says "Machine authentication is not permitted".
We're doing PEAP with user auth (not machine auth) for our wireless users (WinXP SP2), but there is no Active Directory Group Policy for wireless users, so I can't make changes en masse to the wireless config. (Well, there is, but your AD domain needs to be Windows 2003 Native, and NOT hybrid (e.g. with any Win2000 Domain Servers - all of your DCs need to be Win2k3)) When they manually config'd the wireless clients the desktop group erroneously left the 'authenticate as a machine' option checked in the wireless profile. I have 1000+ users configured at this point, so going back and manually fixing isn't an option. I have to wait for AD to be upgraded to Native mode (6+ months.)
This is why I was pursuing the RegEx filtering in ACS, but it seems that the only option is to export the ACS logs and then apply a filter.
Any other workarounds would be greatly appreciated.
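The export-then-filter workaround discussed in this thread, as an added example that is not part of any post above: it drops the "host/" machine-authentication rows from an exported Failed Attempts CSV and counts what remains per user. The column names and sample rows are constructed assumptions, and the negative-lookahead pattern is shown for Python's `re` only; whether the ACS filter field accepts lookaheads is not established here.

```python
import csv
import io
import re
from collections import Counter

# Negative lookahead: matches a string only when "host/" appears nowhere in it.
# Valid in Python's re module; support in the ACS filter box is NOT assumed.
EXCLUDE_HOST = re.compile(r"^(?!.*host/).*$")

# Constructed sample of an exported report. Column names and rows are assumptions,
# except the "Machine authentication is not permitted" message quoted in the thread.
SAMPLE_CSV = """Date,Time,User-Name,Authen-Failure-Code,NAS-IP-Address
01/15/2008,08:01:12,host/PC-0142.example.local,Machine authentication is not permitted,10.0.0.5
01/15/2008,08:01:40,jsmith,External DB password invalid,10.0.0.5
01/15/2008,08:02:03,host/PC-0217.example.local,Machine authentication is not permitted,10.0.0.6
01/15/2008,08:02:55,jsmith,External DB password invalid,10.0.0.5
01/15/2008,08:03:10,adoe,External DB user invalid or bad password,10.0.0.6
"""


def filter_failures(csv_text, user_col="User-Name"):
    """Return the rows whose user-name field does not contain 'host/'."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if EXCLUDE_HOST.match(row[user_col])]


def failures_by_user(rows, user_col="User-Name"):
    """Count the remaining failures per user so repeated failures stand out."""
    return Counter(row[user_col] for row in rows)


if __name__ == "__main__":
    kept = filter_failures(SAMPLE_CSV)
    print(f"{len(kept)} failures left after excluding host/ entries")
    for user, count in failures_by_user(kept).most_common():
        print(f"{count:4d}  {user}")
```

For a real export, pass the file's text to `filter_failures` and set `user_col` to the header name the report actually uses.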