Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4210
Views
0
Helpful
4
Replies

ACS 5.1 RADIUS authentication / AD pw failure -- missing MAC

Mike Smith
Level 1
Level 1

‎07-22-2010 03:19 PM - edited ‎03-10-2019 05:16 PM

I've (finally) moved us away from our old ACS 3.2 box, using a local identity store, to a shiny new ACS 5.1 backed by Active Directory.

We're using the ACS primarily to authenticate our wireless users.

On our first day with the new ACS in production, I'm seeing a large number of "24408 User authentication against  Active Directory failed since user has entered the wrong password" errors in the RADIUS authentication logs.

I expected this, as users gradually enter their AD creds for authentication.

One of the things that would help our Tech Support folks would be to find out which users/machines are still using old, stored creds.

RADIUS authentication logs, however, are not giving us a MAC (or IP) address to go with the 24408 errors.

We *are* logging MACs for successful authentications as well as things like "12511 Unexpectedly received TLS alert  message; treating as a rejection by the client" errors.

Have I not config'd something on our WiSM?  Am I not supposed to be seeing MACs for 24408 errors?

TIA!

Labels:
0 Helpful
4 Replies 4

lomonaco
Level 1
Level 1

‎08-03-2010 05:16 AM

Hello Mike,

   Take a look in the Calling-Station-ID Attribute...

   If this attribute is not showing in the Logs, try to put some conditional statement like calling-station-id=* to force this attribute be showed

   in the Radius Logs....

   My Best Regards,

     Andre Lomonaco

0 Helpful

Mike Smith
Level 1
Level 1
In response to lomonaco

‎08-11-2010 06:16 PM

Apologies, Andre, but I'm not following you.

Specifically, I notice this issue in the canned "Authentications - RADIUS - Today" report on the standard dashboard.

If I dig into the Catalog and do a Query and Run on Radius Authentication, I get the same result (as expected).   I don't see a place to enter that type of conditional statement.

I'm a little puzzled why most, but not all, authentication error entries are not tagged with any identifying information.

The only devices using the ACS are a Wireless Services Module and a pair of 4402 Wireless LAN Controllers.

0 Helpful

lomonaco
Level 1
Level 1
In response to Mike Smith

‎08-13-2010 08:30 AM

Hi Mike,

     Try include the Radius Condition in the Service Selection Rules

     Access Policies -> Access Services -> Service Selection Rules

     Customize

     Compound Condition

     RADIUS-IETF:Called-Station-ID

     I think after that you will see this parameter in the Radius Today Logging

0 Helpful

timd@comcast.net
Level 1
Level 1

‎10-29-2012 03:51 PM

ACS 5.x does not support wildcard certs.

0 Helpful
Customers Also Viewed These Support Documents