07-22-2010 03:19 PM - edited 03-10-2019 05:16 PM
I've (finally) moved us away from our old ACS 3.2 box, using a local identity store, to a shiny new ACS 5.1 backed by Active Directory.
We're using the ACS primarily to authenticate our wireless users.
On our first day with the new ACS in production, I'm seeing a large number of "24408 User authentication against Active Directory failed since user has entered the wrong password" errors in the RADIUS authentication logs.
I expected this, as users gradually enter their AD creds for authentication.
One of the things that would help our Tech Support folks would be to find out which users/machines are still using old, stored creds.
RADIUS authentication logs, however, are not giving us a MAC (or IP) address to go with the 24408 errors.
We *are* logging MACs for successful authentications as well as things like "12511 Unexpectedly received TLS alert message; treating as a rejection by the client" errors.
Have I not config'd something on our WiSM? Am I not supposed to be seeing MACs for 24408 errors?
TIA!
08-03-2010 05:16 AM
Hello Mike,
Take a look in the Calling-Station-ID Attribute...
If this attribute is not showing in the logs, try adding a conditional statement like calling-station-id=* to force this attribute to be shown in the RADIUS logs.
My Best Regards,
Andre Lomonaco
08-11-2010 06:16 PM
Apologies, Andre, but I'm not following you.
Specifically, I notice this issue in the canned "Authentications - RADIUS - Today" report on the standard dashboard.
If I dig into the Catalog and do a Query and Run on Radius Authentication, I get the same result (as expected). I don't see a place to enter that type of conditional statement.
I'm a little puzzled why most, but not all, authentication error entries are not tagged with any identifying information.
The only devices using the ACS are a Wireless Services Module and a pair of 4402 Wireless LAN Controllers.
08-13-2010 08:30 AM
Hi Mike,
Try including the RADIUS condition in the Service Selection Rules:
Access Policies -> Access Services -> Service Selection Rules
Customize
Compound Condition
RADIUS-IETF:Called-Station-ID
I think after that you will see this parameter in the RADIUS Today logging.
10-29-2012 03:51 PM
ACS 5.x does not support wildcard certs.