Cisco Support Community

ACS 5.1 RADIUS authentication / AD pw failure -- missing MAC

I've (finally) moved us away from our old ACS 3.2 box, using a local identity store, to a shiny new ACS 5.1 backed by Active Directory.

We're using the ACS primarily to authenticate our wireless users.

On our first day with the new ACS in production, I'm seeing a large number of "24408 User authentication against Active Directory failed since user has entered the wrong password" errors in the RADIUS authentication logs.

I expected this, as users gradually enter their AD creds for authentication.

One of the things that would help our Tech Support folks would be to find out which users/machines are still using old, stored creds.

RADIUS authentication logs, however, are not giving us a MAC (or IP) address to go with the 24408 errors.

We *are* logging MACs for successful authentications as well as things like "12511 Unexpectedly received TLS alert message; treating as a rejection by the client" errors.

Have I not config'd something on our WiSM?  Am I not supposed to be seeing MACs for 24408 errors?

TIA!
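One way to sift such logs for the Tech Support use case described above, as an added example that is not from this thread or from Cisco: the script parses constructed RADIUS authentication records in an assumed key=value layout (not ACS's exact syslog format), keeps only 24408 failures, and reports per user how many entries carried a Calling-Station-ID and how many did not.

```python
import re
from collections import defaultdict

# Constructed sample records in an assumed "key=value, key=value" layout.
# This is illustrative only; it is not ACS 5.x's exact syslog format.
SAMPLE_LOG = """\
2010-06-01 08:01:12 Passed-Authentication UserName=jdoe, Calling-Station-ID=00-1A-2B-3C-4D-5E, NAS-IP-Address=10.0.0.5
2010-06-01 08:01:15 Failed-Attempt UserName=asmith, FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password
2010-06-01 08:01:20 Failed-Attempt UserName=asmith, Calling-Station-ID=00-1A-2B-3C-4D-5F, FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password
2010-06-01 08:02:01 Failed-Attempt UserName=bwong, Calling-Station-ID=00-AA-BB-CC-DD-EE, FailureReason=12511 Unexpectedly received TLS alert message; treating as a rejection by the client
2010-06-01 08:02:30 Failed-Attempt UserName=asmith, FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password
"""

# "Key=value" pairs separated by commas; the value runs to the next comma.
FIELD_RE = re.compile(r"(?P<key>[A-Za-z-]+)=(?P<val>[^,]*)")


def parse_record(line):
    """Split one record into a dict of fields plus the numeric failure code (or None)."""
    fields = {m.group("key"): m.group("val").strip() for m in FIELD_RE.finditer(line)}
    code_match = re.match(r"(\d{5})\b", fields.get("FailureReason", ""))
    fields["FailureCode"] = code_match.group(1) if code_match else None
    return fields


def triage(log_text, code="24408"):
    """Group failures with the given code by user and track which ones carry a MAC."""
    report = defaultdict(lambda: {"failures": 0, "macs": set(), "missing_mac": 0})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("FailureCode") != code:
            continue  # ignore successes and other failure reasons
        entry = report[rec.get("UserName", "<unknown>")]
        entry["failures"] += 1
        mac = rec.get("Calling-Station-ID")
        if mac:
            entry["macs"].add(mac)
        else:
            entry["missing_mac"] += 1  # the gap the original post is asking about
    return dict(report)


if __name__ == "__main__":
    for user, info in sorted(triage(SAMPLE_LOG).items()):
        print(user, info["failures"], "failures;", info["missing_mac"],
              "without a MAC; MACs seen:", sorted(info["macs"]))
```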

Re: ACS 5.1 RADIUS authentication / AD pw failure -- missing MAC

Hello Mike,

Take a look in the Calling-Station-ID Attribute...

If this attribute is not showing in the Logs, try to put some conditional statement like calling-station-id=* to force this attribute to be shown in the Radius Logs....

My Best Regards,

Andre Lomonaco

Re: ACS 5.1 RADIUS authentication / AD pw failure -- missing MAC

Apologies, Andre, but I'm not following you.

Specifically, I notice this issue in the canned "Authentications - RADIUS - Today" report on the standard dashboard.

If I dig into the Catalog and do a Query and Run on Radius Authentication, I get the same result (as expected). I don't see a place to enter that type of conditional statement.

I'm a little puzzled why most, but not all, authentication error entries are not tagged with any identifying information.

The only devices using the ACS are a Wireless Services Module and a pair of 4402 Wireless LAN Controllers.

Re: ACS 5.1 RADIUS authentication / AD pw failure -- missing MAC

Hi Mike,

Try including the Radius Condition in the Service Selection Rules:

Access Policies -> Access Services -> Service Selection Rules

Customize

Compound Condition

RADIUS-IETF:Called-Station-ID

I think after that you will see this parameter in the Radius Today Logging.

ACS 5.1 RADIUS authentication / AD pw failure -- missing MAC

ACS 5.x does not support wildcard certs.