We are using ACS to authenticate wireless users. WLANs are set up for dot1x+CCKM, and the controllers pass the user auths to ACS. ACS is integrated with Windows AD for the pass/fail. Pretty standard setup, I believe. Nothing out of the ordinary.
Now for the part I'm not seeing. The domain controllers are logging to our Splunk collectors. If an AD account gets locked out due to authentication failures,
our admins look at the Splunk logs to try and determine which end station caused the lockout (they are shared accounts, many stations using the same account). The domain controller logs (in Splunk) do show the lockout condition, but the calling station is shown as the ACS. See attached picture for an example.
I hope to this point my explanation is clear. Now for my question. Is it possible within ACS to pass the calling-station-ID attribute into AD, so that the domain controllers will log this as the end station and not ACS? Within the ACS logs, it's really easy to see the end station mac address (calling-station-ID), and if there is a way to pass this into AD and have the domain controller show it, that would be a great help for troubleshooting. We are getting asked about this, and what has been suggested is to either:
a - set up an external syslog collector (Splunk) and send the authentication logs to it (do a per-instance filter to send only authentication messages to Splunk), or
b - set up an admin login in ACS with only permissions to look at logs, and have them search for the account lockout messages.
While I'm not against doing that, it seems to me that if there is a way to include the calling-station-ID, then it would show up in the current logs and nothing more would need to be done; all the necessary info would be in the domain controller log.
Does what I am asking make sense? I have not pored through all the documentation as of yet, and I will look it up for myself. I guess I just want to know if this is doable, with maybe a pointer to the relevant documentation. I think I've explained this the best I can; if it's still a bit nebulous I can try again.
I believe ACS should pass the calling-station-ID attribute into AD: for this we can use the radius-server attribute 31 send nas-port-detail command on Cisco IOS Software Release 15.x in order to enable sending the attribute.