ACS 5.4 and windows AD (calling station ID)

We are using ACS to authenticate wireless users. WLANs are set up for dot1x+CCKM, and the controllers pass the user auths to ACS. ACS is integrated with Windows AD for the pass/fail. Pretty standard setup, I believe. Nothing out of the ordinary.

Now for the part I'm not seeing. The domain controllers are logging to our Splunk collectors. If an AD account gets locked out due to authentication failures, our admins look at the Splunk logs to try and determine which end station caused the lockout (they are shared accounts, many stations using the same account). The domain controller logs (in Splunk) do show the lockout condition, but the calling station is shown as the ACS. See attached picture for an example.

I hope to this point my explanation is clear. Now for my question. Is it possible within ACS to pass the Calling-Station-ID attribute into AD, so that the domain controllers will log this as the end station and not ACS? Within the ACS logs, it's really easy to see the end station MAC address (Calling-Station-ID), and if there is a way to pass this into AD and have the domain controller show it, that would be a great help for troubleshooting. We are getting asked about this, and what has been suggested is to either:

a - set up an external syslog collector (Splunk) and send the authentication logs to it (do a per-instance filter to send only authentication messages to Splunk), or

b - set up an admin login in ACS with only permissions to look at logs, and have them search for the account lockout messages.

While I'm not against doing that, it seems to me that if there is a way to include the Calling-Station-ID, then it would show up in the current logs, and nothing more would need to be done; all the necessary info would be in the domain controller log.

Does what I am asking make sense? I have not pored through all the documentation as of yet, and I will look it up for myself. I guess I just want to know if this is doable, with maybe a pointer to the relevant documentation. I think I've explained this the best I can; if it's still a bit nebulous I can try again.

Thanks for any help/tips - chris
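If option (a) is taken and the ACS failed-attempt records land in the same collector as the domain controller events, the correlation the admins do by hand can be scripted: take each Windows 4740 lockout, pull the ACS failures for that user in the preceding window, and count them by Calling-Station-ID. This is an added example, not code from the original post or from Cisco; the log lines are constructed, and the ACS key=value layout and field names (UserName, Calling-Station-ID) are a simplified assumption, so the regex must be adapted to the real ACS 5.x syslog format.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data, not real logs. The ACS lines use a simplified
# key=value layout; real ACS 5.x syslog fields differ, so adapt ACS_RE.
ACS_LOG = """\
2013-02-11 09:58:02 ACS01 Failed_Attempts UserName=svc-scan,Calling-Station-ID=00-11-22-33-44-55
2013-02-11 09:58:30 ACS01 Failed_Attempts UserName=svc-scan,Calling-Station-ID=00-11-22-33-44-55
2013-02-11 09:59:10 ACS01 Failed_Attempts UserName=svc-scan,Calling-Station-ID=AA-BB-CC-DD-EE-FF
2013-02-11 09:59:40 ACS01 Failed_Attempts UserName=svc-scan,Calling-Station-ID=00-11-22-33-44-55
2013-02-11 08:00:00 ACS01 Failed_Attempts UserName=svc-scan,Calling-Station-ID=66-77-88-99-AA-BB
"""
# Constructed Windows DC lockout event (Event ID 4740), flattened to one line.
DC_LOG = "2013-02-11 10:00:05 DC01 EventID=4740 TargetUserName=svc-scan CallerComputerName=ACS01\n"

ACS_RE = re.compile(r"^(\S+ \S+) \S+ \S+ UserName=([^,]+),Calling-Station-ID=(\S+)")
DC_RE = re.compile(r"^(\S+ \S+) \S+ EventID=4740 TargetUserName=(\S+)")
FMT = "%Y-%m-%d %H:%M:%S"


def parse_acs_failures(text):
    """Yield (timestamp, user, calling_station_id) per ACS failed attempt."""
    for line in text.splitlines():
        m = ACS_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), FMT), m.group(2), m.group(3)


def parse_dc_lockouts(text):
    """Yield (timestamp, user) per Windows 4740 lockout event."""
    for line in text.splitlines():
        m = DC_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), FMT), m.group(2)


def attribute_lockouts(acs_text, dc_text, window_minutes=30):
    """Map each lockout (time, user) to a Counter of Calling-Station-IDs that
    failed for that user in the window before it; the top entry is the
    likely culprit, and older failures outside the window are ignored."""
    failures = list(parse_acs_failures(acs_text))
    result = {}
    for when, user in parse_dc_lockouts(dc_text):
        start = when - timedelta(minutes=window_minutes)
        result[(when, user)] = Counter(
            csid for t, u, csid in failures if u == user and start <= t <= when)
    return result
```

The window should be tuned to the AD lockout observation window, since failures older than that do not count toward the lockout threshold.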

1 REPLY


I believe ACS should pass the Calling-Station-ID attribute into AD: for this we can use the radius-server attribute 31 send nas-port-detail command on Cisco IOS Software Release 15.x in order to enable sending the attribute.

I have found a related doc:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/UsrDb.html#wp354105
