Cisco Support Community
Community Member

CALLER-ID not displayed in Failed Attempts ACS logs when RADIUS is used

Under the 'Failed Attempts' log section of ACS, why is it that when people authenticate via RADIUS, caller-id info does not get captured? This is the case for the VPN3000 and WAPs. All my other devices, which use TACACS, have no problems.

1 REPLY
Cisco Employee

Re: CALLER-ID not displayed in Failed Attempts ACS logs when RAD

This is more a matter of the devices that use RADIUS (your 3000 and WAP) not sending that particular attribute in their access-request packets.

I just checked on a 3000 and it sends the user's IP address as attribute 66, the Tunnel-Client-Endpoint (http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt6/scdradat.htm#xtocid4), which conforms to the standard; it's just a different way of doing it than IOS routers.

For the 3000, you can set up Radius Accounting by going under Config - System - Servers - Accounting and adding in your ACS server. Then on the ACS server go under System Config - Logging - Radius Accounting, and add the Tunnel-Client-Endpoint to the Logged Attributes column. Now when people connect to your 3000 it'll send accounting packets, and you can look at the Radius Accounting log on the ACS server to see their IP address. Of course, this'll only show you successful connections, not failed attempts, but unfortunately there's no way within ACS to get the Tunnel-Client-Endpoint attribute included in the Failed Attempts or the Passed Authentications log.

I'm no WAP expert, but it may do a similar thing to the 3000.
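To make the reply's point concrete, here is an added example (not code from the thread or from Cisco) that walks the attribute list of a RADIUS Access-Request and reports which caller-identifying attribute is present: Calling-Station-Id (type 31), which is the attribute a caller-id log column is normally fed from, versus Tunnel-Client-Endpoint (type 66), which the reply says the VPN 3000 uses instead. The two packets are constructed inline for illustration, not captured from real devices; the attribute type codes are the standard ones from RFC 2865 and RFC 2868.

```python
"""Inspect which caller-identifying attributes a RADIUS request carries.

Added example for the ACS 'Failed Attempts' thread; not Cisco or ACS code.
All packet bytes below are constructed for illustration.
"""
import struct

# Standard RADIUS attribute type codes (RFC 2865 / RFC 2868).
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31       # the attribute a caller-id log column expects
TUNNEL_CLIENT_ENDPOINT = 66   # what the reply says the VPN 3000 sends instead

RADIUS_HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)
ACCESS_REQUEST = 1


def parse_attributes(packet: bytes) -> dict:
    """Return {type_code: [raw_value_bytes, ...]} for one RADIUS packet.

    Length fields are validated so a truncated or padded packet raises
    ValueError instead of being silently misparsed.
    """
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"header length {length} != actual {len(packet)}")
    attrs: dict = {}
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("dangling attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # Attribute length counts the type and length octets themselves.
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute length {a_len} at offset {pos}")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def tunnel_client_endpoint(attrs: dict) -> list:
    """Decode Tunnel-Client-Endpoint values.

    Per RFC 2868 a leading octet in 0x00-0x1F is a tunnel tag, not part of
    the endpoint string, so it is stripped before decoding.
    """
    out = []
    for raw in attrs.get(TUNNEL_CLIENT_ENDPOINT, []):
        if raw and raw[0] <= 0x1F:
            raw = raw[1:]
        out.append(raw.decode("ascii", errors="replace"))
    return out


def caller_identity(packet: bytes) -> dict:
    """Summarise the two caller-identifying attributes of a request."""
    attrs = parse_attributes(packet)
    return {
        "calling_station_id": [
            v.decode("ascii", errors="replace")
            for v in attrs.get(CALLING_STATION_ID, [])
        ],
        "tunnel_client_endpoint": tunnel_client_endpoint(attrs),
    }


def build_access_request(attributes) -> bytes:
    """Assemble an Access-Request for the demo.

    The 16-byte Request Authenticator is zeroed here; a real NAS fills it
    with random data, which this illustration does not need.
    """
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, 7, RADIUS_HEADER_LEN + len(body))
    return header + bytes(16) + body


# Constructed sample: VPN 3000 style, client address carried in attribute 66
# (tag octet 0x00 followed by the address string), no Calling-Station-Id.
VPN3000_STYLE = build_access_request([
    (USER_NAME, b"jdoe"),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
    (TUNNEL_CLIENT_ENDPOINT, b"\x00" + b"198.51.100.23"),
])

# Constructed sample: IOS style, same address in Calling-Station-Id.
IOS_STYLE = build_access_request([
    (USER_NAME, b"jdoe"),
    (CALLING_STATION_ID, b"198.51.100.23"),
])

if __name__ == "__main__":
    print("VPN 3000 style:", caller_identity(VPN3000_STYLE))
    print("IOS style:     ", caller_identity(IOS_STYLE))
```

Running it against the two constructed packets shows why the log column stays empty for the RADIUS devices: the address is there, just under type 66 rather than type 31, and a log that only reads Calling-Station-Id has nothing to display. The same parser is a reasonable starting point for checking a captured Access-Request from any NAS before assuming the server is dropping the value.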
