CALLER-ID not displayed in Failed Attempts ACS logs when RADIUS is used

zabbas
Level 1

Under the 'Failed Attempts' log section of ACS, why is it that when people authenticate via RADIUS, caller-ID info does not get captured? This example is true for the VPN3000 and WAPs. All my other devices, which use TACACS, have no problems.

1 Reply

gfullage
Cisco Employee

This is more that the devices that use Radius (your 3000 and WAP) don't send that particular attribute in their access request packets.

I just checked on a 3000 and it sends the user's IP address as attribute 66, the Tunnel-Client-Endpoint (http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt6/scdradat.htm#xtocid4), which conforms to the standard; it's just a different way of doing it than IOS routers.

For the 3000, you can set up Radius Accounting by going under Config - System - Servers - Accounting and adding in your ACS server. Then on the ACS server go under System Config - Logging - Radius Accounting, and add the Tunnel-Client-Endpoint to the Logged Attributes column. Now when people connect to your 3000 it'll send accounting packets, and you can look at the Radius Accounting log on the ACS server to see their IP address. Of course, this'll only show you successful connections, not failed attempts, but unfortunately there's no way within ACS to get the Tunnel-Client-Endpoint attribute included in the Failed Attempts or the Passed Authentications log.

I'm no WAP expert, but it may do a similar thing to the 3000.
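Added example, not from this thread and not Cisco code: a small RADIUS attribute parser that shows the difference the reply describes. It decodes the attribute list of an Access-Request and reports whether the caller's address arrived as Calling-Station-Id (attribute 31) or as Tunnel-Client-Endpoint (attribute 66, with the optional RFC 2868 tag byte stripped). It assumes the ACS Caller-ID column is filled only from attribute 31; the two sample packets are constructed here with a zero authenticator.

```python
"""Decode RADIUS attributes and find where a client's address is carried."""
import struct
from typing import Dict, List, Optional, Tuple

# Attribute numbers from RFC 2865 (31) and RFC 2868 (66).
CALLING_STATION_ID = 31
TUNNEL_CLIENT_ENDPOINT = 66


def parse_radius(packet: bytes) -> Dict[int, List[bytes]]:
    """Return {attr_type: [raw values]} from a RADIUS packet.
    Header layout: Code(1) Identifier(1) Length(2) Authenticator(16)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def tunnel_string(value: bytes) -> str:
    """Strip the optional RFC 2868 tag octet (0x00..0x1F) from a tunnel attribute."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii", "replace")


def client_address(attrs: Dict[int, List[bytes]]) -> Optional[Tuple[str, str]]:
    """Report which attribute carried the caller's address (assumption: ACS
    Caller-ID comes only from Calling-Station-Id, so 66 never reaches that column)."""
    if CALLING_STATION_ID in attrs:
        return ("Calling-Station-Id", attrs[CALLING_STATION_ID][0].decode("ascii", "replace"))
    if TUNNEL_CLIENT_ENDPOINT in attrs:
        return ("Tunnel-Client-Endpoint", tunnel_string(attrs[TUNNEL_CLIENT_ENDPOINT][0]))
    return None


def build_access_request(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed Access-Request (code 1) with a zero authenticator, for testing only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + b"\x00" * 16 + body


# Constructed samples: router-style packet vs. VPN 3000-style packet (tag byte 0x00).
ROUTER_STYLE = build_access_request([(1, b"alice"), (31, b"192.0.2.10")])
VPN3000_STYLE = build_access_request([(1, b"alice"), (66, b"\x00192.0.2.10")])
```

Running `client_address(parse_radius(...))` on both samples returns the same address under two different attribute names, which is exactly why the Caller-ID column is empty for the devices that use attribute 66.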