Cisco Support Community
Community Member

Find occurances of ACS log event during authentication (specifically 24423)


We are currently running ACS 5.4 for 802.1x authentication and everything is functioning well.  We authenticate by computer & user, but currently machine authentication is not enforced for user authentication.  This results in the occasional situation where someone with an 802.1x enabled device can still gain access to the network by entering their user credentials when prompted for authentication.

I realize that we can set "was machine authenticated= true" in the policy to close this hole, but before we do I would like to find out how often this is happening, and by whom.  There is an event ID when this happens (24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory) but I can't seem to be able to search for just this ID using the monitoring & reports viewer.

Is there a way to search the ACS logs for the event ID so I can get more information on how often this is occuring and by whom?  Or is there some other way to find how often this is happening?



MAR only occurs when the

MAR only occurs when the machine first boots up. During boot time the machine sends its credentials to ACS and ACS retains them based on the MAR timer that you have set. Try rebooting the machine and see if that error message goes away.

Community Member

 Thanks for your response.


Thanks for your response.  My issue isn't the reason why this is error is occuring, I understand why it is, and how to resolve it.  

The answer that I am looking for is how do I find the frequency that this entry appears in the ACS logs.  Ultimately I want to determine the associated user and how often they are authenticating with just their user account.  I can't seem to be able to search on this log ID (24423) in the ACS log & reports viewer though.  Is there a way to search against the raw database for this information?

I hope this clarifies the information that I am looking for.  Thanks for any assistance that you can provide.

Cisco Employee

Have you tried to run a query

Have you tried to run a query under Monitoring & Reports > Reports > Catalog > Failure Reason.
there are 3 options.
Let me know if that helps.
Jatin Katyal
*Do rate helpful posts*
~Jatin Katyal
CreatePlease to create content