Find occurrences of ACS log event during authentication (specifically 24423)
We are currently running ACS 5.4 for 802.1x authentication and everything is functioning well. We authenticate by computer & user, but currently machine authentication is not enforced for user authentication. This results in the occasional situation where someone with an 802.1x enabled device can still gain access to the network by entering their user credentials when prompted for authentication.
I realize that we can set "was machine authenticated= true" in the policy to close this hole, but before we do I would like to find out how often this is happening, and by whom. There is an event ID when this happens (24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory) but I can't seem to be able to search for just this ID using the monitoring & reports viewer.
Is there a way to search the ACS logs for the event ID so I can get more information on how often this is occurring and by whom? Or is there some other way to find how often this is happening?
MAR only occurs when the machine first boots up. During boot time the machine sends its credentials to ACS and ACS retains them based on the MAR timer that you have set. Try rebooting the machine and see if that error message goes away.
Thanks for your response. My issue isn't the reason why this error is occurring; I understand why it is, and how to resolve it.
The answer that I am looking for is how do I find the frequency that this entry appears in the ACS logs. Ultimately I want to determine the associated user and how often they are authenticating with just their user account. I can't seem to be able to search on this log ID (24423) in the ACS log & reports viewer though. Is there a way to search against the raw database for this information?
I hope this clarifies the information that I am looking for. Thanks for any assistance that you can provide.