I currently have a 4507 switch running 122-25.EWA4. I have enabled the login on-failure command for syslog and traps. When a failed login occurs I see it in the syslog just fine, but I never see a trap generated. I know traps are working for other commands on the switch (i.e. running config viewed).
```
login on-success log
```

```
A default login delay of 1 seconds is applied.
Quiet-Mode access list 25 is applied.
All successful login is logged.
All failed login is logged and generate SNMP traps.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 30 seconds or less,
logins will be disabled for 120 seconds.
Router presently in Normal-Mode.
Current Watch Window remaining time 21 seconds.
Present login failure count 0.
```

```
278250: May 14 16:33:15.602: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: JoeUser] [Source: 192.168.1.1] [localport: 22] [Reason: Login Authentication Failed] at 16:33:15 East_US Mon May
```
It seems the traps are never generated on login on-success and login on-failure. I have seen this issue many times, and the only workaround that seems to be available is to use syslog and then use the syslog trap to forward it as an SNMP trap.
It seems that, currently, SNMP traps are not supported by IOS, for which the above enhancement defect had been raised.
The login on-failure command you are trying to use is for logging to syslog and is not supported for SNMP traps. As a possible workaround, you can use that and then enable syslog traps to be notified when a login failure occurs.
Also, the correct syntax is "login on-failure log", and it must be preceded by a login block-for command to enable the login functionality. Please see the following document for more details and for instructions on syslog logging of failed logins:
As a final confirmation from the enhancement team, this feature (SNMP traps for login failures) is not available in IOS, and the command which indicates the functionality will be removed in all future releases. The documentation will also be corrected appropriately.
For clarity, I thought the OP was saying the syslog-to-snmptrap part (a la the "snmp-server enable traps syslog" line) does not appear to generate traps concerning SEC_LOGIN-4-LOGIN_FAILED. That syslog-to-snmptrap part should work in IOS though, since another user has gotten it working before (https://supportforums.cisco.com/thread/2062890).
Do you have "logging history #" configured? Given https://supportforums.cisco.com/thread/2062890, I figure you would not get snmp traps about SEC_LOGIN-4-LOGIN_FAILED if you have "logging history [1/2/3]" configured. However, the default "logging history 4" should be fine.
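Putting the replies above together (login block-for as a prerequisite, "login on-failure log" instead of the trap keyword, a logging history level that includes severity 4, and syslog-to-trap forwarding), here is an added example configuration that is not from the original thread or from Cisco's documentation. The ACL number 25 matches the OP's "show login" output; the manager address 192.0.2.10 and the community string are placeholders.

```cisco
! --- Setting that does NOT produce a trap on this IOS (per the replies above) ---
! The "trap" keyword of "login on-failure" is listed in the CLI but the feature is
! not implemented and is slated for removal, so do not rely on it.
!
! --- Working path: log the failure to syslog, then forward syslog as an SNMP trap ---
!
! "login block-for" enables the login-enhancement feature; "login on-failure" is
! rejected without it. Values mirror the OP's "show login": 5 failures in 30 s
! disables logins for 120 s.
login block-for 120 attempts 5 within 30
! Hosts permitted by ACL 25 may still log in while the switch is in quiet mode.
login quiet-mode access-class 25
login delay 1
login on-failure log
login on-success log
!
! Syslog traps are generated from the logging history buffer, so its level must
! include severity 4 (SEC_LOGIN-4-LOGIN_FAILED). "warnings" (= 4) is the default;
! setting it to 1, 2 or 3 silently drops these messages from the trap path.
logging history warnings
logging history size 200
!
! Convert buffered syslog messages into SNMP traps and send them to the manager
! (192.0.2.10 and the community string are placeholders).
snmp-server enable traps syslog
snmp-server host 192.0.2.10 version 2c PLACEHOLDER-COMMUNITY syslog
```

To verify, trigger one failed login and check that `show logging history` lists the SEC_LOGIN-4-LOGIN_FAILED entry and that the trap counter in `show snmp` increments; if the history table shows the entry but no trap leaves the switch, the `snmp-server host` line (or reachability to the manager) is the next thing to check.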
Hi yjdabear, thank you for your replies. I do have logging history set to level 4. I am still not seeing traps generated even using the 'syslog method' for the login failures. Here is a snippet of my logging: