Cisco Support Community
New Member

ACS / Tacacs and Failed Attempts

In our aaa implementation we use tacacs with the local db as backup. Well, I'm trying to harden security. I know IOS has this nice little command:

“login on-failure log every x”

This would be great so we could at least see the syslog message and have an idea if someone is trying to get into a piece of our equipment without having to try and watch the "Failed Attempts" report in ACS - but given we are using TACACS, the only way this will throw a message is if ACS isn't available.

I'd like to know if there is a way for ACS to give us this information. Or, to get syslog messages to get thrown.

Thanks!

6 REPLIES
New Member

Re: ACS / Tacacs and Failed Attempts

New Member

Re: ACS / Tacacs and Failed Attempts

Yep - I was just hoping for some more granularity since all of our wireless devices enterprise-wide authenticate against ACS. I only want to know about the failed tacacs attempts.

New Member

Re: ACS / Tacacs and Failed Attempts

So you only want to see syslog messages for TACACS failures, not for wireless auth failures. I am not sure how you would do that from ACS.

If it were me I would use a Splunk syslog server and send all of the failures to it. Then in Splunk I would set up a filter to only display the NAS-IP-Addresses that I was interested in.

Or if I had MARS I would set up a rule in that to look for login failures on those devices to trigger a notification.

What is your syslog server now?
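The filtering idea in the reply above, sketched in Python as an added example (not code posted by anyone in this thread): forward every failed attempt to one place, keep only records whose NAS-IP-Address belongs to a managed network device, and flag repeated failures. The key=value log layout, the `Failed-Attempts` tag, the field names other than NAS-IP-Address, the subnet and the threshold are all assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: management subnet(s) of the routers/switches that log in via TACACS+.
DEVICE_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample lines; this layout is an assumption, not the real ACS format.
SAMPLE = [
    "Jan 12 09:01:11 acs01 Failed-Attempts: User-Name=admin,NAS-IP-Address=10.10.0.5",
    "Jan 12 09:01:19 acs01 Failed-Attempts: User-Name=admin,NAS-IP-Address=10.10.0.5",
    "Jan 12 09:01:20 acs01 Failed-Attempts: User-Name=jdoe,NAS-IP-Address=172.16.40.2",
    "Jan 12 09:01:31 acs01 Failed-Attempts: User-Name=admin,NAS-IP-Address=10.10.0.5",
    "Jan 12 09:02:02 acs01 Passed-Authentications: User-Name=ops,NAS-IP-Address=10.10.0.5",
    "Jan 12 09:02:40 acs01 Failed-Attempts: User-Name=ops,NAS-IP-Address=10.10.0.9",
    "Jan 12 09:03:05 acs01 Failed-Attempts: User-Name=x,NAS-IP-Address=10.10.0.999",
]

PAIR = re.compile(r"([A-Za-z-]+)=([^,\s]*)")


def device_failures(lines, nets=DEVICE_NETS):
    """Return the parsed failure records that came from a managed device."""
    kept = []
    for line in lines:
        if "Failed-Attempts" not in line:
            continue  # passed authentications and unrelated syslog
        fields = dict(PAIR.findall(line))
        try:
            nas = ipaddress.ip_address(fields.get("NAS-IP-Address", ""))
        except ValueError:
            continue  # missing or malformed address: cannot attribute it
        if any(nas in net for net in nets):
            kept.append(fields)
    return kept


def repeated(events, threshold=3):
    """Return {(nas, user): count} for pairs at or above the threshold."""
    counts = Counter((e["NAS-IP-Address"], e.get("User-Name", "?")) for e in events)
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = device_failures(SAMPLE)
    print(len(events), "device login failures")
    for (nas, user), n in repeated(events).items():
        print(f"ALERT: {n} failed logins for {user} on {nas}")
```

Matching on subnets rather than single addresses keeps the wireless controllers out of the result without maintaining a per-device list.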

New Member

Re: ACS / Tacacs and Failed Attempts

We currently use Orion.

I guess I was just hoping to keep it within that so we'd see the syslog come through, but using Splunk isn't a bad idea...

New Member

Re: ACS / Tacacs and Failed Attempts

I hear ya.

I know that ACS 5 is going to be a lot more policy based on how users authenticate and what policies get applied depending on their location, etc... Hopefully the logging will offer some of the same granularity.

-Jesse

New Member

Re: ACS / Tacacs and Failed Attempts

Guess I'm stuck then.
