Locating failed wireless login attempts and which access point they're hitting
We have a cisco 5508 WLC with about 190 access points. They use Cisco Secure ACS to authenticate Microsoft Active Directory logins. We sometimes get non-normal accounts attempting to login to our wireless but are unable to figure out which access point they're hitting.
When I look at the failed attempts in our Cisco Secure ACS 5.5 Radius Authentications report, I don't see an IP address, just the MAC address of the failing device. Is their a way to configure either the WLC or the ACS box to report either the IP address or MAC address of the access point they're connecting to?
If you look at the details of a particular authentication attempt you will see "Called-Station-ID=" which will be followed by the mac address of the radio interface of of the AP the client connected to followed by the ssid they connected to. It's in the 'Other Attributes' section.
Transferring Crash file from standby: Login to the Active WLC in HA.
From CLI: (Cisco Controller) >transfer upload datatype crash (Cisco
Controller) >transfer upload filename (Cisco
Controller) >transfer upload mode tftp (Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark
and OmniPeek. The 1st installment is a table of advanced filters. More
filters will be added as time allows. It is a living doc, so check back
for changes every so often Please feel f...