AAA/Identity/Nac :: ACS V5.1 View Not Showing Full Admin Logs?
May 18, 2011
I am having trouble viewing all the Administration logs in ACS View. I have my Local Log Target set to a Maximum log retention period of 90 days. In ACS View I can display authentications that go back 90 days+. However, when I try to display the "ACS_Configuration_Audit" in View and perform a Custom query that goes back 90 days, it will only display about 35 days of Admin logs. I know the logs are there because when I go into the CLI and do a search like show logging | i "ObjectType=Administrator Account", the Administration logs go back over a year. Why can't ACS View display all the Admin logs? The ACS is running v5.1.0.44 Patch 6 (also experiencing this in a v5.2 ACS as well).
We recently had to rebuild our ACS server. Now when we have an 802.1x authentication failure and look at the RADIUS logs for the specific user, it does not show us the MAC address of the device the user tried to login with. We use this all the time because users have PDAs and other mobile devices that they save their passwords on. Then when they change their domain password on their laptop, they don't change it on their PDA which then tries to authenticate them using the wrong password and eventually locks them out. We need to see the MAC address so we can pinpoint which device is causing the lockout. The report I am generating is when you go to this location: Monitoring & Reports > ... > Reports > Catalog > User > User_Authentication_Summary
view a history of IPs that have connected to my computer. Specifically those that accessed my computer through a remote desktop connection? I believe I can check and see the ip while someone is connected but not after they disconnected.
I have a Wireless LAN Controller 4402 and WCS 7.0, and I have a few MAC addresses that are "disabled" due to policy violations. How can I view a log or a report that will show me if these MAC addresses are still attempting to connect?
As I've seen in my Linksys' admin panel, I have a log option (Administration/Log). So if I enable it, can I check which sites were browsed in my home network? And the second question: if Linksys can store the browsed sites history and I use a VPN connection on my PC or iPhone (not router!), will the logs still look like before setting up the VPN on the PC? So like: [URL] not like: [URL]?
Now, I use a Catalyst WS-C3750G-12S-S as a BGP router. But it is a switch and does not support AS numbers higher than 65535 (32-bit ASN). In future, I plan to use two or three ISPs (each will be connected through a 1Gb uplink). I need a router that will support 32-bit AS numbers and work with two or three full-view BGP tables. I am looking at the Cisco 3900 series and the ASR1002F.
We have below queries regarding new version of ACS 5.3.
a) Is it possible to view real time logs for AAA clients and for ACS administrator?
b) Is it possible to track each and every change record for ACS Administrators and sessions in ACS, e.g. addition and deletion of commands in command sets? As of now, we are able to see that the config has been changed by an ACS admin, but we are not able to see which commands were changed (added or removed).
c) As per user guide of ACS 5.3, we have an option for creating customized reports but unfortunately we are not able to see same option in ACS 5.3 GUI. Need confirmation on the same.
d) Is it possible to do configuration changes for ACS via Command line.
We have a Cisco 4404 WLC and about 70 Cisco 1131 APs. I am very new to the Cisco WLC and I need to know how to view its AP registration and unregistration logs. We have an AP that has unregistered and we can't seem to find what switchport it was attached to. It would be useful to know the IP address and ideally any CDP information it had. Unfortunately you can only view this information in the WLC if the AP is registered, but at this point it is not.
I've noticed in the mornings lately when I get up around 6 am my internet will not work. Not on wireless or on my desktop. I decided I'd log into the router to see if there was a firmware update or anything. I had checked the logs and there are quite a few entries relating to DoS. I googled around and saw that it could be some sort of packet loss and the router is mistaking it for some sort of DoS attack. And that due to it not showing up multiple times every second it likely isn't a DoS attack. Here is a few from the logs:
I'm standing beside my wireless access point with my laptop. It shows full signal in my laptop but I cannot connect to internet. I clicked on the view available networks and then the SSID names, typed my network key, and clicked "connect". It keeps on connecting, connecting and finally disappears and WAN connection remains with crossed mark. But it shows full signal in laptop and I'm standing beside the WAP.
OK, so just mooching around in the pages of my switch, a 24 port switch and it has in the logs:
268  Info  May 15 22:43:51  NIM  Interface 26 is Link Down
269  Info  May 15 22:43:51  NIM  Interface 26 is Link Down
270  Info  May 15 22:43:51  NIM  event(39),intf(26),component(2), on non-existent interface
Now, correct me if I'm wrong but my switch only has 24 ports and two of those (23 and 24) are dual personality jobbies!? Where the hell is port 26? Where did it come from? And why did it need to show up only for the switch to realise that it doesn't really exist?
We’ve got a lot of ASA appliances (around 30, 5505/5510/5520) and we never had this problem until the use of the new image software ASA 8.4(1) and ASDM 6.4(1). So, my problem is located on two ASA 5520s in active/passive failover with ASA image 8.4(1) and ASDM image 6.4(1).
My problem is that our appliance doesn’t show any logs when an ACL denies a packet. Even when I specify a specific “deny ACL” with a specific logging condition, the ASDM and SSH buffer logging are empty, but the counters of the ACL increment.
I have a Linksys E4500 and I would like to be able to see the websites visited vs. IP address. Is there a way to enable this or achieve it via parental controls? Again, I do not want to block a website but monitor which websites are visited. Is this achievable via the router, or is additional software/hardware required to be used with the router?
I am facing a kind of weird problem!! My Sony Vaio was getting connected to my home Wi-Fi network and I could access the Internet without any problem. It's been a few days now that I can't access the Internet though it shows connected. It does connect to the Wi-Fi without any issue and even shows the full signal like before, but actually there's no Internet access. No browsers (IE, Chrome, FF) load any webpage, no messengers work.
My router has all the lights on that it's always had. I use the Wi-Fi for my iPhone, iPod, and laptop. On all of them I'm able to search and find my connection and connect to it, but it shows I'm connected with full signal and my internet just won't work. I can't connect to the internet on any of the devices. Also, if I connect the ethernet from my modem to my router and then my router's ethernet to my PC, my PC's internet won't work.
I have an issue on an ASA 5510 that I have noticed today, when I am using the log viewer all of the information recorded only shows the high end source and destination ports. For example
Source IP 10.10.4.69 Source Port 59886
Destination IP 8.8.8.8 Destination Port 59866
So what seems to be happening is that I am seeing only half of the connection in the log viewer, I see the side with the high end ports and not the side with the ports the application uses, this example was done with a ping. All my services are working correctly and the client sending the ping gets the response expected, it just seems I have lost the logging display?
Trying to create a wi fi zone in my apartment from my Virgin cable installation. Following their instructions on how to do this I can't succeed as the "view available Wireless networks" option does not appear on Windows XP
Have installed a TP-Link TL-WN722N wireless USB adapter. O/S is Win XP SP3. No options are showing for Wireless networks under Network Connections. Wireless Zero Configuration is on. When I run a QSS app I can see neighbours' networks but not my own (my equipment doesn't support QSS), so the card and driver are working.
I volunteer at a school who just purchased two 48 port SGE2010 managed switches. I am not a big fan of the web gui and was hoping to see the standard Cisco command prompt instead of the menu-type interface.
Is there a way to view the MAC table showing which MAC address is plugged into which port on the switch? I have been fighting with the menu and the gui for a while now and do not see this anywhere.
I have 3 ACS servers placed throughout N. America. I have it set up so that ACS01 is primary and ACS02 and ACS03 are secondary. When I look at the logs for passed/failed authentications in RADIUS or TACACS I cannot see anything from ACS03 logging. This is weird because just a few weeks ago it worked perfectly. In fact, ACS03 is the most active server since this site is using it for wireless phones and TACACS and the other 2 are just using ACS for wireless networking. I went through the log settings and every server is set up the same as the others (except the primary) so it should be logging ACS03 the exact same as 01 and 02. Anyway, it seems like a small problem but I need the logs to work correctly to properly administrate security.
We are running ACS 4.1 on Windows 2003 server. The disk filled completely up with years of log files. We have freed up space but now none of the services will start back up either automatically or manually.
Noticed TACACS authorization logs when you change the password for a user? In the authorization logs I can see the new password, but I cannot see the same in the accounting logs. Is it normal behaviour? Or do we need to do something to hide the password in authorization logs?
For example, if I type the command username xyz priv 15 secret cisco 123
I see this command in the accounting logs as username xyz priv 15 secret ***, whereas in the TACACS authorization logs it shows username xyz priv 15 secret cisco 123
I have ACS 5.3.0.40 Primary and Secondary Authenticators, on which the Scheduled backup has stopped. When I checked Monitoring Configuration > System Operations > Data Management > Removal and Backup > Incremental Backup, it had changed to OFF mode without any reason. Later I did the acs stop/start "view-jobmanager" and initiated the On-demand Full Backup, but no luck; the same error was reported this time too.
I have a problem with ACS 5.0 reporting. On the "Monitoring and Report" page in Favorite Reports, when I click on "Authentications - RADIUS - Today", my browser displays the error "Error while reading skin-access.config. Please make sure the file exists and conforms to the schema specified"
I must also mention that I never upgraded the version of ACS from 5.0; also, from the command line all the ACS services are running. It is running on a Cisco 1120 Secure Access Control Server appliance.
My second question is can I upgrade the version of ACS to 5.4 with Cisco Secure ACS 5 Base License?
I saved the running configuration to startup first and rebooted the ACS 5.1. Since then it has stopped Authentication logs. I can log in to the network devices using TACACS login, but I am not getting TACACS authentication logs.
Having an issue where a user will plug a PC into a switch. The switch does a MAB authentication and the MAC is not located in the ACS server. It logs the failed attempt, but when the PC is removed from the switch, the failed attempts keep getting logged until the port is bounced. Any way to keep the attempts from happening after the PC is removed? If not, any way to make it stop without bouncing the port?
running ACS version 5.2.0.26
switch port config:
interface GigabitEthernet1/0/2
 sw access vlan 2
 sw mode access
 authentication control-direction in
 authentication host-mode multi-auth
 authentication port-control auto
 mab
 spanning-tree portfast
The Cisco ACS 5.2 secondary server is configured as a log collector for both the primary and secondary servers. Now I am facing a problem in log collection from the primary server. The ACS secondary server is not collecting any logs from the primary.