Cisco AAA/Identity/Nac :: ACS 5.2 Logs Are Not Showing MAC Address?
May 10, 2012
We recently had to rebuild our ACS server. Now when we have an 802.1x authentication failure and look at the RADIUS logs for the specific user, it does not show us the MAC address of the device the user tried to login with. We use this all the time because users have PDAs and other mobile devices that they save their passwords on. Then when they change their domain password on their laptop, they don't change it on their PDA which then tries to authenticate them using the wrong password and eventually locks them out. We need to see the MAC address so we can pinpoint which device is causing the lockout. The report I am generating is when you go to this location: Monitoring & Reports > ... > Reports > Catalog > User > User_Authentication_Summary
View 4 Replies
ADVERTISEMENT
May 18, 2011
I am having trouble viewing all the Administration logs in ACS View. I have my Local Log Target set to a Maximum log retention period of 90 days. In ACS View I can display authentications that go back 90 days + However when I try and display the "ACS_Configuration_Audit" in View and perform a Custom query that goes back 90 days it will only display about 35 days of Admin logs.I know the logs are there because when I go into CLI and do a search like "show logging | i "ObjectType=Administrator Account" the Administration logs go back over a year.why ACS View cannot display all the Admin logs?The ACS is running v5.1.0.44 Patch 6 (Also experiencing this in a v5.2 ACS as well)
View 2 Replies
View Related
Sep 13, 2012
I've noticed in the mornings lately when I get up around 6 am my internet will not work. Not on wireless or on my desktop. I decided I'd log into the router to see if there was a firmware update or anything. I had checked the logs and there are quite a few entries relating to DoS. I googled around and saw that it could be some sort of packet loss and the router is mistaking it for some sort of DoS attack. And that due to it not showing up multiple times every second it likely isn't a DoS attack. Here is a few from the logs:
[code].....
View 4 Replies
View Related
Feb 27, 2011
We’ve got lot of ASA appliances (around 30, 5505/5510/5520) and we never had this problem since the use of the new image software ASA 8.4(1) and ASDM 6.4(1). So, my problem is located on two ASA 5520 with active/passive failover with ASA image 8.4(1) and ASDM image 6.4(1).
My problem is that our appliance doesn’t show any logs when an ACL deny a packet, even if when I specify a specific “deny ACL” with a specific logging condition, asdm and ssh buffer logging are empty but the counters of the ACL increment.
View 6 Replies
View Related
May 16, 2011
OK, so just mooching around in the pages of my switch, a 24 port switch and it has in the logs:
268InfoMay 15 22:43:51NIMInterface 26 is Link Down
269InfoMay 15 22:43:51NIMInterface 26 is Link Down
270InfoMay 15 22:43:51NIMevent(39),intf(26),component(2), on non-existent interface
Now, correct me if I`m wrong but my switch only has 24 ports and two of those (23 and 24) are dual personality jobbies!?Where the hell is port 26? Where did it come from? and why did it need to show up only for the switch to realise that it doesn`t really exist?
View 2 Replies
View Related
Oct 17, 2012
I have an issue on an ASA 5510 that I have noticed today, when I am using the log viewer all of the information recorded only shows the high end source and destination ports. For example
Source IP 10.10.4.69
Source Port 59886
Destination IP 8.8.8.8
Destination Port 59866
So what seems to be happening is that I am seeing only half of the connection in the log viewer, I see the side with the high end ports and not the side with the ports the application uses, this example was done with a ping. All my services are working correctly and the client sending the ping gets the response expected, it just seems I have lost the logging display?
View 4 Replies
View Related
Oct 16, 2012
We have a stack of 4 Cisco WS-3750G-24TS with Sw Version 12.2(52) SE and giving weird errors:-
-Traceback= 17211C8 16FA4C0 16FA4FC 18625E4 18608D4 286A850 283E6FC 282EDF4 2859BBC 1B2EDA8 1B25878
Oct 17 22:26:48 AEDT: %SNMP-3-CPUHOG: Processing GetBulk of lldpRemEntry.7
Oct 17 22:26:50 AEDT: %SYS-3-CPUHOG: Task is running for (2098)msecs, more than (2000)msecs (8/6),process = SNMP ENGINE.
-Traceback= 172108C 17211CC 16FA4C0 16FA4FC 18625E4 18608D4 286A850 283E6FC 282EDF4 2859BBC 1B2EDA8 1B25878
Oct 17 22:26:51 AEDT: %SNMP-3-CPUHOG: Processing GetBulk of lldpRemEntry.7
Oct 17 22:26:53 AEDT: %SNMP-3-CPUHOG: Processing GetBulk of lldpRemEntry.6
Oct 17 22:26:53 AEDT: %SYS-3-CPUHOG: Task is running for (2097)msecs, more than (2000)msecs (1/1),process = SNMP ENGINE.
What are these errors is this a bug in the IOS
View 1 Replies
View Related
Oct 31, 2012
I have linksys E4500 and I would like to be able to see the website visited vs ip address.Is there a way to enable same or achive same via parental controls.Again I do not want to block a website but monitor which websites are visited. Is this achievable via router or an additional software/hardware required to be used with router
View 5 Replies
View Related
Sep 6, 2011
I have 3 ACS servers placed throughout N. America. I it set up so that ACS01 is primary and ACS02 and ACS03 are secondary. When i look at the logs for passed/failed authentications in radius or tacacs I cannot see anything from ACS03 logging. This is weird because just a few weeks ago it worked perfectly. In fact, ACS03 is the most active server since this site is using it for wireless phones and tacacs and the other 2 are just using ACS for wireless networking. I went through the log settings and every server is set up the same as the others (except the primary) so it should be logging ACS03 the exact same as 01 and 02.Anyway it seems like a small problem but i need the logs to work correctly to properly administrate security.
View 1 Replies
View Related
Jan 15, 2012
Noticed tacacs authorization logs when you change password for a user ?? in authorization logs I can see the new password but same I can not see in accounting logs ? is it a normal behaviour ?? or do we need to do something to hide the password in authorization logs ?
For example if i type command username xyz priv 15 secret cisco 123
I see this command in accounting logs as uername xyz oriv 15 secret *** where as in tacacs authorization logs it shows username xyz priv 15 secret cisco 123
View 1 Replies
View Related
Mar 23, 2012
I have cisco ACS 4.2 (1) build 15 working fine, but it can save historic logs for Passed Authentications, Failed attempts. etc.
View 1 Replies
View Related
Mar 6, 2013
I have problem with ACS 5.0 on reporting. On "Monitoring and Report" page in Faverite Reports when i clicking on "Authentications - RADIUS - Today", My browser displays error "Error while reading skin-access.config. Please make sure the file exists and conforms to the schema specified"
I must also mention that I never upgraded the version of ACS from 5.0 also from command line all the acs services are running. It is running on CISCO 1120 Secure Access Controll Server apliance.
My second question is can I upgrade the version of ACS to 5.4 with Cisco Secure ACS 5 Base License?
View 4 Replies
View Related
Dec 28, 2011
I have saved the running configuration to startup first and rebooted the ACS 5.1. Since then it has stopped Authentication logs, though I can login to the network devices using Tacacs login, but I am not getting Tacacs authentication logs ?
View 3 Replies
View Related
Jan 8, 2013
Having an issue where a user will plug a PC into a switch. The switch does a MAB authenticaiton and the MAC is not located in the ACS server. It logs the failed attempt, but when the PC is removed from the switch, the failed attempts keep getting logged until the port is bounced. Any way to keep the attemps from happening after the PC is removed? If not, any way to make it stop without bouncing the port?
running ACS version 5.2.0.26
switch port config:
interface GigabitEthernet1/0/2
sw access vlan 2 sw mode access
authentication control-direction in
authenticaion host-mode multi-auth
authentication port-control auto
mab
spanning-tree portfast
View 2 Replies
View Related
Aug 3, 2011
Why my asa5520 brings out:
sh curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
while i am logging in with my username which is XXXX. And in my ACS accounting logs I cannot see which user did what.
View 2 Replies
View Related
Jul 18, 2011
I have some queries regarding on the report generation for on Cisco ACS v5.2.
1) Can we schedule to run a customized report on ACS and then email the report to the user?
2) Can we run a users authentication trend report based on the AD directory group rather than individual user.
3) Can we configure user authentication logs to be viewed on WCS.
View 6 Replies
View Related
Apr 24, 2013
I am using CiscoSecure ACS v4.2 appliance, in there any way that RADIUS logs upload to FTP server because it has limitation to store RADIUS logs.
View 15 Replies
View Related
Nov 2, 2011
Cisco ACS 5.2 secondary server is configured as a log collector for both primary and secondary server .Now i am facing problem in log collection from primary server .ACS secondary server is not collecting any logs from primary .
View 2 Replies
View Related
Mar 28, 2013
I'm using ACS 5.4p2 within distributed systems: one primary and one secondary instance.For now, primary instance is acting as Log Collector server and I can see any AAA audit logs.
When the primary instance fails I can authenticate successfully using the secondary instance.However, when primary instance comes back, I'm not able to see any audit logs operated by secondary.
View 9 Replies
View Related
Apr 11, 2012
We are currently using Cisco ACS 5.3.0.40.2. One of the Services Selection Policy it hosts is:
Receive Authentication request from a wireless controller for a wireless userIf the wireless user's username contains a particular domain suffix, the request is proxied to an external proxy server using an External Proxy service (configured for both local/remote accounting)On receiving an Acccess-Accept from the external proxy, the user is given access and ACS 5 will start logging account packets for the username (nothing appears in the RADIUS authentication logs - ACS 5 it seems doesn't log proxied authentication requests) The above setup works fine in most instances. We start to have problems when an external proxy server strips the domain suffix off the username in the Access-Accept packet e.g.
ACS 5 proxies an Access-Request to an external proxy server (with Username = someuser@somwhere.com)The external proxy replies with an Access-Accept (with Username = someuser)The user 'someuser' is given access but subsequent accounting attempts fail because their username (without the domain suffix) doesn't match the Service Selection PolicyIs there any way to get ACS 5.3 to log proxied authentication requests? If not, can I configure ACS 5.3 to use the username in the Access-Request packet (rather than the username in the Access-Accept packet) for accounting?
View 2 Replies
View Related
Oct 5, 2011
How to delete the accounting/authorization Reports or logs ?
View 2 Replies
View Related
May 2, 2013
ACS 4.2 and remote agent was working properly two months before. But in past two months we are facing weird issue in RA server.For Somedays we are missing logs from both ACS and RA server. Once we notice this we use to restart the services in ACS to give workaround. But due to this we loose our daily logs intermittently and facing risk in without having logs.This is not like communication between ACS and RA is not at all happening. It happens properly for a week or month, but again it is going bad without any config change. CSAgent.ini file is properly configured.Full version is 4.2.1.15 and patch is 10 in acs and ra.ACS and Remote Agent Major and Patch version are same.
View 5 Replies
View Related
Dec 2, 2011
How i can transfer the router logs to email address.Wev are using the router 2600.
View 5 Replies
View Related
Nov 10, 2011
I have a cable modem internet connection and my cable modem is connected to an ASA 5505. The inside interface of the ASA has an IP address of 192.168.2.2 and is connected to a Linksys router's internet port which has an IP address of 192.168.2.1. The Linksys router then has a local area network of 192.168.1.0 and all my clients are on that network. Everything is working fine except in my ASA logs all the traffic shows up as the router's external address which is 192.168.2.1. I would like to see the 192.168.1.x address of the clients in the ASA firewall. I've tried making some changes to the Linksys router but that hasn't resolved it. Is there any changes I can make on the ASA to get this to work?
View 6 Replies
View Related
Nov 11, 2012
I have just renewed the self signed certificate on a v5.2 ACS and expiry date of 2013 is showing in the ACS GUI. However, when I start an ACS Admin session and view the certificate information in the browser it is showing the old expiry date of 2010. I have tried this in IE and Firefox and the certificate information is the same.
Is there a way I can get the browser to pick the new certificate ?
View 1 Replies
View Related
Jul 7, 2011
i am trying to connect(internet) my laptop but its is not connecting through WIFI.diffrent ip addresss is showing on a laptop but my ip address is not showing and it is not connecting.
View 1 Replies
View Related
Jun 20, 2012
I have an ACS Server 5.1 which is used to authenticate my cisco and non-cisco devices. however when I take report on my authentications, the time shown in the report is wrong. However, when I take my mouse pointer to the report , the correct time is highlighted.
View 4 Replies
View Related
Sep 29, 2011
I have added all of the devices to DCR and they show up with their hostname value in all of the device trees except for the fault manager views. In all of the fault manager views the hostname is not being used for the Devie Name field, rather the IP address is being used.
View 6 Replies
View Related
Aug 8, 2012
When a tacacs user is changing the local password on the router (for local user), the acs 5.3 is showing the new password in clear text in authorization reports/logs.
This behaviour is seen on acs 5.x, whereas acs 4.2 is showing encrypted password in the reports.
I have checked debugs on Router and it is sending password in clear text in Tacacs Authorization packet but encrypted password in Tacacs Accounting logs.
Debug tacacs accounting
debug aaa accounting
4w3d: TPLUS: Received accounting response with status PASS
[Code]....
View 8 Replies
View Related
Apr 8, 2013
we have 6500 cisco switch as a backbone switch in universty. When ı want to look mac addres table , it does no show all mac address.ı mean if ı type ;show mac address-table there are not all mac address.
View 3 Replies
View Related
Apr 11, 2011
why I would be getting traffic on my outside interface that has a destination address which is not my assigned outside address? I recently set up my ASA 5505 on the network and gave it an available outside address of say 192.x.x.250 on interface vlan 100. When I assign vlan 100 to e0/0 and bring the port up, I start seeing lots of traffic pour into the ASDM Syslog with various destinations belonging to my subnet but that are not actually destined for my specific outside address of 192.x.x.250.They are showing a destination of say 192.x.x.85 or 192.x.x.29.
View 3 Replies
View Related
Apr 23, 2012
I always though that sh mac address table dynamic interface xx/xx/xx was a subset of "sh mac address table" 6590 Version 12.2(33)SXI I have two mac addresses on downstream switches that will only show up when using
sh mac address-table dynamic interface Te4/10
* 903 0050.77a9.6e3c dynamic Yes 0 Te4/10
* 903 0050.77a9.5766 dynamic Yes 0 Te4/10
when using "old faithful"
sh mac address-table | inc 6e3c
*nothing*
or
sh mac address-table dynamic | inc 6e3c
*nothing*
nothing shows up?this vlan has no layer three interfaces
View 1 Replies
View Related
Jul 31, 2011
I volunteer at a school who just purchased two 48 port SGE2010 managed switches. I am not a big fan of the web gui and was hoping to see the standard Cisco command prompt instead of the menu-type interface.
Is there a way to view the MAC table showing which MAC address is plugged into which port on the switch? I have been fighting with the menu and the gui for a while now and do not see this anywhere.
View 5 Replies
View Related
