Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

authentication failures -- how can I track down the source?

  • 1.  authentication failures -- how can I track down the source?

    Posted Nov 16, 2012 01:12 PM

    Below I've copied two lines from our syslog messages file showing where our Wireless Controller (3600) reports that someone tried to connect to something and the username wasn't in the local database.

     

    We see several of these every day for folks banging their head against the captive portal, and it doesn't concern us all that much.

     

    In the last 10 days though, we've had 6000+ attempts on username admin. What should I look at to find out where these requests are coming from?

     

    --Matthew

     

     

    Nov 16 09:15:25 10.21.0.64 localdb[1615]: <133019> <ERRS> <000boiid-wc1 10.21.0.64>  User admin was not found in the database
    Nov 16 09:15:25 10.21.0.64 localdb[1615]: <133006> <ERRS> <000boiid-wc1 10.21.0.64>  User admin Failed Authentication


    #3600


  • 2.  RE: authentication failures -- how can I track down the source?

    EMPLOYEE
    Posted Nov 16, 2012 01:43 PM

    show audit-trail

     



  • 3.  RE: authentication failures -- how can I track down the source?

    Posted Nov 16, 2012 06:59 PM

    The audit-trail shows lots of successful logins from Airwave to the controller, but no unsuccessful attempts.

    The syslog events and the audit-trail are nearly opposites, as successes aren't getting logged.

     

    How to see who tries and fails?

     

    --Matthew



  • 4.  RE: authentication failures -- how can I track down the source?

    EMPLOYEE
    Posted Nov 16, 2012 07:03 PM

    Management Authentication?

     

    show log security 50

     

    Nov 16 18:01:00 :125022:  <WARN> |aaa|  Authentication failed for User admin, Logged in from 192.168.1.67 port 64527, Connecting to 192.168.1.3 port 22 connection type SSH
    

     



  • 5.  RE: authentication failures -- how can I track down the source?

    Posted Nov 16, 2012 07:06 PM

    All I get are the attempt and fail, with no detail telling who/what IP/etc is making the attempt:

     

    Nov 16 14:14:08 :133019:  <ERRS> |localdb|  User admin was not found in the database
    Nov 16 14:14:08 :133006:  <ERRS> |localdb|  User admin Failed Authentication
    Nov 16 14:14:23 :133019:  <ERRS> |localdb|  User admin was not found in the database
    Nov 16 14:14:23 :133006:  <ERRS> |localdb|  User admin Failed Authentication
    Nov 16 14:14:38 :133019:  <ERRS> |localdb|  User admin was not found in the database
    Nov 16 14:14:38 :133006:  <ERRS> |localdb|  User admin Failed Authentication
    Nov 16 14:14:53 :133019:  <ERRS> |localdb|  User admin was not found in the database
    Nov 16 14:14:53 :133006:  <ERRS> |localdb|  User admin Failed Authentication
    Nov 16 14:15:08 :133019:  <ERRS> |localdb|  User admin was not found in the database
    Nov 16 14:15:08 :133006:  <ERRS> |localdb|  User admin Failed Authentication
    Nov 16 14:15:23 :133019:  <ERRS> |localdb|  User admin was not found in the database
    Nov 16 14:15:23 :133006:  <ERRS> |localdb|  User admin Failed Authentication
    Nov 16 14:15:38 :133019:  <ERRS> |localdb|  User admin was not found in the database
    Nov 16 14:15:38 :133006:  <ERRS> |localdb|  User admin Failed Authentication
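
An added example, not part of any poster's reply and not Aruba tooling: a Python sketch that reads the two message formats quoted in this thread, counts 133006 failures per username, measures the interval between them, and lists any source addresses that 125022 management-authentication messages report for the same username. Matching the two message types by username alone is an assumption; the localdb lines carry no source address. The function name `summarize` and its `year` parameter are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the message formats quoted in the thread
# ("show log security" output); not captured from a live controller.
SAMPLE = """\
Nov 16 14:14:08 :133019:  <ERRS> |localdb|  User admin was not found in the database
Nov 16 14:14:08 :133006:  <ERRS> |localdb|  User admin Failed Authentication
Nov 16 14:14:23 :133006:  <ERRS> |localdb|  User admin Failed Authentication
Nov 16 14:14:38 :133006:  <ERRS> |localdb|  User admin Failed Authentication
Nov 16 14:14:53 :133006:  <ERRS> |localdb|  User admin Failed Authentication
Nov 16 18:01:00 :125022:  <WARN> |aaa|  Authentication failed for User admin, Logged in from 192.168.1.67 port 64527, Connecting to 192.168.1.3 port 22 connection type SSH
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s.*?[:<](\d{6})[:>]\s+(.*)$")
LOCALDB_FAIL = re.compile(r"User (\S+) Failed Authentication")
MGMT_FAIL = re.compile(r"Authentication failed for User (\S+), Logged in from (\S+) port \d+,"
                       r" Connecting to (\S+) port (\d+) connection type (\S+)")

def summarize(lines, year=2012):
    """Return {user: {failures, cadence_s, sources}}; log lines carry no year, so one is assumed."""
    times, sources = defaultdict(list), defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg_id, msg = m.group(2), m.group(3)
        if msg_id == "133006" and (u := LOCALDB_FAIL.search(msg)):
            times[u.group(1)].append(ts)
        elif msg_id == "125022" and (u := MGMT_FAIL.search(msg)):
            sources[u.group(1)].add((u.group(2), u.group(5)))  # (source IP, connection type)
    report = {}
    for user in set(times) | set(sources):
        stamps = sorted(times[user])
        gaps = Counter(int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:]))
        report[user] = {
            "failures": len(stamps),
            # Most common gap between failures; a constant value suggests a
            # scripted or polling client rather than a person typing (heuristic).
            "cadence_s": gaps.most_common(1)[0][0] if gaps else None,
            "sources": sorted(sources[user]),
        }
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The same pattern also accepts the remote-syslog form from the first post, where the message ID appears as `<133006>` after the `localdb[...]` tag.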

     



  • 6.  RE: authentication failures -- how can I track down the source?

    Posted Apr 02, 2013 11:17 AM

     

    Hello,

     

    I am facing a similar issue with different users showing "was not found in the database" and "Failed Authentication" on the localdb.

     

    Did you have any luck, or can anyone show how to get to the source of these authentication failures?

     

    BR



  • 7.  RE: authentication failures -- how can I track down the source?

    Posted Apr 02, 2013 11:24 AM

    You could try the following command, "logging level debug security", to debug and see if it gives more info when you execute "show log security 100". If you have some sort of idea what type of authentication is failing, you can then go and do more specific debugging under security.



  • 8.  RE: authentication failures -- how can I track down the source?

    Posted Apr 18, 2013 01:41 PM

    Don't know about your exact setup, and I'm not sure with which code I have seen it, but I had this happening with client certificate authentication. The CN of the client certificate would be looked up in the internal database and this fails; authentication was successful though.