Wireless Access

Reply
MVP
Posts: 724
Registered: ‎12-01-2010

authentication failures -- how can I track down the source?

Below I've copied two lines from our syslog messages file showing where our Wireless Controller (3600) reports that someone tried to connect to something and the username wasn't in the local database.

 

We see several of these every day for folks banging their head against the captive portal, and it doesn't concern us all that much.

 

In the last 10 days though, we've had 6000+ attempts on username admin. What should I look at to find out where these requests are coming from?

 

--Matthew

 

 

Nov 16 09:15:25 10.21.0.64 localdb[1615]: <133019> <ERRS> <000boiid-wc1 10.21.0.64>  User admin was not found in the database
Nov 16 09:15:25 10.21.0.64 localdb[1615]: <133006> <ERRS> <000boiid-wc1 10.21.0.64>  User admin Failed Authentication

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: authentication failures -- how can I track down the source?

show audit-trail

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 724
Registered: ‎12-01-2010

Re: authentication failures -- how can I track down the source?

The audit-trail shows lots of successful logins from Airwave to the controller, but no unseccessful attempts.

The syslog events and the audit-trail are nearly opposites, as successes aren't getting logged.

 

How to see who tries and fails?

 

--Matthew

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Guru Elite
Posts: 21,280
Registered: ‎03-29-2007

Re: authentication failures -- how can I track down the source?

Management Authentication?

 

show log security 50

 

Nov 16 18:01:00 :125022:  <WARN> |aaa|  Authentication failed for User admin, Logged in from 192.168.1.67 port 64527, Connecting to 192.168.1.3 port 22 connection type SSH

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 724
Registered: ‎12-01-2010

Re: authentication failures -- how can I track down the source?

All I get are the attempt and fail, with no detail telling who/what IP/etc is making the attempt:

 

Nov 16 14:14:08 :133019:  <ERRS> |localdb|  User admin was not found in the database
Nov 16 14:14:08 :133006:  <ERRS> |localdb|  User admin Failed Authentication
Nov 16 14:14:23 :133019:  <ERRS> |localdb|  User admin was not found in the database
Nov 16 14:14:23 :133006:  <ERRS> |localdb|  User admin Failed Authentication
Nov 16 14:14:38 :133019:  <ERRS> |localdb|  User admin was not found in the database
Nov 16 14:14:38 :133006:  <ERRS> |localdb|  User admin Failed Authentication
Nov 16 14:14:53 :133019:  <ERRS> |localdb|  User admin was not found in the database
Nov 16 14:14:53 :133006:  <ERRS> |localdb|  User admin Failed Authentication
Nov 16 14:15:08 :133019:  <ERRS> |localdb|  User admin was not found in the database
Nov 16 14:15:08 :133006:  <ERRS> |localdb|  User admin Failed Authentication
Nov 16 14:15:23 :133019:  <ERRS> |localdb|  User admin was not found in the database
Nov 16 14:15:23 :133006:  <ERRS> |localdb|  User admin Failed Authentication
Nov 16 14:15:38 :133019:  <ERRS> |localdb|  User admin was not found in the database
Nov 16 14:15:38 :133006:  <ERRS> |localdb|  User admin Failed Authentication

 

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
DSP
Contributor II
Posts: 37
Registered: ‎03-25-2013

Re: authentication failures -- how can I track down the source?

 

Hello,

 

I am facing a similar issue with different users showing "was not found in the database" and "Failed Authentication" on the localdb.

 

Did you have any luck or anyone can show how to get to the source of these authentication failures?

 

BR

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: authentication failures -- how can I track down the source?

you could try the following  command   "logging level debug security"  to debug and see if gives more info  when you execute" show log security 100" and if you have some sort idea what type of authentication is failing you can then go and do a more specific debugging under security 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: authentication failures -- how can I track down the source?

don't know about your exact setup and im not sure with which code i have seen it, but i had this happening with client certificate authentication. the cn of the client certificate would be looked up on the internal database and this fails, authentication was succesful though.

Search Airheads
Showing results for 
Search instead for 
Did you mean: