Chapter 12 Managing Alarms

Creating, Editing, and Duplicating Alarm Thresholds

Table 12-10 Passed Authentications (continued)

Option            Description

Device Group      Click Select to choose a valid device group name on which to configure your threshold.

Identity Store    Click Select to choose a valid identity store name on which to configure your threshold.

Access Service    Click Select to choose a valid access service name on which to configure your threshold.

MAC Address       Click Select to choose or enter a valid MAC address on which to configure your threshold. This filter is available only for RADIUS authentications.

NAD Port          Click Select to choose a port for the network device on which to configure your threshold. This filter is available only for RADIUS authentications.

AuthZ Profile     Click Select to choose an authorization profile on which to configure your threshold. This filter is available only for RADIUS authentications.

AuthN Method      Click Select to choose an authentication method on which to configure your threshold. This filter is available only for RADIUS authentications.

EAP AuthN         Click Select to choose an EAP authentication value on which to configure your threshold. This filter is available only for RADIUS authentications.

EAP Tunnel        Click Select to choose an EAP tunnel value on which to configure your threshold. This filter is available only for RADIUS authentications.

Protocol          Use the drop-down list box to configure the protocol that you want to use for your threshold. Valid options are: RADIUS and TACACS+.

Related Topics

Creating, Editing, and Duplicating Alarm Thresholds, page 12-11

Configuring General Threshold Information, page 12-13

Configuring Threshold Notifications, page 12-32

Failed Authentications

When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that occurred during the time interval that you specify, up to the previous 24 hours. These authentication records are grouped by a common attribute, such as ACS Instance, User, Identity Group, and so on.

The number of records within each of these groups is then counted. If the count for any group exceeds the specified threshold, an alarm is triggered.

For example, suppose you configure a threshold with the following criteria: failed authentications greater than 10 in the past 2 hours, grouped by Device IP. When ACS evaluates this threshold, suppose failed authentications have occurred for four IP addresses in the past two hours as follows:

Device IP    Failed Authentication Count

a.b.c.d      13

e.f.g.h      8
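The evaluation rule described above (filter the failed authentications to the configured window, group by the chosen attribute, count each group, and alarm where the count exceeds the threshold), written out as an added Python example that is not part of the user guide. The record layout, the evaluate_threshold function and the device addresses are assumptions; the records are constructed to mirror the a.b.c.d and e.f.g.h rows, plus a third device whose failures fall outside the two-hour window.

```python
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 1, 12, 0)  # constructed evaluation time


def _make(device_ip, count, minutes_ago):
    """Build `count` constructed failed-authentication records for one device,
    all stamped `minutes_ago` minutes before NOW (assumed record layout)."""
    stamp = NOW - timedelta(minutes=minutes_ago)
    return [{"time": stamp, "device_ip": device_ip, "user": f"user{i}"}
            for i in range(count)]


# Constructed sample records (not real ACS data). The first two devices mirror the
# table above; i.j.k.l has many failures but they are three hours old.
FAILED_AUTHS = (_make("a.b.c.d", 13, 30)
                + _make("e.f.g.h", 8, 45)
                + _make("i.j.k.l", 12, 180))


def evaluate_threshold(records, group_by, greater_than, hours, now=NOW):
    """Count failed authentications per `group_by` value that occurred within the
    last `hours` hours (capped at 24, since ACS looks back at most 24 hours) and
    return {group: count} for every group whose count exceeds `greater_than`.
    An empty dict means the threshold did not trigger."""
    hours = min(hours, 24)
    window_start = now - timedelta(hours=hours)
    in_window = (r for r in records if window_start <= r["time"] <= now)
    counts = Counter(r[group_by] for r in in_window)
    return {group: n for group, n in counts.items() if n > greater_than}


if __name__ == "__main__":
    # Threshold from the example: failed authentications > 10 in the past 2 hours, by Device IP.
    alarms = evaluate_threshold(FAILED_AUTHS, "device_ip", greater_than=10, hours=2)
    for device, n in alarms.items():
        print(f"ALARM: {n} failed authentications for Device IP {device} in the past 2 hours")
```

Only a.b.c.d triggers: e.f.g.h stays under the threshold and i.j.k.l is outside the window, although widening the window to four hours would make it trigger as well.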

 

User Guide for Cisco Secure Access Control System 5.3

12-16

OL-24201-01
