Cisco Systems OL-24201-01 Unknown NAD

12-27

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

Chapter 12 Managing Alarms

Creating, Editing, and Duplicating Alarm Thresholds

Unknown NAD

When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that

have occurred during the specified time interval up to the previous 24 hours. From these failed

authentications, ACS identifies those with the failure reason Unknown NAD.

The unknown network access device (NAD) authentication records are grouped by a common attribute,

such as ACS instance, user, and so on, and a count of the records within each of those groups is

computed. If the count of records for any group exceeds the specified threshold, an alarm is triggered.

This can happen if, for example, you configure a threshold as follows:

Unknown NAD count greater than 5 in the past 1 hour for a Device IP

If in the past hour, failed authentications with an unknown NAD failure reason have occurred for two

different device IP addresses as shown in the following table, an alarm is triggered, because at least one

device IP address has a count greater than 5.

You can specify one or more filters to limit the failed authentications that are considered for threshold

evaluation. Each filter is associated with a particular attribute in the records and only those records that

match the filter condition are counted. If you specify multiple filter values, only the records that match

all the filter conditions are counted.

Choose this category to define threshold criteria based on authentications that have failed because of an

unknown NAD. Modify the fields in the Criteria tab as described in Table 12-21.

Table 12-20 RADIUS Sessions

Option Description

More than num authenticated sessions in the past 15 minutes,

where accounting start event has not been received for a

Device IP

num—A count of authenticated sessions in the past 15

minutes.

Filter

ACS Instance Click Select to choose a valid ACS instance on which to

configure your threshold.

Device IP Click Select to choose or enter a valid device IP address on

which to configure your threshold.

Device IP Count of Unknown NAD Authentication Records

a.b.c.d 6

e.f.g.h 1