Chapter 12 Managing Alarms

Creating, Editing, and Duplicating Alarm Thresholds

Table 12-20 RADIUS Sessions

| Option | Description |
|---|---|
| More than num authenticated sessions in the past 15 minutes, where accounting start event has not been received for a Device IP | num—A count of authenticated sessions in the past 15 minutes. |
| Filter | |
| ACS Instance | Click Select to choose a valid ACS instance on which to configure your threshold. |
| Device IP | Click Select to choose or enter a valid device IP address on which to configure your threshold. |

Unknown NAD

When ACS evaluates this threshold, it examines the RADIUS or TACACS+ failed authentications that have occurred during the specified time interval up to the previous 24 hours. From these failed authentications, ACS identifies those with the failure reason Unknown NAD.

The unknown network access device (NAD) authentication records are grouped by a common attribute, such as ACS instance, user, and so on, and a count of the records within each of those groups is computed. If the count of records for any group exceeds the specified threshold, an alarm is triggered. This can happen if, for example, you configure a threshold as follows:

Unknown NAD count greater than 5 in the past 1 hour for a Device IP

If in the past hour, failed authentications with an unknown NAD failure reason have occurred for two different device IP addresses as shown in the following table, an alarm is triggered, because at least one device IP address has a count greater than 5.

| Device IP | Count of Unknown NAD Authentication Records |
|---|---|
| a.b.c.d | 6 |
| e.f.g.h | 1 |

You can specify one or more filters to limit the failed authentications that are considered for threshold evaluation. Each filter is associated with a particular attribute in the records and only those records that match the filter condition are counted. If you specify multiple filter values, only the records that match all the filter conditions are counted.
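The evaluation described above (select Unknown NAD failures in the interval, apply all filters, group, count, compare with the threshold) can be sketched as follows. This is an added example, not code from ACS or from the user guide; the record field names (`time`, `device_ip`, `acs_instance`, `failure_reason`), the sample records, and the documentation-range addresses standing in for a.b.c.d and e.f.g.h are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def evaluate_unknown_nad(records, now, window, group_by, threshold, filters=None):
    """Return {group value: count} for every group whose count exceeds threshold."""
    if window > timedelta(hours=24):
        raise ValueError("interval cannot reach back more than 24 hours")
    counts = Counter()
    for rec in records:
        # Only failed authentications with failure reason Unknown NAD are considered.
        if rec["failure_reason"] != "Unknown NAD":
            continue
        if not (now - window <= rec["time"] <= now):
            continue
        # A record is counted only if it matches all filter conditions.
        if any(rec.get(attr) != value for attr, value in (filters or {}).items()):
            continue
        counts[rec[group_by]] += 1
    # "Exceeds" is strict: a count equal to the threshold does not alarm.
    return {group: n for group, n in counts.items() if n > threshold}

NOW = datetime(2024, 1, 1, 12, 0)  # constructed evaluation time

def rec(minutes_ago, device_ip, acs_instance="acs-1", reason="Unknown NAD"):
    """Build one constructed failed-authentication record (hypothetical schema)."""
    return {"time": NOW - timedelta(minutes=minutes_ago), "device_ip": device_ip,
            "acs_instance": acs_instance, "failure_reason": reason}

# Constructed sample: 192.0.2.10 plays the role of a.b.c.d, 198.51.100.7 of e.f.g.h.
SAMPLE = (
    [rec(m, "192.0.2.10") for m in (2, 9, 17, 31)]
    + [rec(m, "192.0.2.10", acs_instance="acs-2") for m in (40, 55)]
    + [rec(12, "198.51.100.7")]
    + [rec(m, "198.51.100.7") for m in (75, 90, 120, 180, 240, 300)]  # older than 1 hour
    + [rec(5, "198.51.100.7", reason="Invalid password")]  # different failure reason
)

if __name__ == "__main__":
    hour = timedelta(hours=1)
    # "Unknown NAD count greater than 5 in the past 1 hour for a Device IP"
    print(evaluate_unknown_nad(SAMPLE, NOW, hour, "device_ip", 5))
    # Same threshold with an ACS Instance filter: fewer records are counted.
    print(evaluate_unknown_nad(SAMPLE, NOW, hour, "device_ip", 5,
                               {"acs_instance": "acs-1"}))
```

With the filter applied, only four of the six records for the first device are counted, so the same threshold no longer triggers an alarm.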

Choose this category to define threshold criteria based on authentications that have failed because of an unknown NAD. Modify the fields in the Criteria tab as described in Table 12-21.

 

 

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01