Logging wifi accesses
in [Cisco]
|
From: JF Mezei on 29 Mar 2010 06:45 I have a 871W router with a wifi dot11 radio setup. It sIP address is 10.0.0.1 When a station connects, I get logs such as: Mar 28 06:18:14 10.0.0.1 1417: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0025.004d.4765 Reason: Previous authentication no longer valid SSID[VaxinationWiFi] Mar 28 06:18:16 10.0.0.1 1418: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0025.004d.4765 Associated SSID[VaxinationWiFi] AUTH_TYPE[EAP-LEAP] KEY_MGMT[WPAv2] However, I would like to also log the actual authentication (which username is being used), especially invalid authentication attempts (hacker trying to get in for instance). The router is setup with its own local radius server. What sort of statement do I need to add to cause a syslog message to be issued for both proper and improper login attempts (either at the dot11 level, or at the radius level). I have login on-success login on-failure Those do cause syslog mkessages to be issued, but for actual logins to the router's CLI. Any hints on what to look for would be appreciated. Relevant bits (I think) aaa new-model ! ! aaa group server radius my_aaa_group server-private 10.0.0.1 auth-port 1812 acct-port 1813 key mylongandsharedpassword ! aaa authentication login eap_list_name group my_aaa_group aaa authorization exec default local dot11 syslog ! dot11 ssid MickeyMouse vlan 10 authentication open eap eap_list_name authentication network-eap eap_list_name authentication key-management wpa optional guest-mode interface Dot11Radio0 no ip address ! encryption vlan 10 mode ciphers aes-ccm tkip wep128 ! broadcast-key vlan 10 change 600 ! ! ssid MickeyMouse ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root world-mode dot11d country CA both ! interface Dot11Radio0.10 description MickeyMouse on VLAN 10 encapsulation dot1Q 10 bridge-group 10 bridge-group 10 subscriber-loop-control bridge-group 10 spanning-disabled bridge-group 10 block-unknown-source no bridge-group 10 source-learning no bridge-group 10 unicast-flooding radius-server local nas 10.0.0.1 key 0 mylongandsharedpassword user clinton password lewinsky user obama password osama !
From: Aaron Leonard on 1 Apr 2010 17:39 Normally you would use AAA accounting for this; however the local RADIUS server doesn't support accounting. We don't really have a good solution for this ... you could turn on radius debugs. (Of course, the debugs will go away on a reload ... you could stick "do debug ..." in your startup-config tho.) Aaron ---- ~ I have a 871W router with a wifi dot11 radio setup. It sIP address is ~ 10.0.0.1 ~ ~ When a station connects, I get logs such as: ~ ~ Mar 28 06:18:14 10.0.0.1 1417: %DOT11-6-DISASSOC: Interface Dot11Radio0, ~ Deauthenticating Station 0025.004d.4765 Reason: Previous authentication ~ no longer valid SSID[VaxinationWiFi] ~ ~ Mar 28 06:18:16 10.0.0.1 1418: %DOT11-6-ASSOC: Interface Dot11Radio0, ~ Station 0025.004d.4765 Associated SSID[VaxinationWiFi] ~ AUTH_TYPE[EAP-LEAP] KEY_MGMT[WPAv2] ~ ~ ~ However, I would like to also log the actual authentication (which ~ username is being used), especially invalid authentication attempts ~ (hacker trying to get in for instance). ~ ~ The router is setup with its own local radius server. ~ ~ What sort of statement do I need to add to cause a syslog message to be ~ issued for both proper and improper login attempts (either at the dot11 ~ level, or at the radius level). ~ ~ I have ~ login on-success ~ login on-failure ~ ~ Those do cause syslog mkessages to be issued, but for actual logins to ~ the router's CLI. ~ ~ ~ Any hints on what to look for would be appreciated. ~ ~ ~ ~ Relevant bits (I think) ~ ~ aaa new-model ~ ! ~ ! ~ aaa group server radius my_aaa_group ~ server-private 10.0.0.1 auth-port 1812 acct-port 1813 key ~ mylongandsharedpassword ~ ! ~ aaa authentication login eap_list_name group my_aaa_group ~ aaa authorization exec default local ~ ~ dot11 syslog ~ ! ~ dot11 ssid MickeyMouse ~ vlan 10 ~ authentication open eap eap_list_name ~ authentication network-eap eap_list_name ~ authentication key-management wpa optional ~ guest-mode ~ ~ interface Dot11Radio0 ~ no ip address ~ ! ~ encryption vlan 10 mode ciphers aes-ccm tkip wep128 ~ ! ~ broadcast-key vlan 10 change 600 ~ ! ~ ! ~ ssid MickeyMouse ~ ! ~ speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 ~ 36.0 48.0 54.0 ~ station-role root ~ world-mode dot11d country CA both ~ ! ~ interface Dot11Radio0.10 ~ description MickeyMouse on VLAN 10 ~ encapsulation dot1Q 10 ~ bridge-group 10 ~ bridge-group 10 subscriber-loop-control ~ bridge-group 10 spanning-disabled ~ bridge-group 10 block-unknown-source ~ no bridge-group 10 source-learning ~ no bridge-group 10 unicast-flooding ~ ~ radius-server local ~ nas 10.0.0.1 key 0 mylongandsharedpassword ~ user clinton password lewinsky ~ user obama password osama ~ !
From: JF Mezei on 5 Apr 2010 22:46 Aaron Leonard wrote: > Normally you would use AAA accounting for this; however the local > RADIUS server doesn't support accounting. OK, so basically, I have to setup a real Radius server on a server to get the acounting data. Will this also give me the invalid login attempts ?
From: Aaron Leonard on 7 Apr 2010 12:45 ~ > Normally you would use AAA accounting for this; however the local ~ > RADIUS server doesn't support accounting. ~ ~ OK, so basically, I have to setup a real Radius server on a server to ~ get the acounting data. This would also let you use PEAP clients (which are rather more prevalent than LEAP/EAP-FAST.) ~ Will this also give me the invalid login attempts ? Yep!
|
Pages: 1 Prev: PIX ASA : Need to setup a server in a DMZ such that Next: PIX act as VPN client |