1. Home
  2. Cisco Systems
  3. Logging wifi accesses

Logging wifi accesses

I have a 871W router with a wifi dot11 radio setup. It sIP address is

10.0.0.1

When a station connects, I get logs such as:

Mar 28 06:18:14 10.0.0.1 1417: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0025.004d.4765 Reason: Previous authentication no longer valid SSID[VaxinationWiFi]

Mar 28 06:18:16 10.0.0.1 1418: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0025.004d.4765 Associated SSID[VaxinationWiFi] AUTH_TYPE[EAP-LEAP] KEY_MGMT[WPAv2]

However, I would like to also log the actual authentication (which username is being used), especially invalid authentication attempts (hacker trying to get in for instance).

The router is setup with its own local radius server.

What sort of statement do I need to add to cause a syslog message to be issued for both proper and improper login attempts (either at the dot11 level, or at the radius level).

I have login on-success login on-failure

Those do cause syslog mkessages to be issued, but for actual logins to the router's CLI.

Any hints on what to look for would be appreciated.

Relevant bits (I think)

aaa new-model ! ! aaa group server radius my_aaa_group server-private 10.0.0.1 auth-port 1812 acct-port 1813 key mylongandsharedpassword ! aaa authentication login eap_list_name group my_aaa_group aaa authorization exec default local

dot11 syslog ! dot11 ssid MickeyMouse vlan 10 authentication open eap eap_list_name authentication network-eap eap_list_name authentication key-management wpa optional guest-mode

interface Dot11Radio0 no ip address ! encryption vlan 10 mode ciphers aes-ccm tkip wep128 ! broadcast-key vlan 10 change 600 ! ! ssid MickeyMouse ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0

36.0 48.0 54.0 station-role root world-mode dot11d country CA both ! interface Dot11Radio0.10 description MickeyMouse on VLAN 10 encapsulation dot1Q 10 bridge-group 10 bridge-group 10 subscriber-loop-control bridge-group 10 spanning-disabled bridge-group 10 block-unknown-source no bridge-group 10 source-learning no bridge-group 10 unicast-flooding

radius-server local nas 10.0.0.1 key 0 mylongandsharedpassword user clinton password lewinsky user obama password osama !

Reply to
JF Mezei
Loading thread data ...

Normally you would use AAA accounting for this; however the local RADIUS server doesn't support accounting.

We don't really have a good solution for this ... you could turn on radius debugs. (Of course, the debugs will go away on a reload ... you could stick "do debug ..." in your startup-config tho.)

Aaron

Reply to
Aaron Leonard

OK, so basically, I have to setup a real Radius server on a server to get the acounting data. Will this also give me the invalid login attempts ?

Reply to
JF Mezei

~ > Normally you would use AAA accounting for this; however the local ~ > RADIUS server doesn't support accounting. ~ ~ OK, so basically, I have to setup a real Radius server on a server to ~ get the acounting data.

This would also let you use PEAP clients (which are rather more prevalent than LEAP/EAP-FAST.)

~ Will this also give me the invalid login attempts ?

Yep!

Reply to
Aaron Leonard

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.