
Cisco ACS failed logins to corp wifi

Ghanayem1974
Path Finder

I am not sure how to capture the device info associated with the MAC address, for example, Apple device\MAC address. I also want to capture the type of failure, for example Invalid Password or Wrong Password. The calling station ID is the MAC address of the device in question, but I don't know how to capture the name; I am not looking for the name of the AP or WLC. Thanks.
index=acs action=failure | stats count by user NetworkDeviceName "Calling_Station_ID" | rename "Calling_Station_ID" AS MAC | sort -count | where count > 100

0 Karma

deepashri_123
Motivator

Hey @Ghanayem1974,

Can you share the sample format of the logs and what exactly you want to extract?

0 Karma