Cisco login on-failure using syslog doesn't show username on failure?
Solution 1
This is a known bug: https://supportforums.cisco.com/thread/217502
I was able to reproduce it in my lab as well.
Solution 2
It has been known in the *nix and network community for a long time that logging usernames can sometimes divulge the password of an account.
For example: Someone types the username, and accidentally hits return twice. This will result in two login failures being logged, one for the username, and one for the password in the username field.
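An added example, not part of the original thread: a small Python detector for the SEC_LOGIN messages quoted in the question. It parses both success and failure records, tolerates the empty `[user: ]` field this IOS release emits on failure, and raises an alert when one source IP accumulates three failures within 60 seconds, mirroring the `login block-for 60 attempts 3 within 60` line in Jim's configuration. It keys on the source address rather than the username, because the user field is empty on this release and, as Solution 2 notes, may contain a password when it is populated. Assumptions: the `LOGIN_SUCCESS` message shape ("Login Success [user: ...]") is not on the page and is assumed; the collector header (ISO timestamp, hostname, message) and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message body regex for the two IOS SEC_LOGIN events. The LOGIN_FAILED shape
# is copied from the question; the LOGIN_SUCCESS shape ("Login Success") is an
# assumption. The user field may be empty: per the thread, this IOS release
# logs "[user: ]" on failure.
SEC_LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED): Login (?:Success|failed) "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<port>\d+)\]"
    r"(?: \[Reason: (?P<reason>[^\]]+)\])?"
)

# Constructed collector header (not from the page): ISO timestamp, host, message.
HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>%SEC_LOGIN.*)$")

# Constructed sample log. The last line shows the Solution 2 case: a password
# typed into the username prompt, which must not be copied into an alert.
SAMPLE_LOG = """\
2022-09-18T12:00:01 sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.0.0.6] [localport: 23] [Reason: Login Authentication Failed]
2022-09-18T12:00:05 sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.0.0.6] [localport: 23] [Reason: Login Authentication Failed]
2022-09-18T12:00:20 sw1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jim] [Source: 10.0.0.9] [localport: 23]
2022-09-18T12:00:40 sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.0.0.6] [localport: 23] [Reason: Login Authentication Failed]
2022-09-18T12:02:00 sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.0.0.6] [localport: 23] [Reason: Login Authentication Failed]
2022-09-18T12:02:10 sw1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Sup3rS3cret!] [Source: 10.0.0.7] [localport: 23] [Reason: Login Authentication Failed]
"""


def parse_line(line):
    """Return a dict for one SEC_LOGIN record, or None for any other line."""
    head = HEADER_RE.match(line.strip())
    if not head:
        return None
    body = SEC_LOGIN_RE.search(head.group("msg"))
    if not body:
        return None
    rec = body.groupdict()
    rec["ts"] = datetime.fromisoformat(head.group("ts"))
    rec["host"] = head.group("host")
    rec["user"] = rec["user"].strip()  # "" when IOS logs "[user: ]"
    return rec


def parse_log(text):
    """Parse every recognisable SEC_LOGIN line in a log text, in order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failures_by_source(records):
    """Count LOGIN_FAILED records per source IP."""
    counts = defaultdict(int)
    for rec in records:
        if rec["event"] == "LOGIN_FAILED":
            counts[rec["source"]] += 1
    return dict(counts)


def failure_bursts(records, attempts=3, within=60):
    """Sliding-window detector keyed on source IP, mirroring
    `login block-for 60 attempts 3 within 60`: returns (source, time) for
    every source that reaches `attempts` failures inside `within` seconds.
    The user field is deliberately not used as a key or copied into the
    result: it is empty on this IOS release and may hold a mistyped password."""
    window = timedelta(seconds=within)
    recent = defaultdict(deque)
    bursts = []
    for rec in records:
        if rec["event"] != "LOGIN_FAILED":
            continue
        q = recent[rec["source"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= attempts:
            bursts.append((rec["source"], rec["ts"]))
            q.clear()  # one alert per burst, like the IOS quiet period
    return bursts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failures per source:", failures_by_source(recs))
    for src, ts in failure_bursts(recs):
        print(f"{ts.isoformat()} burst of failed logins from {src}")
```

Run against the sample, the detector reports one burst from 10.0.0.6 at 12:00:40 (the third failure inside the window); the later 12:02:00 failure starts a new window and does not alert, and the 10.0.0.7 line is counted without its user field ever appearing in the output.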
Jim
Updated on September 18, 2022
Comments
- Jim, over 1 year:
Interesting issue I am running into. I am trying to get syslog remote logging working with a Cisco switch. I have it working and logging for both on-success and on-failure. However, when it is a failed login attempt it does not show the user name that tried to log in in the logs?
Here is what the log looks like after a failed login:
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.0.0.6] [localport: 23] [Reason: Login Authentication Failed]
Here is what I have in the sh run:
login block-for 60 attempts 3 within 60
login delay 1
login on-failure log
login on-success log
archive
 log config
  logging enable
  notify syslog contenttype plaintext
logging trap notifications
logging facility local4
logging 10.0.0.8
aaa new-model
aaa authentication login default local group tacacs+
aaa authorization config-commands
aaa authorization exec default local group tacacs+
- Jim, over 11 years: Yes, both TACACS and local, see edits.
- Jim, over 11 years: Doesn't show username in logs for either local or TACACS authentication.
- jwbensley, over 11 years: What about console access? Also, is this via SSH or Telnet? Have you tried the other?
- Jim, over 11 years: Telnet, no SSH on this firmware version. This is our current firmware bin: c3750-ipbase-mz.122-50.SE5.bin
- Mike Pennington, over 11 years: You may want to flip the order of tacacs / local login... presumably that is a shared local username / password, and if you don't make it a last-resort login, it's likely to be abused when people want to hide their identity during changes.