Logging wifi accesses

03-29-2010

I have a 871W router with a wifi dot11 radio setup. It sIP address is
10.0.0.1

When a station connects, I get logs such as:

Mar 28 06:18:14 10.0.0.1 1417: %DOT11-6-DISASSOC: Interface Dot11Radio0,
Deauthenticating Station 0025.004d.4765 Reason: Previous authentication
no longer valid SSID[VaxinationWiFi]

Mar 28 06:18:16 10.0.0.1 1418: %DOT11-6-ASSOC: Interface Dot11Radio0,
Station 0025.004d.4765 Associated SSID[VaxinationWiFi]
AUTH_TYPE[EAP-LEAP] KEY_MGMT[WPAv2]

However, I would like to also log the actual authentication (which
username is being used), especially invalid authentication attempts
(hacker trying to get in for instance).

The router is setup with its own local radius server.

What sort of statement do I need to add to cause a syslog message to be
issued for both proper and improper login attempts (either at the dot11
level, or at the radius level).

I have
login on-success
login on-failure

Those do cause syslog mkessages to be issued, but for actual logins to
the router's CLI.

Any hints on what to look for would be appreciated.

Relevant bits (I think)

aaa new-model
!
!
aaa group server radius my_aaa_group
server-private 10.0.0.1 auth-port 1812 acct-port 1813 key
mylongandsharedpassword
!
aaa authentication login eap_list_name group my_aaa_group
aaa authorization exec default local

dot11 syslog
!
dot11 ssid MickeyMouse
vlan 10
authentication open eap eap_list_name
authentication network-eap eap_list_name
authentication key-management wpa optional
guest-mode

interface Dot11Radio0
no ip address
!
encryption vlan 10 mode ciphers aes-ccm tkip wep128
!
broadcast-key vlan 10 change 600
!
!
ssid MickeyMouse
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
36.0 48.0 54.0
station-role root
world-mode dot11d country CA both
!
interface Dot11Radio0.10
description MickeyMouse on VLAN 10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding

radius-server local
nas 10.0.0.1 key 0 mylongandsharedpassword
user clinton password lewinsky
user obama password osama
!

04-06-2010

Aaron Leonard wrote:
> Normally you would use AAA accounting for this; however the local
> RADIUS server doesn't support accounting.

OK, so basically, I have to setup a real Radius server on a server to
get the acounting data. Will this also give me the invalid login attempts ?

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Desktop accesses laptop and reads folders but Laptop only accesses/opens Desktop but cannot read folders, access is denied	onclejon	Wireless Networking	3	11-01-2006 10:50 PM
Multi accesses concurrently to a XML file	xuanqn09@gmail.com	Java	1	04-19-2006 11:34 AM
ASPX accesses to network file resources	A.M-SG	ASP .Net	4	11-02-2005 01:05 AM
Something accesses the hard disk every 2 sec (longish	Leachim Sredna	Computer Support	6	05-28-2004 02:24 AM
linux perl accesses ms-access db	Gary	Perl	0	11-21-2003 06:35 PM