On Wed, Feb 23, 2011 at 14:21, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
> Hi,
>
>> wouldn't the IP of the host it speaks of in the logs? or does it just say
>> "failed log in from somewhere out on the network"…?
>>
>> my logs have a src…
>>
>> %SEC-6-IPACCESSLOGP: list denied tcp 88.243.16.148(3900) ->
>> 10.142.7.1(23), 1 packet
>
> the device is on a legit bit of network so will be allowed by the
> current VTY/management plane ACLs ... AAA system sees query from the switch
> not from the originator of the login. it's trivial i know that (which
> is the frustrating part! :-) )

You can log the successful ACL attempts too, even though the login failed. This is provided the box is not too overly active with valid login attempts.

    ! permit any source and log each match on the VTY lines
    access-list 80 permit any log
    line vty 0 4
     access-class 80 in

Then you get a log like so, indicating the ACL was passed, not necessarily that a login was completed:

    Aug 14 09:34:45.082 CDT: %SEC-6-IPACCESSLOGS: list 80 permitted x.x.x.x 2 packets

HTH,
Andy
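
Added example, not part of the original post: a Python sketch that parses the `%SEC-6-IPACCESSLOGS` permit messages from the VTY ACL and lists which source addresses passed it shortly before a failed login that the AAA server recorded against the switch. The sample lines, the 60-second window, the year and the function names are constructed for illustration, and it assumes the switch and AAA server clocks are in sync.

```python
import re
from datetime import datetime, timedelta

# Matches the standard-ACL permit message format shown in the post.
ACL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+) \S+: %SEC-6-IPACCESSLOGS: "
    r"list (?P<acl>\S+) permitted (?P<src>\d+\.\d+\.\d+\.\d+) \d+ packets?$"
)

def parse_ts(text, year):
    # The log timestamp carries no year; the caller supplies one (assumption).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S.%f")

def acl_hits(lines, acl="80", year=2011):
    """Return (time, source) for each permit logged by the given ACL."""
    hits = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m and m["acl"] == acl:
            hits.append((parse_ts(m["ts"], year), m["src"]))
    return hits

def candidates(hits, failure_time, window=timedelta(seconds=60)):
    """Sources that passed the ACL within `window` before a failed login."""
    return sorted({src for ts, src in hits
                   if timedelta(0) <= failure_time - ts <= window})

# Constructed sample log lines (documentation address ranges).
SAMPLE = """\
Aug 14 09:34:45.082 CDT: %SEC-6-IPACCESSLOGS: list 80 permitted 192.0.2.10 2 packets
Aug 14 09:40:02.511 CDT: %SEC-6-IPACCESSLOGS: list 80 permitted 198.51.100.7 1 packet
Aug 14 09:40:03.100 CDT: %SEC-6-IPACCESSLOGS: list 99 permitted 203.0.113.5 1 packet
""".splitlines()

if __name__ == "__main__":
    hits = acl_hits(SAMPLE)
    # Constructed time of a failed login as seen by the AAA server.
    failed = datetime(2011, 8, 14, 9, 40, 20)
    print(candidates(hits, failed))
```

A permit entry only shows that the address reached the VTY, so the result is a shortlist of candidate sources, not proof of who made the failed attempt.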