Well, if you're using RADIUS to authenticate against AD, then probably all the requests are going to the DC unless you've got some local users on the ASA. Do you see corresponding failure entries in the Security and IAS logs? You might be able to get a lot from the IAS log, including ip information.
From: David W. McSpadden [mailto:[email protected]] Sent: Thursday, May 28, 2009 8:22 AM To: NT System Admin Issues Subject: Re: CISCO ASA message? Yes I do. I think it is a valid denial but I just started seeing them two days ago. About 6500 of them all different users. Just wondering how they are getting past the ASA to the DC... ----- Original Message ----- From: Richard Stovall <mailto:[email protected]> To: NT System Admin Issues <mailto:[email protected]> Sent: Thursday, May 28, 2009 8:14 AM Subject: RE: CISCO ASA message? Do you have any service using RADIUS? Is IAS installed on the DC? This could be a legit denial of an unauthorized connection attempt. From: David W. McSpadden [mailto:[email protected]] Sent: Thursday, May 28, 2009 8:11 AM To: NT System Admin Issues Subject: CISCO ASA message? Anyone have a CISCO ASA? I am getting this in the syslogs from it: AAA user authentication Rejected : reason = AAA failure : server = 10.0.50.205 : user = user How can I tell where this is being originated? 10.0.50.205 is my DC and there is no user called user? ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
