3 Replies Latest reply on Nov 5, 2012 6:53 AM by asabban

    How to collect authentication attempts by the proxy logs.

    paulor1982

      Hello, I have a demand in the company where I work, and I need help.

       

      Often some users have your network password when trying to access a blocked wireless network company. This usually occurs because the user changed their password but the network on their mobile device was cached the old password.

       

      When I look in active directory to try to find what is the ip source that is blocking the user login, I have the following information that appears in the image below.

       

      telaproxyforum.JPG

       

      This log tells me that my user is blocked by a proxy server called but Overland does not tell me what is the ip of the source machine that is actually doing the blocking.

       

      I would like to develop a script on the proxy or find some setting that could collect logs attempts to access the proxy to let me know the ip source that is blocking the user.

       

      If you can help me thank.

       

      Message was edited by: paulor1982 on 10/30/12 1:41:25 PM CDT
        • 1. Re: How to collect authentication attempts by the proxy logs.
          asabban

          Hello,

           

          I am not sure if there is a better way to explicitly write a log entry when a user is locked out on MWG side, but we do have a property which is called "Authentication.FailureReason". You could create a rule which looks into it after authentication has been attempted. When the property is "0" everything went fine, if it is not there was an error.

           

          You could write a separate log file where you put a line with client IP and some additional information when authentication was not successful. Since you won´t get the user name (as authentication did not succeed) I think your best chance would be to take the timestamp from the output you posted and have a look at this timeperiod in your custom log. You will likely see a specific client IP making requests, which could help identifiying the machine causing the user to be locked out.

           

          Best,

          Andre

          • 2. Re: How to collect authentication attempts by the proxy logs.
            paulor1982

            Asabban Good morning, thank you for your help but I need some more information to create this rule.

             

            Are you saying that I have to create a rule with the option Authentication.FailureReason is equal 0?

             

            Then how do I create this event log?

             

            If you can spend a few details about it I am very grateful!

            • 3. Re: How to collect authentication attempts by the proxy logs.
              asabban

              Hello,

               

              it could look like this:

               

              Auswahl_179.png

               

              I placed this into my log handler. Everytime the FailureReason is NOT "0" ("0" indicates that authentication went fine) a line is written to a custom log. The line contains the client IP and date/time (of course you can modify the log as you like). In case you get notified that a user was locked out at a specific time period, try looking into the log and see if you can find a match.

               

              Best,

              Andre