Authentication Logs

Synopsis

netapi ise mnt auth-logs <MAC> [OPTIONS]
netapi ise mnt failed [OPTIONS]

Description

Retrieve authentication logs for troubleshooting. Two commands:

  • auth-logs - Get auth history for a specific MAC address

  • failed - Get all failed authentication attempts

Commands

auth-logs (per MAC)

Get authentication logs for a specific endpoint.

# Last 24 hours (default)
netapi ise mnt auth-logs 70:15:FB:F8:47:EC

# Last 48 hours, more records
netapi ise mnt auth-logs 70:15:FB:F8:47:EC --hours 48 --limit 20

# Last week
netapi ise mnt auth-logs 70:15:FB:F8:47:EC --hours 168

Option        Description             Default
--hours, -h   Hours to look back      24
--limit, -l   Max records to return   10

failed (all endpoints)

Get all failed authentication attempts across all endpoints.

# Last 24 hours (default)
netapi ise mnt failed

# Last 4 hours, limit 50
netapi ise mnt failed --hours 4 --limit 50

# Full day with more results
netapi ise mnt failed --hours 24 --limit 200

Option        Description             Default
--hours, -h   Hours to look back      24
--limit, -l   Max records to return   100

Use Cases

Troubleshoot Endpoint Not Connecting

#!/bin/bash
# Require the endpoint MAC as the first argument; exit with usage otherwise
MAC="${1:?Usage: $0 <MAC>}"

echo "=== Current Session ==="
netapi ise mnt session "$MAC"

echo ""
echo "=== Auth History (48h) ==="
netapi ise mnt auth-logs "$MAC" --hours 48

echo ""
echo "=== Auth Status ==="
netapi ise mnt auth-status "$MAC"

Morning Failed Auth Report

#!/bin/bash
# Check overnight failures
echo "Failed authentications in last 8 hours:"
netapi ise mnt failed --hours 8 --limit 100

Find RADIUS Spray Attacks

#!/bin/bash
# High volume of failures might indicate attack
echo "Checking for unusual failure patterns..."
netapi ise mnt failed --hours 1 --limit 500

# Check rejected endpoints
netapi ise get-rejected-endpoints
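
A raw dump of 500 failures does not separate a spray from one misconfigured endpoint retrying all night. The script below is an added example, not part of netapi: it groups failure records by MAC and labels each as SPRAY or REPEAT. The page does not show the output format of `netapi ise mnt failed`, so the CSV input (timestamp,mac,username,nas_ip), the function names and the thresholds are assumptions, and the sample records are constructed.

```shell
#!/bin/bash
# ASSUMED input (the page does not show `netapi ise mnt failed` output):
# CSV records of  timestamp,mac,username,nas_ip  on stdin.

# classify_failures MIN_FAILS MIN_USERS
# Prints one line per MAC with at least MIN_FAILS failures:
#   SPRAY  = failures spread over >= MIN_USERS distinct usernames
#   REPEAT = same identity failing repeatedly (bad cert, stale password)
classify_failures() {
  awk -F',' -v min_fails="$1" -v min_users="$2" '
    NF < 4 { next }                          # skip blank or malformed lines
    {
      mac = toupper($2); user = tolower($3)  # normalize case before counting
      fails[mac]++
      if (!((mac, user) in seen)) { seen[mac, user] = 1; users[mac]++ }
    }
    END {
      for (mac in fails) {
        if (fails[mac] < min_fails) continue
        label = (users[mac] >= min_users) ? "SPRAY" : "REPEAT"
        printf "%s %s fails=%d users=%d\n", label, mac, fails[mac], users[mac]
      }
    }' | sort
}

# Constructed sample records (not real ISE output).
sample_records() {
  cat <<'EOF'
2024-01-01T02:00:01,AA:BB:CC:00:00:01,alice,10.0.0.5
2024-01-01T02:00:03,aa:bb:cc:00:00:01,bob,10.0.0.5
2024-01-01T02:00:05,AA:BB:CC:00:00:01,carol,10.0.0.5
2024-01-01T02:00:07,AA:BB:CC:00:00:01,dave,10.0.0.5
2024-01-01T02:10:00,AA:BB:CC:00:00:02,printer01,10.0.0.6
2024-01-01T02:20:00,AA:BB:CC:00:00:02,printer01,10.0.0.6
2024-01-01T02:30:00,AA:BB:CC:00:00:02,PRINTER01,10.0.0.6
2024-01-01T03:00:00,AA:BB:CC:00:00:03,erin,10.0.0.7
EOF
}

sample_records | classify_failures 3 3
```

A MAC labelled SPRAY is the one to follow up with `netapi ise mnt auth-logs <MAC>`; REPEAT entries are usually supplicant or credential problems on a single endpoint.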