Why are authentication failure traps sent to SPECTRUM without containing the IP of the device that caused the authentication failure? (Legacy KB ID CNC TS31802 )

Document ID : KB000051952
Last Modified Date : 14/02/2018
Show Technical Document Details
The reason for this is that the RFC that describes authentication does not define the source IP as being a requirement. 


As can be seen in RFC 1994:


Name

      The Name field is one or more octets representing the identification of the system transmitting the packet.  There are no limitations on the content of this field.  For example, it MAY contain ASCII character strings or globally unique identifiers in ASN.1 syntax.  The Name should not be NUL or CR/LF terminated.


Newer Cisco devices do provide the source IP because Cisco has built this functionality in to their firmware:


AuthenticationFailure Traps
The trap itself is not much help without the varbind authAddr that comes with the trap. The varbind is an additional MIB object that comes from the Old-Cisco-System MIB. The authAddr tells you the last SNMP authorization failure IP address. Here are both MIB definitions:


MIB Definition Number 1
This definition is from CISCOTRAP-MIB Definitions:


.1.3.6.1.2.1.11.0.4
authenticationFailure OBJECT-TYPE
-- FROM CISCOTRAP-MIB
TRAP
VARBINDS { authAddr }
DESCRIPTION "An authenticationFailure trap signifies that the sending protocol
entity is the addressee of a protocol message that is not properly authenticated.
While implementations of the SNMP must be capable of generating this trap, they
must also be capable of suppressing the emission of such traps via an implementation-
specific mechanism."
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) snmp(11) snmp#(0) 4}MIB Definition Number 2
This definition is from OLD-CISCO-SYSTEM-MIB Definitions:


.1.3.6.1.4.1.9.2.1.5
authAddr OBJECT-TYPE
-- FROM OLD-CISCO-SYSTEM-MIB
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS Mandatory
DESCRIPTION "This variable contains the last SNMP
authorization failure IP address."
::= { ISO(1) org(3) DOD(6) Internet(1) private(4) enterprises(1) cisco(9) local(2)
  lsystem(1) 5 }


If you receive the authentication failure traps without the source IP and you need to know which device is causing the failures, network analysis needs to be done to see exactly where/what is causing the authentication failure traps. 


Keep in mind that the SpectroSERVER may just be the trap destination box and may be displaying the traps.  This does not mean that SPECTRUM is the source of the authentication failures.  You can enable a sniffer trace and take a look at the packets.  If there are unsolicited traps for authentication failures, then the SpectroSERVER is not the cause of the failures.

.

Related Issues/Questions:

Why are authentication failure traps sent to SPECTRUM without containing the IP of the device that caused the authentication failure?


Cisco traps show the IP of the offending device.
Authentication failure traps do not contain the source IP that is causing the issue.
SPECTRUM is showing authentication failures but it is not showing the source IP of the failure.

Problem Environment:
SPECTRUM 9.0 Core
SPECTRUM 8.1
SPECTRUM 8.0


(Legacy KB ID CNC TS31802 )