Why are authentication failure traps sent to SPECTRUM without containing the IP of the device that caused the authentication failure?

Article ID: 51952


Products

CA Spectrum

Issue/Introduction

Why are authentication failure traps sent to SPECTRUM without containing the IP of the device that caused the authentication failure?

Environment

Release: Any
Component:

Resolution

The reason is that the SNMP standard that defines the trap does not put the address of the offending sender in it. RFC 1157 (SNMPv1) defines the authenticationFailure trap (generic-trap 4) with the DESCRIPTION reproduced in the CISCOTRAP-MIB excerpt below and with no variable bindings, and the SNMPv2-MIB NOTIFICATION-TYPE for authenticationFailure in RFC 3418 likewise lists no OBJECTS. The only address in a v1 Trap-PDU is the agent-addr field, which identifies the agent that sent the trap, that is, the device that rejected the request, not the manager whose community string it rejected. A standard-conforming agent can therefore tell SPECTRUM that it received a badly authenticated request, but not from whom.


Newer Cisco devices do include the source IP because Cisco has built this into their software: the enterprise form of the trap in CISCOTRAP-MIB carries the authAddr object from OLD-CISCO-SYSTEM-MIB as a varbind. From the Cisco documentation:


AuthenticationFailure Traps
The trap itself is not much help without the varbind authAddr that comes with the trap. The varbind is an additional MIB object that comes from the OLD-CISCO-SYSTEM-MIB. The authAddr tells you the last SNMP authorization failure IP address. Here are both MIB definitions:

MIB Definition Number 1
This definition is from CISCOTRAP-MIB:

.1.3.6.1.2.1.11.0.4
authenticationFailure OBJECT-TYPE
-- FROM CISCOTRAP-MIB
TRAP
VARBINDS { authAddr }
DESCRIPTION "An authenticationFailure trap signifies that the sending protocol
entity is the addressee of a protocol message that is not properly authenticated.
While implementations of the SNMP must be capable of generating this trap, they
must also be capable of suppressing the emission of such traps via an
implementation-specific mechanism."
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) snmp(11) snmp#(0) 4 }

MIB Definition Number 2
This definition is from OLD-CISCO-SYSTEM-MIB:

.1.3.6.1.4.1.9.2.1.5
authAddr OBJECT-TYPE
-- FROM OLD-CISCO-SYSTEM-MIB
SYNTAX IpAddress
MAX-ACCESS read-only
STATUS Mandatory
DESCRIPTION "This variable contains the last SNMP
authorization failure IP address."
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) cisco(9) local(2)
  lsystem(1) 5 }
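To make the difference between the two definitions concrete, here is an added example (not CA Spectrum or Cisco code): a minimal BER encoder and decoder for an RFC 1157 Trap-PDU, used to build two constructed authenticationFailure traps from a hypothetical agent 10.0.0.5, one exactly as RFC 1157 specifies it (no varbinds) and one that also carries Cisco's authAddr varbind naming 192.0.2.77 as the rejected requester. The addresses, the community string "public" and the sysUpTime value are assumptions; parse_v1_trap shows that agent-addr is always the trap sender, and failing_requester returns the offending manager only when the Cisco varbind is present.

```python
"""Minimal SNMPv1 (RFC 1157) Trap-PDU encoder/decoder.
Added example, not CA Spectrum or Cisco code; addresses and values are constructed."""

CISCO_AUTH_ADDR = ".1.3.6.1.4.1.9.2.1.5"   # authAddr, OLD-CISCO-SYSTEM-MIB (from the article)
ENTERPRISE_SNMP = ".1.3.6.1.2.1.11"        # enterprise of the generic trap in CISCOTRAP-MIB

# ---- BER encoding (only needed to build the sample packets; lengths < 256) ----
def _length(n):
    return bytes([n]) if n < 0x80 else bytes([0x81, n])

def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def enc_int(v, tag=0x02):
    return tlv(tag, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def enc_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                       # base-128, high bit set on all but last byte
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def enc_ip(ip):                              # [APPLICATION 0] IpAddress
    return tlv(0x40, bytes(int(o) for o in ip.split(".")))

def build_v1_trap(community, enterprise, agent_addr, generic, specific, uptime, varbinds):
    """varbinds: list of (oid, BER-encoded value). Returns the full SNMPv1 message."""
    vbl = b"".join(tlv(0x30, enc_oid(o) + v) for o, v in varbinds)
    pdu = (enc_oid(enterprise) + enc_ip(agent_addr) + enc_int(generic)
           + enc_int(specific) + enc_int(uptime, 0x43) + tlv(0x30, vbl))
    return tlv(0x30, enc_int(0) + tlv(0x04, community.encode()) + tlv(0xA4, pdu))

# ---- BER decoding ----
def _read_tlv(buf, pos):
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                             # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for x in body[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(val)
            val = 0
    return "." + ".".join(map(str, arcs))

def dec_value(tag, body):
    if tag == 0x40:                          # IpAddress
        return ".".join(map(str, body))
    if tag in (0x02, 0x41, 0x42, 0x43):      # INTEGER, Counter, Gauge, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    return body.decode("latin-1")            # OCTET STRING and anything else, raw

def parse_v1_trap(pkt):
    _, msg, _ = _read_tlv(pkt, 0)
    _, version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if version != b"\x00" or tag != 0xA4:    # version 0 = SNMPv1, [4] = Trap-PDU
        raise ValueError("not an SNMPv1 Trap-PDU")
    fields, p = [], 0
    for _ in range(6):                       # enterprise, agent-addr, generic, specific, time, varbinds
        t, body, p = _read_tlv(pdu, p)
        fields.append((t, body))
    varbinds, q, vbl = {}, 0, fields[5][1]
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_body, r = _read_tlv(vb, 0)
        vt, vbody, _ = _read_tlv(vb, r)
        varbinds[dec_oid(oid_body)] = dec_value(vt, vbody)
    return {
        "community": community.decode("latin-1"),
        "enterprise": dec_oid(fields[0][1]),
        "agent_addr": dec_value(0x40, fields[1][1]),   # the trap SENDER, not the bad requester
        "generic_trap": dec_value(0x02, fields[2][1]),
        "varbinds": varbinds,
    }

def failing_requester(trap):
    """IP of the manager whose request was rejected, if the trap carries it.
    RFC 1157 gives the trap no varbinds, so only an agent that adds Cisco's
    authAddr (or a vendor equivalent) lets the receiver learn this."""
    if trap["generic_trap"] != 4:            # 4 = authenticationFailure
        return None
    return trap["varbinds"].get(CISCO_AUTH_ADDR)

# Constructed samples: agent 10.0.0.5 rejects a request from 192.0.2.77 (assumed addresses).
PLAIN_TRAP = build_v1_trap("public", ENTERPRISE_SNMP, "10.0.0.5", 4, 0, 123456, [])
CISCO_TRAP = build_v1_trap("public", ENTERPRISE_SNMP, "10.0.0.5", 4, 0, 123456,
                           [(CISCO_AUTH_ADDR, enc_ip("192.0.2.77"))])
```

Calling parse_v1_trap(PLAIN_TRAP) yields agent_addr "10.0.0.5" and an empty varbind list, so failing_requester returns None; parse_v1_trap(CISCO_TRAP) carries {".1.3.6.1.4.1.9.2.1.5": "192.0.2.77"} and failing_requester returns that address. The same decoder can be pointed at bytes taken from a packet capture of UDP/162 traffic to check whether a given device's traps include the varbind.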


If you receive authenticationFailure traps without the source IP and you need to know which manager is sending the bad requests, the trap alone cannot tell you: the only address it carries is that of the agent that rejected the request. Network analysis is needed to see exactly where and what is causing the failures. Capture SNMP traffic (requests to UDP/161 and traps to UDP/162) as close to the affected agent as possible, because the offending manager may not sit on the same path as the SpectroSERVER, and look at which source addresses send requests to that agent just before each trap.


Keep in mind that the SpectroSERVER may just be the trap destination and may be displaying the traps. This does not mean that SPECTRUM is the source of the authentication failures. You can enable a sniffer trace and examine the packets. If authenticationFailure traps arrive that are not preceded by a request from the SpectroSERVER to that device, then the SpectroSERVER is not the cause of those failures; conversely, if each trap follows a SpectroSERVER poll of the device, check the community string that the device's SPECTRUM model is using.
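As an added example of the correlation described in the two paragraphs above (not CA Spectrum code), the functions below take capture records in the shape (timestamp, source, destination, kind) and, for every authenticationFailure trap, list which managers sent requests to that agent in the preceding window. The SpectroSERVER address 10.1.1.10, the agent 10.0.0.5, the second manager 192.0.2.77, the two-second window and the timestamps are assumptions, and the records are constructed rather than taken from a real capture.

```python
"""Correlate authenticationFailure traps with the SNMP requests that preceded them.
Added example, not CA Spectrum code; all addresses and records are constructed."""
from datetime import datetime, timedelta

SPECTROSERVER = "10.1.1.10"      # assumed SpectroSERVER address
WINDOW = timedelta(seconds=2)    # a request this close before the trap counts as a candidate cause

# Constructed records: (timestamp, src, dst, kind). kind is "get"/"set" for a request
# to UDP/161, "trap" for an authenticationFailure trap to UDP/162.
CAPTURE = [
    ("2024-01-01 10:00:00.100", "10.1.1.10",  "10.0.0.5",  "get"),
    ("2024-01-01 10:00:00.120", "10.0.0.5",   "10.1.1.10", "trap"),  # follows a SpectroSERVER poll
    ("2024-01-01 10:00:30.480", "192.0.2.77", "10.0.0.5",  "get"),   # another manager, visible only near the agent
    ("2024-01-01 10:00:30.500", "10.0.0.5",   "10.1.1.10", "trap"),  # unsolicited from SPECTRUM's point of view
]

def _parse(rec):
    ts, src, dst, kind = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), src, dst, kind

def attribute_traps(capture, window=WINDOW):
    """For each trap return (trap time, agent, set of request sources that hit that
    agent within `window` before the trap). An empty set means the request came
    over a path the capture point cannot see: capture closer to the agent."""
    recs = sorted(_parse(r) for r in capture)
    out = []
    for t, src, dst, kind in recs:
        if kind != "trap":
            continue
        cands = {s for t2, s, d, k in recs
                 if k != "trap" and d == src and t - window <= t2 <= t}
        out.append((t, src, cands))
    return out

def unsolicited_by(capture, manager=SPECTROSERVER, window=WINDOW):
    """Traps NOT preceded by a request from `manager`: evidence that something
    other than the SpectroSERVER is causing the failures."""
    return [(t, agent) for t, agent, c in attribute_traps(capture, window) if manager not in c]

def manager_is_sole_cause(capture, manager=SPECTROSERVER, window=WINDOW):
    """True only when every trap follows a request from `manager` and from nobody else."""
    return all(c == {manager} for _, _, c in attribute_traps(capture, window))
```

On the constructed records the first trap is attributed to 10.1.1.10 and the second to 192.0.2.77, so unsolicited_by(CAPTURE) returns the second trap and manager_is_sole_cause(CAPTURE) is False: the SpectroSERVER is displaying the traps, but it is not the only source of the failures. Real capture lines from tcpdump or tshark can be mapped into the same four-field shape before being fed to attribute_traps.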