RADIUS / TACACS+ Authentication Logs

networkAuthentication & AccessSIEM / Log Aggregator

Location

RADIUS server logs (FreeRADIUS, NPS, Cisco ISE) or TACACS+ server logs (Cisco ISE, tac_plus)

Description

AAA (Authentication, Authorization, Accounting) protocol logs from RADIUS and TACACS+ servers recording every network device authentication attempt, authorization decision, and accounting record. TACACS+ additionally captures full command-line audit for network device administration.

Forensic Value

RADIUS/TACACS+ logs are the authoritative source for network infrastructure authentication. TACACS+ command accounting records every CLI command executed on routers, switches, and firewalls, providing a complete audit trail of network device administration. RADIUS accounting records VPN session data, wireless association details, and 802.1X NAC decisions. Failed authentication events detect brute-force attacks against network infrastructure. These logs are critical when investigating network device compromise or unauthorized configuration changes.

Tools Required

SIEM (Splunk, Elastic)Cisco ISE Admin ConsoleFreeRADIUS debug logsgrep

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical