RADIUS / TACACS+ Authentication Logs

Network, Authentication & Access, SIEM / Log Aggregator

Location

RADIUS server logs (FreeRADIUS, NPS, Cisco ISE) or TACACS+ server logs (Cisco ISE, tac_plus)

Description

AAA (Authentication, Authorization, Accounting) protocol logs from RADIUS and TACACS+ servers recording every network device authentication attempt, authorization decision, and accounting record. TACACS+ additionally captures full command-line audit for network device administration.

Forensic Value

RADIUS/TACACS+ logs are the authoritative source for network infrastructure authentication. TACACS+ command accounting records every CLI command executed on routers, switches, and firewalls, providing a complete audit trail of network device administration. RADIUS accounting records VPN session data, wireless association details, and 802.1X NAC decisions. Failed authentication events reveal brute-force attacks against network infrastructure. These logs are critical when investigating network device compromise or unauthorized configuration changes.

Tools Required

SIEM (Splunk, Elastic), Cisco ISE Admin Console, FreeRADIUS debug logs, grep

Collection Commands

FreeRADIUS

grep -E "Login (OK|incorrect)" /var/log/freeradius/radius.log > radius_auth_events.txt
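Added example (not part of the original page): a small detector that parses the "Login OK" / "Login incorrect" lines the grep above extracts and flags NAS/user pairs with repeated failures in a short window, the brute-force signal described under Forensic Value. It assumes the FreeRADIUS 3.x radius.log line layout; the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed FreeRADIUS 3.x layout:
#   <date> : Auth: (<id>) Login OK: [user] (from client NAS port N cli ...)
#   <date> : Auth: (<id>) Login incorrect (<reason>): [user/...] (from client NAS ...)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: (?:\(\d+\) )?"
    r"Login (?P<result>OK|incorrect)(?: \([^)]*\))?: \[(?P<user>[^\]/]+)[^\]]*\] "
    r"\(from client (?P<client>\S+)"
)

# Constructed sample log lines (not real data): three rapid failures for "admin"
# from NAS core-rtr1, one isolated typo by "bob" followed by a success.
SAMPLE_LOG = """\
Thu Mar 14 10:22:31 2024 : Auth: (12) Login OK: [alice] (from client switch01 port 5 cli 00-11-22-33-44-55)
Thu Mar 14 10:22:35 2024 : Auth: (13) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [admin/<via Auth-Type = mschap>] (from client core-rtr1 port 0 cli 10.0.0.9)
Thu Mar 14 10:22:36 2024 : Auth: (14) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [admin/<via Auth-Type = mschap>] (from client core-rtr1 port 0 cli 10.0.0.9)
Thu Mar 14 10:22:38 2024 : Auth: (15) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [admin/<via Auth-Type = mschap>] (from client core-rtr1 port 0 cli 10.0.0.9)
Thu Mar 14 10:40:02 2024 : Auth: (16) Login incorrect (pap: Cleartext password does not match): [bob/<via Auth-Type = pap>] (from client switch01 port 7 cli 00-11-22-33-44-66)
Thu Mar 14 10:41:10 2024 : Auth: (17) Login OK: [bob] (from client switch01 port 7 cli 00-11-22-33-44-66)
"""

def parse_auth_events(lines):
    """Return (timestamp, result, user, nas_client) tuples for matching lines."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # accounting, debug or unrelated lines are skipped
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("result"), m.group("user"), m.group("client")))
    return events

def find_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Map (nas_client, user) -> max failures inside any `window`, for pairs
    reaching `threshold`. Sliding window over each pair's sorted failure times."""
    failures = defaultdict(list)
    for ts, result, user, client in sorted(events):
        if result == "incorrect":
            failures[(client, user)].append(ts)
    hits = {}
    for key, times in failures.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits

if __name__ == "__main__":
    for (client, user), n in find_bruteforce(parse_auth_events(SAMPLE_LOG.splitlines())).items():
        print(f"possible brute force: {n} failures for {user!r} via NAS {client}")
```

Run it against radius_auth_events.txt instead of SAMPLE_LOG to triage a real extract; tune threshold and window to the environment's normal failure rate.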

Cisco ISE

curl -k -X GET "https://<ise-host>/admin/API/mnt/Session/AuthList" -H "Accept: application/xml" -u "<admin-user>:<password>" > ise_auth_sessions.xml

Splunk

index=radius earliest=-30d | stats count by User_Name, NAS_IP_Address, Acct_Status_Type | sort -count | head 100

MITRE ATT&CK Techniques

T1078, T1110, T1133, T1021, T1562.004