RADIUS / TACACS+ Authentication Logs

network; Authentication & Access; SIEM / Log Aggregator

Location

RADIUS server logs (FreeRADIUS, NPS, Cisco ISE) or TACACS+ server logs (Cisco ISE, tac_plus)

Description

AAA (Authentication, Authorization, Accounting) protocol logs from RADIUS and TACACS+ servers, recording every network device authentication attempt, authorization decision, and accounting record. TACACS+ additionally captures a full command-line audit trail for network device administration.

Forensic Value

RADIUS/TACACS+ logs are the authoritative source for network infrastructure authentication. TACACS+ command accounting records every CLI command executed on routers, switches, and firewalls, providing a complete audit trail of network device administration. RADIUS accounting records VPN session data, wireless association details, and 802.1X NAC decisions. Failed authentication events reveal brute-force attacks against network infrastructure. These logs are critical when investigating network device compromise or unauthorized configuration changes.
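
The failed-authentication use case above, as an added example that is not part of the original page: a small parser that flags bursts of failures per source and any success that follows a burst. The log layout is assumed to match FreeRADIUS 3.x `radius.log` with auth logging enabled; the sample lines, the threshold and window values, and the name `detect_bruteforce` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; layout assumed to match FreeRADIUS 3.x radius.log (auth = yes).
SAMPLE_LOG = """\
Tue Mar  5 10:14:00 2024 : Auth: (9) Login incorrect (pap: password mismatch): [alice] (from client vpn-gw port 0 cli 203.0.113.20)
Tue Mar  5 10:14:10 2024 : Auth: (10) Login OK: [alice] (from client vpn-gw port 0 cli 203.0.113.20)
Tue Mar  5 10:15:01 2024 : Auth: (11) Login incorrect (pap: password mismatch): [admin] (from client core-sw1 port 0 cli 198.51.100.7)
Tue Mar  5 10:15:03 2024 : Auth: (12) Login incorrect (pap: password mismatch): [admin] (from client core-sw1 port 0 cli 198.51.100.7)
Tue Mar  5 10:15:05 2024 : Auth: (13) Login incorrect (pap: password mismatch): [admin] (from client core-sw1 port 0 cli 198.51.100.7)
Tue Mar  5 10:15:07 2024 : Auth: (14) Login incorrect (pap: password mismatch): [admin] (from client core-sw1 port 0 cli 198.51.100.7)
Tue Mar  5 10:15:09 2024 : Auth: (15) Login incorrect (pap: password mismatch): [admin] (from client core-sw1 port 0 cli 198.51.100.7)
Tue Mar  5 10:15:20 2024 : Auth: (16) Login OK: [admin] (from client core-sw1 port 0 cli 198.51.100.7)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: \(\d+\)\s+"
    r"Login (?P<result>OK|incorrect)[^\[]*\[(?P<user>[^\]/]*)[^\]]*\] "
    r"\(from client (?P<client>\S+) port \d+(?: cli (?P<cli>[^)\s]+))?"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert on >= threshold failures from one source inside `window`, and on
    any later success from a source that already tripped the threshold."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an Auth line in the assumed layout
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        # Key on Calling-Station-Id (cli) when logged, else the NAS client name.
        source = m["cli"] or m["client"]
        if m["result"] == "incorrect":
            q = recent[source]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and source not in flagged:
                flagged.add(source)
                alerts.append(("bruteforce", source, m["user"], ts))
        elif source in flagged:
            alerts.append(("success_after_bruteforce", source, m["user"], ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

A `success_after_bruteforce` alert is the one to escalate first, since it marks the point from which TACACS+ command accounting or device configuration history for that account should be reviewed.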

Tools Required

SIEM (Splunk, Elastic); Cisco ISE Admin Console; FreeRADIUS debug logs; grep