5633 A request was made to authenticate to a wired network
Logged when authentication to a wired network is requested. It records wired-LAN authentication attempts made through 802.1X or a similar mechanism.
Overview
The subcategory is Audit Other Logon/Logoff Events. The event is generated when an authentication request is made to a wired network using 802.1X or a similar mechanism. It is the wired counterpart to the wireless event 5632. There are success (S) and failure (F) variants.
How it is triggered
- An authentication request when a device connects to a wired LAN (a switch port with 802.1X authentication, etc.).
Security review points
- The event shows which account/device attempted to authenticate to the wired network. In a NAC (network access control) environment, watch for connections by unexpected devices and bursts of failures.
- Use it together with the wireless counterpart, 5632, to track network-connection authentication.
Notes for log review
- The event is meaningful only in environments that run 802.1X. Compare the device and account against normal patterns.
- Watch for clusters of failures and connections by unauthorized devices.
Key fields
| Field | Meaning |
|---|---|
| Account Name | The account that requested authentication |
| Network information | The target wired network |
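
The review points above (unexpected devices, bursts of failures) can be checked mechanically once 5633 records are exported. The following is an added example, not part of the original page: the tuple layout, the baseline set, the 5-minute window, the threshold of 3 and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (time, S/F variant, Account Name, Network information)
EVENTS = [
    ("2024-05-01T09:00:05", "S", "CORP\\alice", "Office-LAN"),
    ("2024-05-01T09:10:00", "F", "CORP\\bob", "Office-LAN"),
    ("2024-05-01T09:10:40", "F", "CORP\\bob", "Office-LAN"),
    ("2024-05-01T09:11:30", "F", "CORP\\bob", "Office-LAN"),
    ("2024-05-01T09:13:00", "F", "CORP\\bob", "Office-LAN"),
    ("2024-05-01T09:20:00", "F", "CORP\\carol", "Office-LAN"),
    ("2024-05-01T09:40:00", "F", "CORP\\carol", "Office-LAN"),
    ("2024-05-01T10:30:00", "F", "CORP\\bob", "Office-LAN"),
    ("2024-05-01T11:00:00", "S", "CORP\\KIOSK7$", "Lab-LAN"),
]

# Assumed "normal pattern": account/network pairs expected on the wired LAN.
BASELINE = {
    ("CORP\\alice", "Office-LAN"),
    ("CORP\\bob", "Office-LAN"),
    ("CORP\\carol", "Office-LAN"),
}

def review_5633(events, baseline, window=timedelta(minutes=5), threshold=3):
    """Return (unexpected account/network pairs, failure bursts per account)."""
    unexpected = set()
    failures = defaultdict(list)
    for ts, outcome, account, network in events:
        if (account, network) not in baseline:
            unexpected.add((account, network))   # success or failure alike
        if outcome == "F":
            failures[account].append(datetime.fromisoformat(ts))
    bursts = {}
    for account, times in failures.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[account] = best               # largest failure count in any window
    return sorted(unexpected), bursts

if __name__ == "__main__":
    unexpected, bursts = review_5633(EVENTS, BASELINE)
    print("Not in baseline:", unexpected)
    print("Failure bursts:", bursts)
```

Two failures 20 minutes apart (carol in the sample) stay below the threshold, while four failures within three minutes are reported as a burst.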