Authentication Logs – Monitor RADIUS Login Attempts and Results
Overview
Section titled “Overview”The Authentication Logs page provides a comprehensive, real-time view of all RADIUS authentication events processed by MideyeServer. Every login attempt — whether successful, failed, or timed out — is recorded with detailed metadata including the username, calling station ID, authentication type, RADIUS client, and fraud score.
Use this page to investigate authentication issues, verify that multi-factor authentication (MFA) is functioning correctly, identify suspicious login patterns, and create static filter rules to block malicious actors. The authentication log is an essential tool for security monitoring, compliance auditing, and troubleshooting user access problems in your RADIUS infrastructure.
Authentication logs support advanced filtering by date range, username, calling station ID, authentication type, authentication result, and RADIUS client — enabling rapid identification of specific events across large volumes of authentication data.
Access & Permissions
Section titled “Access & Permissions”Required Role: ROOT, SUPER_ADMIN, ADMIN, or OPERATOR
Navigation: Home → Logs → Authentication Logs
| Role | View Logs | View Details | Create Filter Rules |
|---|---|---|---|
| ROOT | ✅ | ✅ | ✅ |
| SUPER_ADMIN | ✅ | ✅ | ✅ |
| ADMIN | ✅ | ✅ | ✅ |
| OPERATOR | ✅ | ✅ | ❌ |
Features & Configuration
Section titled “Features & Configuration”Viewing Authentication Events
Section titled “Viewing Authentication Events”The main data grid displays authentication events in a paginated, sortable table. By default, logs are sorted by time in descending order (newest first) and the page loads with today’s date range pre-selected.
Default visible columns:
| Column | Description |
|---|---|
| Time | Timestamp of the authentication event (always visible) |
| Username | The user identity that attempted authentication |
| MSISDN | Mobile phone number associated with the user |
| Authentication Type | Method used for authentication (SMS, Mobile App, Token, etc.) |
| Fraud Score | IP reputation score from Mideye Shield (displays ”–” if unavailable) |
| Result | Color-coded outcome: green (Successful), red (Failed), yellow (Timed Out) |
Hidden by default (can be enabled via column visibility settings):
| Column | Description |
|---|---|
| RADIUS Client | The NAS or network device that initiated the authentication request |
| Calling Station ID | The originating IP address or MAC address of the end user |
Filtering Authentication Logs
Section titled “Filtering Authentication Logs”Click the Filter icon in the toolbar to open the filter panel. All text-based filters use debounced input (1-second delay) to reduce unnecessary server requests.
| Filter | Type | Description |
|---|---|---|
| Start Date | Date picker | Beginning of the time range (defaults to today at midnight) |
| End Date | Date picker | End of the time range (defaults to end of today) |
| Username | Text input | Search by username (partial match) |
| Calling Station ID | Text input | Search by originating IP or MAC address |
| Authentication Types | Multi-select | Filter by one or more authentication methods |
| RADIUS Clients | Multi-select | Filter by one or more RADIUS client names (dynamically populated) |
| Authentication Results | Multi-select | Filter by outcome: Successful, Failed, Timed Out |
Available Authentication Types:
PASSWORD— Password-only (1FA) authenticationMOBILE— SMS OTP deliveryTOKEN— Hardware or software tokenCONCAT— Password concatenated with OTPPLUS— Mideye Plus (push notification)TOUCH— Touch-based approvalTOUCH_PLUS— Touch with Plus activationTOUCH_MOBILE— Touch with mobile fallbackASSISTED_LOGIN— Approver-assisted loginSHARED_ACCOUNT— Shared account authenticationON_PREM— On-premises hardware token (OATH)PASSWORD_RESET— Password reset flowMAGIC_LINK— Magic link authentication
Click Apply to execute the filter, or Reset to clear all filter fields.
Viewing Event Details
Section titled “Viewing Event Details”Click any row in the data grid to open the detail drawer on the right side of the screen. The drawer displays:
- Time — Event timestamp
- Username — Authenticated user identity
- MSISDN — Mobile phone number
- Calling Station ID — Originating address (if available)
- Country Code — Geographic origin (or “N/A” if unavailable)
- Called Station ID — Target address (if available)
- Authentication Type — Method used
- RADIUS Client — NAS device name
- Result — Authentication outcome
- Mideye Server — Processing server instance
- Info — Additional context (if available)
Below the summary, the Details section renders the full authentication event trace as an expandable tree structure. Node entries can be expanded to reveal nested key-value pairs with translated labels.
Creating Static Filter Rules from Failed Attempts
Section titled “Creating Static Filter Rules from Failed Attempts”When viewing a failed authentication event, the detail drawer displays Block buttons next to the Username and Calling Station ID fields. Clicking a Block button opens a dialog to create a new static filter rule that blocks future authentication attempts matching that value.
Create Static Filter Rule Dialog:
| Field | Type | Validation | Description |
|---|---|---|---|
| Comment | Text | Max 255 characters | Optional note explaining why the rule was created |
The rule is created with action BLOCK and operator EQUAL_TO. If an identical rule already exists, an informational message is displayed instead.
Field Reference
Section titled “Field Reference”| Field Name | Type | Description |
|---|---|---|
| time | DateTime | Timestamp when the authentication event occurred |
| username | String | User identity used in the authentication attempt |
| msisdn | String | Mobile phone number of the user |
| callingStationId | String | Originating IP address or MAC address of the client device |
| authType | Enum | Authentication method used (PASSWORD, MOBILE, TOKEN, etc.) |
| fraudScore | Integer | IP reputation score from Mideye Shield (null if unavailable) |
| result | Enum | Authentication outcome: SUCCESSFUL, FAILED, TIMED_OUT |
| radiusClient | String | Name of the RADIUS client (NAS) that sent the request |
| countryCode | String | Two-letter country code of the originating IP |
| calledStationId | String | Target network address |
| mideyeServer | String | Server instance that processed the request |
| info | String | Additional context or error information |
Actions
Section titled “Actions”Refresh
Section titled “Refresh”Purpose: Reload the authentication log data from the server. Steps: Click the refresh (loop) icon in the toolbar. Result: The data grid reloads with the latest events matching the current filter criteria.
Filter
Section titled “Filter”Purpose: Narrow down displayed authentication events by specific criteria. Steps:
- Click the filter icon in the toolbar.
- Set desired filter values (date range, username, etc.).
- Click Apply.
Result: The data grid updates to show only events matching all specified filter criteria.
Block Username or Calling Station ID
Section titled “Block Username or Calling Station ID”Purpose: Create a static filter rule to block future authentication attempts from a specific username or IP address.
Prerequisites: The authentication event must have a FAILED result.
Steps:
- Click a failed authentication row to open the detail drawer.
- Click the Block button next to the Username or Calling Station ID.
- Optionally enter a comment (max 255 characters).
- Click Block to create the rule.
Result: A new static filter rule is created with action BLOCK and operator EQUAL_TO for the selected attribute and value.
Common Use Cases
Section titled “Common Use Cases”Investigating a User’s Login Failure
Section titled “Investigating a User’s Login Failure”- Open the filter panel and set the date range to the relevant time period.
- Enter the username in the Username filter.
- Select “Failed” in the Authentication Results filter.
- Click Apply.
- Click on a failed event to view the full authentication trace in the detail drawer.
- Examine the Details tree to identify the root cause (invalid password, expired token, locked account, etc.).
Monitoring for Brute Force Attacks
Section titled “Monitoring for Brute Force Attacks”- Filter by Authentication Result: “Failed”.
- Sort by time (descending) to see the latest failures.
- Look for patterns: repeated failures from the same Calling Station ID or against the same username.
- Review the Fraud Score column for high-risk IP addresses.
- Use the Block action on suspicious entries to create filter rules.
Verifying MFA Configuration
Section titled “Verifying MFA Configuration”- Filter by a specific Authentication Type (e.g., PLUS, TOUCH, or MOBILE).
- Verify that authentication events of the expected type appear for the target users.
- Check that results show “Successful” for properly configured users.
Troubleshooting
Section titled “Troubleshooting”| Issue | Possible Cause | Resolution |
|---|---|---|
| No logs appear | Date range too narrow | Expand the date range or reset filters |
| Missing RADIUS client in filter | Client recently created | Refresh the page to reload the client list |
| Fraud score shows ”–“ | Mideye Shield disabled or IP not scored | Verify Mideye Shield is enabled and configured |
| Block button not visible | Event is not a failed attempt | Block is only available for FAILED results |
| Block button not visible | Insufficient permissions | Block requires ADMIN role or higher |
Related Pages
Section titled “Related Pages”- Static Filter Rules — Manage the filter rules created from authentication log blocking actions
- Blocked Attempts — View authentication attempts blocked by filter rules or Mideye Shield
- Mideye Shield Configuration — Configure fraud score thresholds and automated blocking
- RADIUS Clients — Manage the NAS devices that appear in authentication logs