Request Demo
Features Use Cases About Documentation Contact Request Demo

NAC Tracer

Debug authentication flows step by step

What Is NAC Tracer?

NAC Tracer is your window into what Warden does during authentication. When something doesn't work, NAC Tracer shows you exactly what happened - every step, every decision, every attribute. No more guessing.

Think of it as a debug log with a friendly interface. Instead of grep'ing through text files, you get a visual trace of the authentication flow.

When to Use NAC Tracer

  • Authentication fails - See exactly why it was rejected
  • Wrong VLAN assigned - Check which attributes were returned
  • Policy debugging - Verify which rules matched
  • 2FA issues - See if 2FA was required, provided, or failed
  • Performance analysis - Identify slow identity providers
  • Learning Warden - Understand how authentication flows work

How NAC Tracer Works

NAC Tracer is always running in the background. Every authentication attempt is captured and stored automatically - you don't need to "start" a trace. Just open NAC Tracer and your authentication history is already there.

90-Day History

Traces are retained for 90 days, or longer for high-volume deployments based on available disk space.

pause_circle
Pause Live Output

Use the pause button to freeze the live feed while you examine a specific trace without new events pushing it off screen.

  1. Navigate to NAC Tracer in the sidebar
  2. View authentication events as they stream in real-time
  3. Click Pause to freeze the output while examining traces
  4. Use filters to narrow down to specific users, hosts, or time ranges
  5. Click any trace to see the full step-by-step authentication flow

Tip: If you're troubleshooting, try authenticating and then check NAC Tracer - your attempt will already be captured. Use filters if there's a lot of other traffic.

Reading a Trace

Each trace shows the authentication journey as a series of steps:

Host Identified 0ms
Host: Core-Switch-1 (10.0.1.1)
Policy Loaded 1ms
Policy: Corp-WiFi-Standard
User Authenticated 45ms
User: jsmith via Active Directory
2FA Verified 52ms
Method: TOTP (appended)
Access Rules Passed 53ms
Rule: Allow IT_Staff matched
Access-Accept 54ms
VLAN: 100, Session-Timeout: 28800

Step Types

Success

Step completed successfully

Failure

Step failed - usually indicates why auth failed

Skipped

Step not needed (e.g., 2FA not required)

Info

Informational - additional context

Trace Details

Click any step to see full details:

Timestamp

Exact time and duration of each step

Request Data

RADIUS attributes received from the network device

Identity Provider

Which provider was queried and its response

User Info

Username, groups, and attributes from directory

Policy Match

Which policy and rules were evaluated

Response Attributes

All RADIUS attributes returned in Access-Accept

Filtering Traces

With lots of traffic, use filters to find specific authentications:

Username

Show only traces for a specific user

Host

Filter by the network device (NAS)

MAC Address

Filter by client's Calling-Station-Id

Result

Show only Accept or Reject

Time Range

Limit to specific time window

Exporting Traces

Export traces for deeper analysis or to share with support:

  1. Select the trace(s) you want to export
  2. Click Export
  3. Choose format (JSON for programmatic use, or readable text)
  4. Download the file

For support tickets: Include an exported trace when reporting authentication issues. It gives us everything we need to help quickly.

What's Next?

Back to Help Overview