This alert is generated when the cluster receives an API call that is authenticated as "admin". Nutanix recommends that any script or third-party application sending API calls to the cluster use a service account rather than 'admin'. You can read more about this alert in the article "Alert - ExternalClientAccessCheck".
If you are seeing this alert, it is informing you that some system is authenticating as admin. To aid in investigation, the IP address is provided. The intent is that any third-party application or script should use a service account and not 'admin', as this makes command auditing far easier and helps keep the admin password secure.
When a third-party application such as Veeam is set up to authenticate to the cluster as 'admin', that should generate this alert. If you log in to Prism Element as admin, access the REST API explorer, and then test an API, you should see this alert because your desktop is sending an API call as 'admin'. Likewise, if you set up a PowerShell script or use curl from a Linux system to send API calls to Prism with the 'admin' account, those actions should generate this alert.
If the source IP address belongs to a CVM, you can usually just ignore the alert. Certain normal workflows triggered from Prism, such as LCM inventory, log collection, or licensing workflows, can incorrectly trigger this alert on current versions of AOS. If the time of alert generation aligns with one of those procedures and the source IP belongs to a CVM, it is reasonably safe to ignore the alert. One known cause is described in the NCC release notes as a known issue:
“When collecting logs through the Prism web console, if you select Download Locally as the log file destination, you see an alert WARN message A300400 External Client Authentication after log collection completed. This is a cosmetic issue and can be safely ignored.”
Similarly, in the AOS 5.16 release notes for LCM:
“The following alert might incorrectly generate during normal Controller VM workflows.
Warning: External Client Authentication.”
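The triage rule described above (CVM source plus a matching Prism workflow versus any other source) can be written down as a small check. This is an added example, not Nutanix code: the record layout, the sample IPs and times, and the 15-minute tolerance for "aligns with" are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumption: how close to a workflow an alert must be to count as "aligned".
TOLERANCE = timedelta(minutes=15)

def triage(alert, cvm_ips, workflows, tolerance=TOLERANCE):
    """Classify one 'External Client Authentication' alert.

    alert:     {"source_ip": str, "time": datetime} (constructed record shape)
    cvm_ips:   IP addresses of the cluster's CVMs
    workflows: (name, start, end) tuples for LCM inventory, log collection
               or licensing runs, taken from your own change records
    Returns (verdict, reason).
    """
    src = ip_address(alert["source_ip"])
    if src not in {ip_address(ip) for ip in cvm_ips}:
        # Some script, application or desktop is sending API calls as 'admin'.
        return ("investigate", f"{src} is not a CVM; move that client to a service account")
    for name, start, end in workflows:
        if start - tolerance <= alert["time"] <= end + tolerance:
            return ("expected", f"CVM {src} during {name}")
    # CVM source but nothing on record that explains the timing.
    return ("low-priority", f"CVM {src}, no matching Prism workflow recorded")

# Constructed sample data (not real cluster values).
CVM_IPS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
WORKFLOWS = [
    ("LCM inventory", datetime(2024, 1, 10, 9, 0), datetime(2024, 1, 10, 9, 20)),
    ("log collection", datetime(2024, 1, 11, 16, 0), datetime(2024, 1, 11, 16, 45)),
]
SAMPLE_ALERTS = [
    {"source_ip": "10.0.0.11", "time": datetime(2024, 1, 10, 9, 5)},    # CVM, during LCM
    {"source_ip": "10.0.0.50", "time": datetime(2024, 1, 10, 9, 5)},    # not a CVM
    {"source_ip": "10.0.0.12", "time": datetime(2024, 1, 12, 14, 0)},   # CVM, nothing running
    {"source_ip": "10.0.0.13", "time": datetime(2024, 1, 11, 16, 55)},  # CVM, just after log collection
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        verdict, reason = triage(a, CVM_IPS, WORKFLOWS)
        print(f"{a['time']:%Y-%m-%d %H:%M} {a['source_ip']:<12} {verdict:<13} {reason}")
```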