AAA Accounting for AnyConnect?

kmanning1
Level 1

Is it possible to send AAA accounting data from my firewall for AnyConnect to my TACACS server? Mainly interested in remote user connected and disconnected data.

One article I was reading said using "aaa accounting enable console GROUPNAME" would send that type of accounting data to the servers in the group, but that doesn't seem right. The command states it's for administrative access accounting.

Any help would be appreciated. 

Accepted Solution

I was able to get what I was looking for using TACACS+ with the free TACACS.net software. 

This was all in a GNS3 Lab so not worried about made up IP addresses. 

Firewall config:

Specify the server group and the host with its key (I called the group TACACS):

aaa-server TACACS protocol tacacs+

aaa-server TACACS (inside) host 10.180.10.50
   key *****

Specify the accounting server group under the general attributes for the tunnel group:

tunnel-group AnyConnect general-attributes
    accounting-server-group TACACS

That enables accounting data to be sent to my TACACS+ server, giving me the information I was wanting: it shows connects and disconnects with username and IP information:

<102> 2017-02-16 12:40:25 [10.0.10.10:14807] 02/16/2017 12:40:25 NAS_IP=10.0.10.10 Port=4096 rem_addr=10.150.10.50 User=user1 Flags=Start task_id=b4000001 foreign_ip=10.150.10.50 local_ip=45.23.50.78 service=shell
<102> 2017-02-16 12:42:00 [10.0.10.10:61486] 02/16/2017 12:42:00 NAS_IP=10.0.10.10 Port=4096 rem_addr=10.150.10.50 User=user1 Flags=Stop task_id=b4000001 foreign_ip=10.150.10.50 local_ip=45.23.50.78 service=shell elapsed_time=95 bytes_in=5886 bytes_out=10990 paks_in=63 paks_out=12 disc-cause=1

AnyConnect user was user1

NAS IP (Inside address for my lab Firewall): 10.0.10.10

Flags=Start is the connect

Flags=Stop is the disconnect

foreign_ip is the IP of the user: 10.150.10.50

local_ip is the "public" IP I gave to my lab firewall: 45.23.50.78

So I am able to tell who is connecting from where and with what username. 

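As an added example (not part of the original thread or of TACACS.net), the Python below parses accounting lines in the format shown above, pairs each Start with its Stop by task_id, cross-checks the reported elapsed_time against the two timestamps, and lists sessions that never received a Stop. The sample lines are constructed from the post's lab values, with a second user (user2, task_id b4000002) added to show an open session.

```python
import re
from datetime import datetime

# Constructed sample in the TACACS.net accounting-log format quoted in the post.
# The user2 record is invented to illustrate a session with no Stop yet.
SAMPLE_LOG = """\
<102> 2017-02-16 12:40:25 [10.0.10.10:14807] 02/16/2017 12:40:25 NAS_IP=10.0.10.10 Port=4096 rem_addr=10.150.10.50 User=user1 Flags=Start task_id=b4000001 foreign_ip=10.150.10.50 local_ip=45.23.50.78 service=shell
<102> 2017-02-16 12:42:00 [10.0.10.10:61486] 02/16/2017 12:42:00 NAS_IP=10.0.10.10 Port=4096 rem_addr=10.150.10.50 User=user1 Flags=Stop task_id=b4000001 foreign_ip=10.150.10.50 local_ip=45.23.50.78 service=shell elapsed_time=95 bytes_in=5886 bytes_out=10990 paks_in=63 paks_out=12 disc-cause=1
<102> 2017-02-16 12:43:10 [10.0.10.10:14900] 02/16/2017 12:43:10 NAS_IP=10.0.10.10 Port=4096 rem_addr=10.150.10.51 User=user2 Flags=Start task_id=b4000002 foreign_ip=10.150.10.51 local_ip=45.23.50.78 service=shell
"""

TS_RE = re.compile(r"^<\d+>\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
FIELD_RE = re.compile(r"([\w-]+)=(\S+)")  # key=value pairs, including disc-cause


def parse_record(line):
    """Return the record's timestamp plus its key=value attributes, or None if malformed."""
    m = TS_RE.match(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["timestamp"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return rec


def sessions_from_log(text):
    """Pair Start/Stop records by task_id. Each session records the user,
    the client address (foreign_ip), whether it is still open, and on Stop
    the counters plus whether elapsed_time agrees with the two timestamps."""
    sessions = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or "task_id" not in rec:
            continue  # skip lines that are not accounting records
        s = sessions.setdefault(rec["task_id"], {
            "user": rec["User"], "foreign_ip": rec["foreign_ip"], "open": True})
        if rec["Flags"] == "Start":
            s["start"] = rec["timestamp"]
        elif rec["Flags"] == "Stop":
            s["stop"] = rec["timestamp"]
            s["open"] = False
            s["elapsed"] = int(rec["elapsed_time"])
            s["bytes_in"], s["bytes_out"] = int(rec["bytes_in"]), int(rec["bytes_out"])
            s["disc_cause"] = rec.get("disc-cause")
            # A Stop without a Start (e.g. after log rotation) cannot be cross-checked.
            if "start" in s:
                s["elapsed_matches"] = (s["stop"] - s["start"]).total_seconds() == s["elapsed"]
    return sessions


def open_sessions(sessions):
    """(user, foreign_ip) for every session that has a Start but no Stop."""
    return [(s["user"], s["foreign_ip"]) for s in sessions.values() if s["open"]]
```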

4 Replies

nspasov
Cisco Employee

Hi there! What type of accounting are you looking for? Are you talking about command-level accounting on the ASA for commands issued by users connected over AnyConnect? If so, you can enable command-level accounting for the desired privilege level (0-15) or all of them. For instance, for privilege level 15 you would configure:

aaa accounting command privilege 15 your_tacacs_server_group

I hope this helps!

Thank you for rating helpful posts!

Hello,

No, I can get the command accounting working fine. I am trying to get some basic accounting for VPN connections using the AnyConnect client. Similar to what the syslog gives:

%ASA-4-113019: Group = GroupName, Username = user, IP = X.X.X.X, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:01m:02s, Bytes xmt: 10754, Bytes rcv: 19675, Reason: User Requested

I was looking into configuring it like this:

aaa-server GROUPNAME protocol tacacs+

aaa-server GROUPNAME (inside) host X.X.X.X

 key secretkey

tunnel-group GROUP general-attributes

 accounting-server-group GROUPNAME

I think that will dump accounting data to my server. Now what that data looks like I am working on testing. 

I have not done this with TACACS+ but have it working in my lab with RADIUS. Typically you would use TACACS+ for device administration and RADIUS for dot1x and remote-access authentication. I get very detailed accounting info. There is also a good thread here with a similar request:

https://supportforums.cisco.com/discussion/11745731/anyconnect-session-accounting-radius-or-syslog

Thank you for rating helpful posts!
