12-08-2008 06:45 AM - edited 03-10-2019 04:13 PM
Greetings All
Authentication of users behind ASA 5505 connected to VPN3000 Concentrator with EasyVPN
According to the law in a certain country, we need to log the following:
Time & Datestamp
Username/ip address of the pc inside
Which sites they have visited (ip's, URL's etc..)
Eg. 11/4-2008 domain\john ip 192.168.2.23 visited ip 212.232.232.21/80
I would like to achieve this with using the ASA 5505 and my Cisco ACS 4.1 on my LAN behind the VPN3000 Concentrator.
Im trying to setup forced authentication for the users on the inside interface (lan) of the ASA5505. I need to force them to authenticate before they will be able to get any access outside their lan.
I have read on the forum, and tried som different solutions, but not been able to get any solution to work with all the needed info and also to work in conjunction with EasyVPN (Network Extension-Mode).
I tried with cut-thru proxy solution from the guide here:
It does not work, because the include/exclude statements is not allowed in conjunction with EasyVPN.
Error: WARNING: <_vpnc_nwp_acl> found duplicate element
WARNING: <_vpnc_nwp_acl> found duplicate element
Hybrid configurations using 'match' and 'include|exclude' are not supported
I have then looked at enabling "Individual User Authentication (IUA)", but since Im using split-tunneling, it seemes like its only for the
tunnelled networks authentication is enforced. And I dont want to tunnell all- hence the repsone-times to the remote site is very high.
Last I tried to make som HTTP redirect with aaa authentication listener http[s] interface_name [port portnum] [redirect], but thats also not
allowed in conjunction with EasyVPN.
Error:
* Remove 'aaa authentication listener' configuration
CONFIG CONFLICT: Configuration that would prevent successful Cisco Easy VPN Remote
operation has been detected, and is listed above. Please resolve the
above configuration conflict(s) and re-enable.
The ASA is currently running IOS 7.2(4), but there's no problem in upgrading it to 8.0(4) if that could help me make a solution.
Is it possible to make this work somehow ?
/Claus
12-11-2008 11:44 AM
Hello Claus,
Have you tried downloadable access lists in combination with the ACS for the authentication? You can then use the accounting options of that downloadable access list to register who has done what.
You can do this in combination with the virtual http listener or the virtual telnet listener.
Check out: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwaaa.html
Hope this helps
Regards
P-J Nefkens
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide