Certificate CN as Accounting User-Name

daleschultz
Level 1

Hi:

I have DMVPN peers set to use RSA signatures for setting up IKE phase 1.

Is it possible to get the certificate common name (CN=) to show up in AAA accounting records?

I have not been able to find the appropriate PKI AAA commands to do this.

Currently this is all I get and the IP address (isakmp-initator-ip=) is an outside NAT so it is not a valid means to identify the peer in logs.

Dec 13 16:37:43.819 EST: RADIUS/ENCODE(000000BA):Orig. component type = VPN IPSEC
Dec 13 16:37:43.819 EST: RADIUS(000000BA): Config NAS IP: 192.168.66.129
Dec 13 16:37:43.819 EST: RADIUS(000000BA): Config NAS IPv6:
Dec 13 16:37:43.819 EST: RADIUS(000000BA): sending
Dec 13 16:37:43.819 EST: RADIUS(000000BA): Send Accounting-Request to 192.168.112.157:1646 id 1646/5, len 160
Dec 13 16:37:43.819 EST: RADIUS:  authenticator A2 4E 46 69 10 D0 18 F4 - 44 79 1C 98 3B 5C 9C DA
Dec 13 16:37:43.819 EST: RADIUS:  Acct-Session-Id     [44]  10  "000000B0"
Dec 13 16:37:43.819 EST: RADIUS:  Vendor, Cisco       [26]  41
Dec 13 16:37:43.823 EST: RADIUS:   Cisco AVpair       [1]   35  "isakmp-initator-ip=148.36.85.254"
Dec 13 16:37:43.823 EST: RADIUS:  Vendor, Cisco       [26]  36
Dec 13 16:37:43.823 EST: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
Dec 13 16:37:43.823 EST: RADIUS:  Acct-Authentic      [45]  6   Local                     [2]
Dec 13 16:37:43.823 EST: RADIUS:  User-Name           [1]   2   ""
Dec 13 16:37:43.823 EST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Dec 13 16:37:43.823 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Dec 13 16:37:43.823 EST: RADIUS:  NAS-Port            [5]   6   0
Dec 13 16:37:43.823 EST: RADIUS:  NAS-Port-Id         [87]  15  "78.18.176.29"
Dec 13 16:37:43.823 EST: RADIUS:  NAS-IP-Address      [4]   6   192.168.66.129
Dec 13 16:37:43.823 EST: RADIUS:  Acct-Delay-Time     [41]  6   0
Dec 13 16:37:43.823 EST: RADIUS(000000BA): Sending a IPv4 Radius Packet
Dec 13 16:37:43.827 EST: RADIUS(000000BA): Started 2 sec timeout
Dec 13 16:37:43.831 EST: ISAKMP (1535): received packet from 148.36.85.254 dport 4500 sport 4500 Global (R) QM_IDLE
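The problem in the capture above is an auditing one: the Accounting Start record carries an empty User-Name, so the only thing that identifies the peer is the isakmp-initator-ip AVpair, which is a NAT address. The script below is an added example, not code from the thread or from Cisco; it parses the attribute lines of a "debug radius" capture (the line layout is assumed to be exactly what is shown above, with "Send Accounting-Request" opening a record and "Sending a IPv4 Radius Packet" closing it) and flags accounting records that cannot be tied to a peer identity. The sample input is a constructed copy of the lines from the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the attribute lines of the Accounting-Request shown in the post.
SAMPLE_DEBUG = """\
Dec 13 16:37:43.819 EST: RADIUS(000000BA): Send Accounting-Request to 192.168.112.157:1646 id 1646/5, len 160
Dec 13 16:37:43.819 EST: RADIUS:  authenticator A2 4E 46 69 10 D0 18 F4 - 44 79 1C 98 3B 5C 9C DA
Dec 13 16:37:43.819 EST: RADIUS:  Acct-Session-Id     [44]  10  "000000B0"
Dec 13 16:37:43.819 EST: RADIUS:  Vendor, Cisco       [26]  41
Dec 13 16:37:43.823 EST: RADIUS:   Cisco AVpair       [1]   35  "isakmp-initator-ip=148.36.85.254"
Dec 13 16:37:43.823 EST: RADIUS:  Vendor, Cisco       [26]  36
Dec 13 16:37:43.823 EST: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
Dec 13 16:37:43.823 EST: RADIUS:  Acct-Authentic      [45]  6   Local                     [2]
Dec 13 16:37:43.823 EST: RADIUS:  User-Name           [1]   2   ""
Dec 13 16:37:43.823 EST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Dec 13 16:37:43.823 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Dec 13 16:37:43.823 EST: RADIUS:  NAS-Port            [5]   6   0
Dec 13 16:37:43.823 EST: RADIUS:  NAS-Port-Id         [87]  15  "78.18.176.29"
Dec 13 16:37:43.823 EST: RADIUS:  NAS-IP-Address      [4]   6   192.168.66.129
Dec 13 16:37:43.823 EST: RADIUS:  Acct-Delay-Time     [41]  6   0
Dec 13 16:37:43.823 EST: RADIUS(000000BA): Sending a IPv4 Radius Packet
"""

# One attribute line: "RADIUS:  <name> [<type>] <len> <value>"; value is optional
# (vendor wrapper lines have none). The name may contain spaces and a comma.
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[A-Za-z][\w ,-]*?)\s+\[(?P<type>\d+)\]\s+(?P<len>\d+)"
    r"(?:\s+(?P<value>.*?))?\s*$"
)
# Enumerated values print as "Name [code]"; only the name is kept.
ENUM_RE = re.compile(r"^(?P<name>\S+)\s+\[\d+\]$")
START_RE = re.compile(r"Send Accounting-Request to (?P<server>\S+)")
END_RE = re.compile(r"Sending a IPv[46] Radius Packet")  # assumed record terminator


def _decode_value(raw: Optional[str]) -> Optional[str]:
    """Convert the printed attribute value to a plain string (None if absent)."""
    if raw is None or raw == "":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]  # quoted string; an empty User-Name decodes to ""
    m = ENUM_RE.match(raw)
    return m.group("name") if m else raw


def parse_radius_debug(text: str) -> List[Dict]:
    """Split a debug capture into Accounting-Request records.

    Each record has the target server, the standard attributes by name, and the
    Cisco AVpair key=value pairs unpacked into their own dict.
    """
    records: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            current = {"server": m.group("server"), "attrs": {}, "avpairs": {}}
            continue
        if current is None:
            continue
        if END_RE.search(line):
            records.append(current)
            current = None
            continue
        m = ATTR_RE.search(line)
        if not m:
            continue  # authenticator and other non-attribute lines
        name = m.group("name").strip()
        value = _decode_value(m.group("value"))
        if name.startswith("Vendor"):
            continue  # wrapper only; the AVpair line that follows carries the data
        if name == "Cisco AVpair" and value and "=" in value:
            key, _, val = value.partition("=")
            current["avpairs"][key] = val
        else:
            current["attrs"][name] = value
    return records


def audit_accounting(record: Dict) -> List[str]:
    """Return findings for a record whose peer cannot be identified from it."""
    findings: List[str] = []
    attrs, avp = record["attrs"], record["avpairs"]
    user = attrs.get("User-Name")
    if attrs.get("Acct-Status-Type") == "Start" and not user:
        findings.append("User-Name is empty in Accounting Start: no identity for this session")
    if not user and "isakmp-initator-ip" in avp:
        findings.append(
            "only isakmp-initator-ip=%s identifies the peer; behind NAT this is not unique"
            % avp["isakmp-initator-ip"]
        )
    return findings


if __name__ == "__main__":
    for rec in parse_radius_debug(SAMPLE_DEBUG):
        print("Accounting-Request to", rec["server"])
        for finding in audit_accounting(rec):
            print("  -", finding)
```

Run over a real capture, the same two checks separate sessions that can be correlated later (non-empty User-Name) from those that only leave a shared NAT address in the accounting trail.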

2 Replies

Tarik Admani
VIP Alumni

You will not be able to make the two work. You will have to use aggressive mode with PSK if you want RADIUS authentication. Here is an article that will help:

https://supportforums.cisco.com/thread/2184936

Tarik Admani
*Please rate helpful posts*

Thanks, authentication is already working. My question is about getting accounting records with the certificate CN showing up as the User-Name in the accounting start record.