08-26-2016 04:21 PM - edited 03-11-2019 12:02 AM
Here is my situation:
Users will connect using AnyConnect to a Cisco 5525. The 5525 will send the AD credentials to an NPS server for authorization. The NPS server (Windows 2008 Server) will accept/reject credentials. If accepted, the user will start a session and disconnect when finished. So there is a start and a stop for that session.
Currently, I do not have any device receiving the RADIUS accounting information. So I was asked to configure my Cisco ACS 5.6 to be the accounting server.
Is it possible to have the ACS 5.6 function solely as the accounting server? If it can, some configuration help would be nice. TIA
08-27-2016 11:07 AM
Hi,
Yes, you can configure ACS for both TACACS+ and RADIUS accounting.
This command enables the TACACS+ protocol and uses the name TACACS+ as the AAA server group.
ciscoasa(config)# aaa-server TACACS+ protocol tacacs+
This command specifies the TACACS+ server's IP address. If you notice, there's an (inside) keyword in the command. This basically tells the ASA which interface to send the TACACS+ traffic out of. If the TACACS+ server is actually on the outside interface, then you just change it to outside.
aaa-server TACACS+ (inside) host 192.168.100.200 tacacs-key
See more at: http://networkjutsu.com/enabling-aaa-on-cisco-asa/#sthash.ltMKrj5f.dpuf
Note: the same can be configured for the RADIUS protocol.
Hope it helps!
Regards
Gagan
08-27-2016 12:58 PM
Didn't really answer the question, but thanks anyways.
08-27-2016 05:00 PM
Oh yes, this is very much possible. All you need is to have your ACS 5.6 defined inside the tunnel-group configuration as an accounting server. This would let you send the authentication request to the NPS server and the accounting start/stop to the ACS server.
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
address-pool ISE
authentication-server-group NPS_AUTH
accounting-server-group ACS-ACCT
If you'd like to verify the same from the debugs, enable "debug aaa common 255" and initiate the VPN connection. Look for the snippet I've pasted below for validation, and then check the same on NPS under Event Viewer (for authentication) and on ACS 5.6 (Mnt > Reports > ACS Reports > RADIUS Accounting > Run).
Initiating authentication to primary server (Svr Grp: NPS_AUTH)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 1.1.1.1
Initiating accounting transaction (Svr Grp: ACS-ACCT)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 2.2.2.2
Cheers
Jatin
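For anyone following the thread: below is a complete ASA configuration that puts Jatin's tunnel-group snippet together with the aaa-server groups it refers to. This is an added example, not configuration from any of the posts. The server addresses (1.1.1.1 for NPS, 2.2.2.2 for ACS) are taken from the debug output above; the shared secrets, interface, address pool range and explicit UDP ports are placeholders and should be replaced with your own values. The example also assumes the ASA is already known to ACS as a network device with a matching RADIUS shared secret, otherwise ACS will not accept the accounting packets.

```text
! Server group used only for authentication (Windows NPS, RADIUS)
aaa-server NPS_AUTH protocol radius
aaa-server NPS_AUTH (inside) host 1.1.1.1
 key NpsSharedSecret
 authentication-port 1812
 accounting-port 1813
!
! Server group used only for accounting (Cisco ACS 5.6, RADIUS)
! The shared secret here must match the one configured for this ASA on ACS.
aaa-server ACS-ACCT protocol radius
aaa-server ACS-ACCT (inside) host 2.2.2.2
 key AcsSharedSecret
 authentication-port 1812
 accounting-port 1813
!
! Address pool referenced by the tunnel-group (range is a placeholder)
ip local pool ISE 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! Remote-access tunnel-group: authenticate against NPS, account to ACS
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
 address-pool ISE
 authentication-server-group NPS_AUTH
 accounting-server-group ACS-ACCT
```

After a test VPN login and logout, `show aaa-server ACS-ACCT` on the ASA shows the accounting request and response counters for the ACS host, which is a quick way to confirm that the start/stop records are actually being sent and acknowledged before checking the ACS reports.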
08-28-2016 04:39 AM
Thank you for your response. My problem is configuring the ACS. It is quite different from ACS 4.2.
08-28-2016 06:31 AM
No configuration is required on ACS if you JUST need to see RADIUS start/stop accounting.
~ Jatin
08-28-2016 07:54 AM
Ok, I will try your recommendations. Thanks for your help.
08-28-2016 08:54 AM
Sure, keep this thread updated.
~ Jatin