Re: Logging authentications from remote VPN users

mitchen · ‎09-30-2008

Our ASA firewall is configured with IP address pools for remote access.

Remote users connect over VPN, are authenticated against a CSACS/RSA database and then assigned an address from the appropriate pool on the ASA.

I would like to be able to log the user authentications so that I know when a user was connected, what IP address they were assigned from the ASA pool and when they disconnected from our network again.

Can anyone suggest how I might achieve this?

At the moment, the closest I have is the Passed Authentications log on the CSACS server (achieved by turning on aaa accounting on the ASA) which tells me when the user authenticated but does NOT tell me what IP address from the ASA pool was assigned to them.

Does anyone have any suggestions?

Thanks

ROBERTO GIANA · ‎09-30-2008

Hi

Just use RADIUS accounting!

Configure the ACS also as accounting server group. Then assign the configured accounting server group to the VPN-profile. Otherwise VPN-sessions will not be accounted.

After that you will find then all the information you're looking for on the ACS in the RADIUS-Accounting log.

The assigned IP is listed under "Framed-IP" address. Under Acct-Session-Time you will find the session duration in seconds. And so on...

Regards

Roberto

mitchen · ‎10-09-2008

Thanks for the help and apologies for the delay in replying to you - I got tied up with some other work.

I don't know if this makes any difference but we are actually using TACACS and so I have tried using TACACS accounting. I configured an accounting server group under the VPN profile. And things are being logged to the TACACS accounting log on the ACS.

However, it still doesn't tell me the address that has been assigned to the user from the ASA.

I get a column called "Caller-ID" which shows me the remote public address that the user is connecting from. And I have a column called "addr" which should, presumably, contain the IP address assigned by the ASA but it is just blank.

Does anyone have any idea how to rectify this?

Thanks!

ROBERTO GIANA · ‎10-09-2008

If you use RADIUS accounting instead of TACACS+ accounting, then the assigned tunnel IP address is listed in the column "Framed-IP-Address". Please make shure that the log settings of the ACS are configured to list this column. That's how I do the accounting on our infrastructure.

If necessary you can still run authentication and authorization using TACACS+. :-) But we use TACACS+ for device administration and RADIUS for user access.

mitchen · ‎10-10-2008

Thanks, could you offer some more advice on how I would actually go about setting up RADIUS Accounting only?

On my ASA, I've configured the following:

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host w.x.y.z

key radiuskey

Then under my VPN group set-up I have added:

accounting-server-group RADIUS

However, I'm not sure what exactly I need to configure on the ACS side of things?

I didn't want to mess about too much with our existing ACS set-up (it was actually set up by a 3rd party so I have limited info on what has been configured!) as I don't want to inadvertently disrupt user authentications etc!

But if you could tell me how I would go about setting it up for RADIUS accounting only (while the authentication and authorization remains as TACACS+) then that would be greatly appreciated!

mitchen · ‎10-10-2008

Hello again.

Its ok - I managed to work it out and have it working successfully!

As you said, once I configured the RADIUS accounting correctly, the Framed IP address gives me the info I need.

Thanks for your help - very much appreciated!