
Anyconnect session accounting via radius or syslog ?

eagles-nest
Level 1

Hi

Does anyone have a deployed accounting method to log Anyconnect session details? Do you do it via a radius server or via logging messages to a syslog server?

If so could you assist with appropriate configuration? I am looking to log successful and unsuccessful authentications as well as session length, log on and log off times.

I've been playing around with Anyconnect authenticating to AD via ACS 5.1 but can't seem to get the accounting details I require. Similarly I have tried to catch appropriate syslog messages but again without much success.

Many thanks for any input, St.

Accepted Solution

Jatin Katyal
Cisco Employee

What have you configured for RADIUS accounting on the ASA?

Can you paste the output of show run aaa-server and show run tunnel-group?

Basically, all you need to do is define a RADIUS server group and call that group under the tunnel-group parameters.

!--- Configure the AAA Server group.
ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
ciscoasa(config-aaa-server-group)# exit

!--- Configure the AAA Server.
ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)# key secretkey
ciscoasa(config-aaa-server-host)# exit

!--- Configure the tunnel group to use the new AAA setup.
!--- accounting-server-group is entered in tunnel-group general-attributes mode.
ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
ciscoasa(config-tunnel-general)# accounting-server-group RAD_SRV_GRP
ciscoasa(config-tunnel-general)# exit

Once done, you can then establish a session and check the RADIUS accounting detailed packet on ACS 5.x >> Monitoring and Reports > Catalog > AAA Protocols > RADIUS Accounting.

In case you don't see RADIUS accounting after following the above steps then please turn on "debug aaa accounting" and "debug radius" on the ASA. This way we can check whether the ASA is sending the accounting session details to ACS or not.

Regards,

Jatin Katyal


- Do rate helpful posts -

~Jatin


5 Replies

eagles-nest
Level 1

As a follow on to my initial questions, would logging lists be a suitable method to select the appropriate logging messages and send them to one specific syslog server? I tried playing around with logging lists and while I could create a list with a number of message IDs in it I couldn't find a way to apply that list to its own syslog server. Has anyone deployed logging lists for this type of purpose?

Thanks, St.


Sent from Cisco Technical Support Android App


Many thanks Jatin

I was just logging in with an update to say I had this working with both Syslog and Radius accounting. Radius is obviously better but logging is giving acceptable information with

logging list Anyconnect message 113015
logging list Anyconnect message 113019
logging list Anyconnect message 716002
logging list Anyconnect message 722051
logging trap Anyconnect
logging facility 16
logging device-id string VPN-ASA
logging host inside x.x.x.x

I think I just needed to find the time and brain cells to invest in finding this but many thanks for the response.

St.
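As an added example (not code from the thread), a small Python parser that turns the four message IDs in the logging list above into the records the original question asked for: failed authentications, and per-session logon time, logoff time and duration. The sample syslog lines are constructed; the field layouts are my recollection of Cisco's documented formats for 113015, 722051, 113019 and 716002 and are an assumption to check against what your own ASA actually emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines for the four message IDs in the logging list above. The field
# layout follows Cisco's documented formats as I recall them; treat the exact wording (and
# the IPv4/IPv6 variant of 722051) as an assumption and adjust the regexes to your ASA.
SAMPLE_LOG = """\
Mar 03 09:00:01 VPN-ASA %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = alice
Mar 03 09:00:20 VPN-ASA %ASA-4-722051: Group <AnyConnect> User <alice> IP <203.0.113.7> IPv4 Address <10.10.0.5> IPv6 address <::> assigned to session
Mar 03 09:45:52 VPN-ASA %ASA-4-113019: Group = AnyConnect, Username = alice, IP = 203.0.113.7, Session disconnected. Session Type: SSL, Duration: 0h:45m:32s, Bytes xmt: 123456, Bytes rcv: 65432, Reason: User Requested
Mar 03 09:45:52 VPN-ASA %ASA-6-716002: Group <AnyConnect> User <alice> IP <203.0.113.7> WebVPN session terminated: User Requested
"""

HEADER_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(\d{6}): (.*)$")
YEAR = 2024  # assumption: the syslog timestamp carries no year


def parse_duration(text):
    """Convert the 113019 'Duration: 0h:45m:32s' field to a timedelta."""
    h, m, s = re.match(r"(\d+)h:(\d+)m:(\d+)s", text).groups()
    return timedelta(hours=int(h), minutes=int(m), seconds=int(s))


def parse_anyconnect_log(log):
    """Return (failed_auths, sessions): the logon/logoff/duration view the question asks for."""
    failed, sessions = [], {}
    for line in log.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an ASA message in the expected shape
        ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg_id, body = m.group(2), m.group(3)
        if msg_id == "113015":  # authentication rejected against the local database
            user = re.search(r"user = (\S+)", body).group(1)
            reason = re.search(r"reason = (.+?) :", body).group(1)
            failed.append({"time": ts, "user": user, "reason": reason})
        elif msg_id == "722051":  # address assigned: this marks the successful logon
            user, pub, addr = re.search(r"User <([^>]+)> IP <([^>]+)> IPv4 Address <([^>]+)>", body).groups()
            sessions[(user, pub)] = {"user": user, "public_ip": pub, "assigned_ip": addr, "login": ts}
        elif msg_id == "113019":  # disconnect record carries the ASA's own duration
            user = re.search(r"Username = ([^,]+)", body).group(1)
            pub = re.search(r"IP = ([^,]+)", body).group(1)
            sess = sessions.setdefault((user, pub), {"user": user, "public_ip": pub})
            sess["logoff"] = ts
            sess["duration"] = parse_duration(re.search(r"Duration: (\S+),", body).group(1))
            sess["reason"] = re.search(r"Reason: (.*)$", body).group(1)
        elif msg_id == "716002":  # session terminated notice; keep it as a flag
            user, pub = re.search(r"User <([^>]+)> IP <([^>]+)>", body).groups()
            sessions.setdefault((user, pub), {"user": user, "public_ip": pub})["terminated"] = True
    return failed, list(sessions.values())
```

The duration reported by 113019 can be cross-checked against the 722051 and 113019 timestamps, which catches clock or collector gaps on the syslog path that RADIUS accounting would not show.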

Glad to know the issue has been resolved. I appreciate your efforts too.

Jatin Katyal

~Jatin

Hi Jatin,

Can you tell us if VPN accounting is possible on Cisco ASA, for example if I want to check which devices users accessed after connecting to VPN (VPN - Remote Access and the client is Cisco VPN Client) through ACS?

Thanks

Appreciate your response