02-23-2013 01:00 PM - edited 02-21-2020 06:43 PM
Hi
Does anyone have a deployed accounting method to log AnyConnect session details? Do you do it via a RADIUS server or via logging messages to a syslog server?
If so, could you assist with the appropriate configuration? I am looking to log successful and unsuccessful authentications as well as session length, logon and logoff times.
I've been playing around with AnyConnect authenticating to AD via ACS 5.1 but can't seem to get the accounting details I require. Similarly, I have tried to catch the appropriate syslog messages, but again without much success.
Many thanks for any input, St.
02-24-2013 01:41 AM
As a follow-on to my initial questions, would logging lists be a suitable method to select the appropriate logging messages and send them to one specific syslog server? I tried playing around with logging lists and, while I could create a list with a number of message IDs in it, I couldn't find a way to apply that list to its own syslog server. Has anyone deployed logging lists for this type of purpose?
Thanks, St.
02-24-2013 03:24 AM
What have you configured for RADIUS accounting on the ASA?
Can you paste the output of show run aaa-server and show run tunnel-group?
Basically, all you need is to define a RADIUS server group and call that group under the tunnel-group parameters.
!--- Configure the AAA Server group.
ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
ciscoasa(config-aaa-server-group)# exit
!--- Configure the AAA Server.
ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)# key secretkey
ciscoasa(config-aaa-server-host)# exit
!--- Configure the tunnel group to use the new AAA setup.
ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
ciscoasa(config-tunnel-general)# accounting-server-group RAD_SRV_GRP
Once done, you can establish a session and check the detailed RADIUS accounting packet on ACS 5.x under Monitoring and Reports > Catalog > AAA Protocols > RADIUS Accounting.
In case you don't see RADIUS accounting after following the above steps, please turn on "debug aaa accounting" and "debug radius" on the ASA. This way we can check whether the ASA is sending the accounting session details to ACS or not.
Regards,
Jatin Katyal
- Do rate helpful posts -
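The exchange the configuration above sets up, as an added example that is not part of the original thread or of any Cisco software: the ASA (the NAS) sends RFC 2866 Accounting-Request packets carrying a Start and a Stop record per session, and the server recomputes the Request Authenticator with the shared secret before it records anything. The secret reuses the placeholder "secretkey" from the config, the NAS address, framed address and session id are constructed, and the RADIUS packet format follows RFC 2865/2866.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2866: code 4 is Accounting-Request. Attribute numbers are the standard ones;
# the shared secret reuses the placeholder from the ASA config and is not a real key.
ACCOUNTING_REQUEST = 4
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Framed-IP-Address": 8,
        "Acct-Status-Type": 40, "Acct-Session-Id": 44,
        "Acct-Session-Time": 46, "Acct-Terminate-Cause": 49}
ATTR_NAME = {num: name for name, num in ATTR.items()}
IP_ATTRS, INT_ATTRS = {4, 8}, {40, 46, 49}
STATUS_NAME = {1: "Start", 2: "Stop", 3: "Interim-Update"}
SHARED_SECRET = b"secretkey"


def encode_attrs(attrs):
    """attrs: list of (name, value); dotted IPv4 for address attributes,
    int for integer attributes, str for the rest (TLV: type, length, value)."""
    out = b""
    for name, value in attrs:
        num = ATTR[name]
        if num in IP_ATTRS:
            data = socket.inet_aton(value)
        elif num in INT_ATTRS:
            data = struct.pack("!I", value)
        else:
            data = value.encode()
        out += struct.pack("!BB", num, len(data) + 2) + data
    return out


def build_accounting_request(identifier, attrs, secret=SHARED_SECRET):
    """NAS side. Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret=SHARED_SECRET):
    """Server side: recompute the authenticator with the configured secret and
    reject on mismatch, so a wrong 'key' on the ASA yields no accounting record."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch (wrong secret or tampered packet)")
    attrs, pos = {"Identifier": identifier}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        num, alen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + alen]
        if num in IP_ATTRS:
            value = socket.inet_ntoa(data)
        elif num in INT_ATTRS:
            value = struct.unpack("!I", data)[0]
        else:
            value = data.decode(errors="replace")
        attrs[ATTR_NAME.get(num, "Attr-%d" % num)] = value
        pos += alen
    if "Acct-Status-Type" in attrs:
        attrs["Acct-Status-Type"] = STATUS_NAME.get(attrs["Acct-Status-Type"],
                                                    attrs["Acct-Status-Type"])
    return attrs


def session_report(records):
    """Pair Start and Stop records by Acct-Session-Id: the per-session view
    that the ACS RADIUS Accounting report presents."""
    sessions = {}
    for rec in records:
        sess = sessions.setdefault(rec["Acct-Session-Id"],
                                   {"user": rec.get("User-Name"), "started": False, "stopped": False})
        if rec["Acct-Status-Type"] == "Start":
            sess["started"] = True
            sess["framed_ip"] = rec.get("Framed-IP-Address")
        elif rec["Acct-Status-Type"] == "Stop":
            sess["stopped"] = True
            sess["session_time"] = rec.get("Acct-Session-Time")
            sess["terminate_cause"] = rec.get("Acct-Terminate-Cause")
    return sessions


def sample_exchange():
    """Constructed Start/Stop pair for one session (addresses and id are made up)."""
    common = [("User-Name", "st"), ("NAS-IP-Address", "192.168.1.1"),
              ("Acct-Session-Id", "0x1A2B3C"), ("Framed-IP-Address", "10.10.10.5")]
    start = build_accounting_request(17, common + [("Acct-Status-Type", 1)])
    stop = build_accounting_request(18, common + [("Acct-Status-Type", 2),
                                                  ("Acct-Session-Time", 3600),
                                                  ("Acct-Terminate-Cause", 1)])  # 1 = User Request
    return start, stop


if __name__ == "__main__":
    start, stop = sample_exchange()
    print(session_report([parse_accounting_request(p) for p in (start, stop)]))
    try:
        parse_accounting_request(stop, secret=b"wrong-key")
    except ValueError as err:
        print("rejected:", err)
```

The point of the server-side check is the failure mode the post describes: when the key on the ASA and on ACS differ, the ASA still sends the packet (visible in debug radius) but the server discards it, so the accounting report stays empty. Acct-Session-Time in the Stop record is what gives session length; Start and Stop timestamps on the server give logon and logoff times.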
02-24-2013 09:12 AM
Many thanks Jatin
I was just logging in with an update to say I had this working with both syslog and RADIUS accounting. RADIUS is obviously better, but logging is giving acceptable information with:
logging list Anyconnect message 113015
logging list Anyconnect message 113019
logging list Anyconnect message 716002
logging list Anyconnect message 722051
logging trap Anyconnect
logging facility 16
logging device-id string VPN-ASA
logging host inside x.x.x.x
I think I just needed to find the time and brain cells to invest in finding this, but many thanks for the response.
St.
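What the syslog side of that configuration yields on the collector, as an added example that is not part of the thread: a small parser that keeps only the four message IDs in the logging list above and turns them into failed authentications and per-session logon/logoff/duration records. The sample lines are constructed in the general shape of ASA messages 113015, 113019, 716002 and 722051 (the exact wording on a given ASA release may differ), the hostname is the device-id string from the config, and the addresses come from documentation ranges.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (shape approximates the ASA messages; not captured output).
SAMPLE_LOG = """\
Feb 24 2013 09:05:12 VPN-ASA : %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = st : user IP = 203.0.113.7
Feb 24 2013 09:05:40 VPN-ASA : %ASA-6-722051: Group <RemoteAccess> User <st> IP <203.0.113.7> IPv4 Address <10.10.10.5> IPv6 address <::> assigned to session
Feb 24 2013 09:06:10 VPN-ASA : %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.10.10.5/50123 (10.10.10.5/50123)
Feb 24 2013 09:06:55 VPN-ASA : %ASA-4-113019: Group = RemoteAccess, Username = st, IP = 203.0.113.7, Session disconnected. Session Type: SSL, Duration: 0h:01m:15s, Bytes xmt: 12345, Bytes rcv: 6789, Reason: User Requested
Feb 24 2013 09:06:55 VPN-ASA : %ASA-6-716002: Group <RemoteAccess> User <st> IP <203.0.113.7> WebVPN session terminated: User Requested.
this line is not a syslog record and is skipped
"""

# Header: timestamp, device-id, then the %ASA-<severity>-<id>: message body.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) : "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
REJECT = re.compile(r"reason = (?P<reason>[^:]+?) : .*user = (?P<user>\S+)"
                    r"(?: : user IP = (?P<ip>\S+))?")
ASSIGN = re.compile(r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> "
                    r"IPv4 Address <(?P<v4>[^>]+)>")
DISCONNECT = re.compile(r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), "
                        r".*Duration: (?P<dur>\d+h:\d+m:\d+s).*Reason: (?P<reason>.+)$")
TERMINATE = re.compile(r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> "
                       r"WebVPN session terminated: (?P<reason>.+?)\.?$")


def parse_ts(text):
    return datetime.strptime(text, "%b %d %Y %H:%M:%S")


def duration_seconds(text):
    """'0h:01m:15s' -> 75"""
    h, m, s = (int(x) for x in re.match(r"(\d+)h:(\d+)m:(\d+)s", text).groups())
    return h * 3600 + m * 60 + s


def summarize(log_text):
    """Return failed authentications, completed sessions (logon, logoff, duration)
    and sessions still open, keyed by (user, public IP) as the ASA reports them."""
    failed, open_sessions, sessions = [], {}, []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an ASA syslog record
        ts, msgid, body = parse_ts(m["ts"]), m["msgid"], m["body"]
        if msgid == "113015":
            r = REJECT.search(body)
            if r:
                failed.append({"time": ts, "user": r["user"], "ip": r["ip"],
                               "reason": r["reason"].strip()})
        elif msgid == "722051":  # address assigned: treat as session logon
            r = ASSIGN.search(body)
            if r:
                open_sessions[(r["user"], r["ip"])] = {
                    "user": r["user"], "group": r["group"], "public_ip": r["ip"],
                    "assigned_ip": r["v4"], "logon": ts}
        elif msgid in ("113019", "716002"):  # both announce the end of a session
            r = (DISCONNECT if msgid == "113019" else TERMINATE).search(body)
            if not r:
                continue
            sess = open_sessions.pop((r["user"], r["ip"]), None)
            if sess is None:
                continue  # 716002 usually follows 113019 for the same session; already closed
            sess["logoff"] = ts
            sess["reason"] = r["reason"].strip()
            sess["elapsed_s"] = int((ts - sess["logon"]).total_seconds())
            # 113019 carries the ASA's own Duration field; cross-check it against the timestamps
            sess["duration_s"] = duration_seconds(r["dur"]) if msgid == "113019" else sess["elapsed_s"]
            sessions.append(sess)
    return {"failed_auths": failed, "sessions": sessions,
            "still_open": list(open_sessions.values())}


if __name__ == "__main__":
    for key, rows in summarize(SAMPLE_LOG).items():
        print(key, rows)
```

Because syslog over UDP carries no integrity protection and messages can be lost, the elapsed time computed from the collector's timestamps and the Duration field reported in 113019 are kept side by side; a gap between them, or a session that never leaves still_open, flags missing messages rather than a real long-running session.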
02-24-2013 12:29 PM
Glad to know the issue has been resolved. I appreciate your efforts too.
Jatin Katyal
01-06-2017 05:26 AM
Hi Jatin,
Can you tell us whether VPN accounting is possible on a Cisco ASA, e.g. if I want to check which devices users accessed after connecting to the VPN (remote access VPN, with the Cisco VPN Client) through ACS?
Thanks
Appreciate your response