ASA VPN AnyConnect After forcing logout, how to check who did it

ken_maruu
Level 1

Hi there,

ASA Ver: 9.16(2)7

ASDM Ver: 7.16(1)150

We have three administrative users who can use ASDM.

When one of them forces a user's session to log out, is there any way to check who did it?

Any advice would be appreciated.

1 Accepted Solution

With RADIUS you can do authentication, but you won't be able to check who issued which command and when. TACACS is more robust and gives you more insight into it.

The logs are more about traffic through the box (connection entries, teardown of connections, etc.), but the logs will not tell you who/when/what commands were issued by a rogue admin.

It seems like in your network there is a lack of trust among all the people with admin access (apologies if you don't like that).

please do not forget to rate.


8 Replies

balaji.bandi
Hall of Fame

Maybe you need to correlate the logs: the time the user was kicked, and the audit log of who logged in to administration.

BB


Hi Balaji,

Thank you for your answer.

How can I correlate the logs?

If you know the command on ASA or setting change on ASDM, please let me know.

Otherwise, if you implement TACACS authentication with authorization and accounting (ISE provides built-in TACACS functionality),

you will have a central record of who/when/how issued what command on the ASA.

please do not forget to rate.
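As an added example of the TACACS+ AAA configuration the reply above points to (written for this thread; not code from the original post or from any Cisco document), the following ASA commands tie each management login to an individual username and send a per-command accounting record to the TACACS+ server. The server group name, interface name, server IP and key are placeholders (assumed values), and the commands themselves are the standard ASA `aaa` syntax.

```text
! Define a TACACS+ server group (group name, interface, IP and key are placeholders)
aaa-server TACACS-ADMINS protocol tacacs+
aaa-server TACACS-ADMINS (inside) host 192.0.2.10
 key <TACACS-SHARED-SECRET>

! Authenticate every management login (SSH, ASDM/HTTPS and enable) against the
! TACACS+ group, falling back to the local database only if the servers are
! unreachable, so each admin session is tied to an individual username
aaa authentication ssh console TACACS-ADMINS LOCAL
aaa authentication http console TACACS-ADMINS LOCAL
aaa authentication enable console TACACS-ADMINS LOCAL

! Ask the TACACS+ server before each command is executed (per-command
! authorization); the LOCAL fallback applies only when the group is down
aaa authorization command TACACS-ADMINS LOCAL

! Send an accounting record for every command executed, including the CLI
! commands ASDM issues on behalf of the logged-in admin, so the server holds
! the who/when/what record that the ASA syslog alone does not give you
aaa accounting command TACACS-ADMINS
aaa accounting ssh console TACACS-ADMINS
aaa accounting enable console TACACS-ADMINS
```

After applying this, `show running-config aaa` shows the resulting policy, and `test aaa-server authentication TACACS-ADMINS host 192.0.2.10 username <user> password <pass>` confirms the ASA can reach the server before you rely on the fallback.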

Hi Sheraz,

Thank you for your answer.

Could you please tell me what commands I need to configure on ASA?

Is it possible to see these logs on ASDM?

@ken_maruu The first question is: are you running Cisco Identity Service Engine (ISE) in your production network? If yes, you have to make sure you have a license on ISE to use TACACS.

Here, check this link.

I have attached a good document; have a look at it.

please do not forget to rate.

Thank you for the reply.

I'm not running ISE in my production network, and I'm not using TACACS either.

I’m using a third party appliance as the RADIUS.

Is there any way to check the log (when/who/what) by configuring the ASA or ASDM?


Unfortunately, it seems there is no way to check who forced a user to log out in my production network.
I'll consider using TACACS next time, if I have an opportunity to build a production network like this.

Thanks a lot.