08-16-2022 10:59 PM
Hi there,
ASA Ver: 9.16(2)7
ASDM Ver: 7.16(1)150
We have three administrative users who can use ASDM.
When one of them forces another user to log out, is there any way to check who did it?
Any advice would be appreciated.
08-17-2022 06:57 AM
With RADIUS you can do authentication, but you won't be able to check who issued which command when. TACACS is more robust and gives you more insight into it.
Logs are more about traffic through the box (connection entries, connection teardown, etc.), but logs will not tell you who/when/what commands were issued by a rogue admin.
It seems like in your network there is a lack of trust between the people with admin access (apologies if you don't like that).
08-17-2022 12:22 AM
Maybe you need to correlate the logs: the time the user was kicked, and the audit log of who was logged in to administration.
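One way to do the correlation suggested above, as an added example that is not part of the thread: parse the ASA's syslog, pair management logins with logouts, and for every VPN session disconnect whose reason is an administrator reset, list the admins whose management session was open at that instant. The log lines in the script are constructed to resemble ASA messages 605005 (login permitted), 611103 (user logged out) and 113019 (session disconnected); the host name, user names and addresses are hypothetical, the year is assumed because syslog timestamps carry none, and the "Administrator Reset" reason string is an assumption about how an admin-initiated logoff appears.

```python
"""Correlate admin-initiated VPN disconnects on an ASA with the admin sessions
open at that moment (added example, not from the thread).

Parses ASA syslog text and, for every session disconnect whose reason is
"Administrator Reset", reports which management users were logged in.
"""
import re
from datetime import datetime

YEAR = 2022  # ASA syslog timestamps carry no year; assumed for the sample

# Constructed sample syslog. Host, users and addresses are hypothetical; the
# formats mimic ASA messages 605005 (login permitted), 611103 (user logged
# out) and 113019 (VPN session disconnected).
SAMPLE_LOG = """\
Aug 16 22:40:03 asa01 %ASA-6-605005: Login permitted from 10.0.0.11/51234 to inside:10.0.0.1/https for user "alice"
Aug 16 22:45:10 asa01 %ASA-6-605005: Login permitted from 10.0.0.12/51300 to inside:10.0.0.1/https for user "bob"
Aug 16 22:50:00 asa01 %ASA-6-611103: User logged out: Uname: alice
Aug 16 22:55:30 asa01 %ASA-4-113019: Group = RA-VPN, Username = jsmith, IP = 203.0.113.7, Session disconnected. Session Type: AnyConnect-Parent, Duration: 2h:10m:05s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: Administrator Reset
Aug 16 23:05:00 asa01 %ASA-6-605005: Login permitted from 10.0.0.13/51400 to inside:10.0.0.1/https for user "carol"
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
LOGIN_RE = re.compile(r'Login permitted from (?P<src>\S+) to \S+ for user "(?P<user>[^"]+)"')
LOGOUT_RE = re.compile(r"User logged out: Uname: (?P<user>\S+)")
DISCONNECT_RE = re.compile(
    r"Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), Session disconnected\..*Reason: (?P<reason>.+)$"
)


def parse_events(text):
    """Return (kind, timestamp, user, extra) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ASA message this example understands
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        body, msgid = m["body"], m["msgid"]
        if msgid == "605005" and (lm := LOGIN_RE.search(body)):
            events.append(("admin_login", ts, lm["user"], lm["src"]))
        elif msgid == "611103" and (lm := LOGOUT_RE.search(body)):
            events.append(("admin_logout", ts, lm["user"], None))
        elif msgid == "113019" and (dm := DISCONNECT_RE.search(body)):
            events.append(("vpn_disconnect", ts, dm["user"].strip(), dm["reason"].strip()))
    return events


def admin_sessions(events):
    """Pair logins with logouts into intervals; an unmatched login is still open.

    Keyed by user name only, because the logout message carries no source
    address, so two concurrent sessions of the same user collapse into one.
    """
    open_by_user, sessions = {}, []
    for kind, ts, user, extra in events:
        if kind == "admin_login":
            open_by_user[user] = (ts, extra)
        elif kind == "admin_logout" and user in open_by_user:
            start, src = open_by_user.pop(user)
            sessions.append({"user": user, "src": src, "start": start, "end": ts})
    for user, (start, src) in open_by_user.items():
        sessions.append({"user": user, "src": src, "start": start, "end": None})
    return sessions


def admins_logged_in(at, sessions):
    """Users whose management session spans the instant `at`."""
    return sorted(
        s["user"] for s in sessions
        if s["start"] <= at and (s["end"] is None or at <= s["end"])
    )


def correlate(text):
    """For each admin-initiated VPN disconnect, list the candidate admins."""
    events = parse_events(text)
    sessions = admin_sessions(events)
    return [
        {"when": ts, "vpn_user": user, "admins_logged_in": admins_logged_in(ts, sessions)}
        for kind, ts, user, reason in events
        if kind == "vpn_disconnect" and reason == "Administrator Reset"
    ]


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(f"{hit['when']:%Y-%m-%d %H:%M:%S} {hit['vpn_user']} was logged off; "
              f"admins logged in at that time: {', '.join(hit['admins_logged_in']) or 'none'}")
```

This needs the ASA to send syslog with timestamps to a collector (the sample reads a string; point it at your exported syslog file). It narrows the question to candidates only: if several admins had ASDM sessions open at the time of the logoff, the log cannot say which one issued it, which is exactly the gap the accepted answer describes and why command accounting is the real fix.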
08-17-2022 05:09 AM
Hi balaji,
Thank you for your answer.
How can I correlate the logs?
If you know the command on the ASA or the setting to change in ASDM, please let me know.
08-17-2022 02:27 AM
Not unless you implement TACACS authentication with authorization and accounting. ISE provides built-in TACACS functionality.
You will have a central record of who/when/how issued what command on the ASA.
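What the ASA side of that setup looks like, as an added example and not configuration from the thread: a TACACS+ server group for admin authentication, command authorization and command accounting. The group name TACACS-SRV, the interface, the server address and the key are placeholders.

```text
! Added example, not from the thread. TACACS-SRV, the interface, the
! address and the key are placeholders to be replaced.
aaa-server TACACS-SRV protocol tacacs+
aaa-server TACACS-SRV (inside) host 192.0.2.10
 key <shared-secret>
!
! Authenticate management access (SSH, ASDM over HTTPS, enable) against
! TACACS+, falling back to the local user database only if the server group
! is unreachable, so a local break-glass account can still get in.
aaa authentication ssh console TACACS-SRV LOCAL
aaa authentication http console TACACS-SRV LOCAL
aaa authentication enable console TACACS-SRV LOCAL
!
! Command authorization, and the part that answers the question: command
! accounting. Every command at privilege 1 or above is reported to the
! TACACS+ server with the user name and time.
aaa authorization command TACACS-SRV LOCAL
aaa accounting command privilege 1 TACACS-SRV
aaa accounting ssh console TACACS-SRV
aaa accounting enable console TACACS-SRV
```

Two things to check before relying on it: ASDM issues CLI commands on the ASA on behalf of the logged-in user, so an ASDM-driven logoff is accounted under that user's name like any other command; and the ASA only accepts a TACACS+ group (or LOCAL) for `aaa authorization command` and `aaa accounting command`, which is why a RADIUS-only appliance cannot provide this record.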
08-17-2022 05:06 AM
Hi Sheraz,
Thank you for your answer.
Could you please tell me what commands I need to configure on the ASA?
Is it possible to see these logs in ASDM?
08-17-2022 06:27 AM
@ken_maruu The first question is: are you running Cisco Identity Services Engine (ISE) in your production network? If yes, you have to make sure you have a license on ISE to use TACACS.
Here, check this link.
I have attached a good document; have a look at it.
08-17-2022 06:47 AM
Thank you for the reply.
I'm not running ISE in my production network, and I'm not using TACACS either.
I'm using a third-party appliance as the RADIUS server.
Is there any way to check the log (who/when/what) by configuring something on the ASA or in ASDM?
08-17-2022 07:33 AM
Unfortunately, it seems like there is no way to check who forced a user to log out in my production network.
I'll consider using TACACS next time, if I have an opportunity to build a production network like this.
Thanks a lot.