Logging VPN Authentication Attempts

Peter Sheridan
Level 1

Hello,

I've got a client who wants to log and be emailed about each successful/failed Cisco Easy VPN Login attempt.

Can anyone point me in the right direction of doing this?

I assume it will need to be done with something like syslog but just not sure where to start looking.

Cheers

Peter Sheridan

5 Replies

johnlloyd_13
Level 9

Hi Peter,

You'll need the 'crypto logging session' and 'crypto logging ezvpn' commands enabled aside from the normal syslog config or setup.

Sent from Cisco Technical Support iPhone App

Thanks John.

After that happens, I assume something will need to be configured on the syslog server to email a user based on certain results?

Yes, if your syslog server supports such customized feature.

Sent from Cisco Technical Support iPhone App

No Worries - Leave it with me and I'll post back my results

Peter Sheridan
Level 1

I know this post is a year old but I have recently had to revisit this so thought I would post back my results.

What I found was that the commands 'crypto logging session' and 'crypto logging ezvpn' were not working. My understanding is that my AnyConnect system is using SSL VPN, not IPSEC, hence that is why it was not working.

I did a bit of googling and couldn't find any logging options for SSL VPN/AnyConnect. There were plenty of debug options though.

After turning on debugging for aaa using the following command, 'debug webvpn aaa', the messages below were generated.

WV-AAA: AAA authentication request sent for user: "demo"
WV-AAA: AAA Authentication Passed!
WV-AAA: AAA authentication request sent for user: "demo"
WV-AAA: AAA Authentication Failed!

This worked great, but since it was using the debug option, I would lose the logging after a reload.

Then I came across these commands

login on-failure log
login on-success log

These are more of a global option that logs not just successes/failures for WebVPN but also things like SSH, Telnet sessions etc.

%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: demo] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed]
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: demo] [Source: 1.1.1.1] [localport: 443]
%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: demo] [Source: 1.1.1.1] [localport: 443] [Reason: Login Authentication Failed]

Perfect! A summary of the config is below. It may not be the best way to do it, but it works for me.

!
login on-failure log
login on-success log
!
logging trap debugging
logging 192.168.100.10
!

service timestamps debug datetime localtime
service timestamps log datetime localtime
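The thread leaves the syslog-server side open: John notes that emailing on certain results depends on the syslog server supporting such a feature, and Peter's final post shows that the %SEC_LOGIN messages cover SSH and Telnet as well as WebVPN, so the VPN attempts have to be picked out by localport. The script below is an added example, not code from the thread or from Cisco: it parses %SEC_LOGIN-4-LOGIN_FAILED and %SEC_LOGIN-5-LOGIN_SUCCESS lines in the exact shape quoted above, keeps only the port-443 (WebVPN) logins, counts failures per source address, and builds the notification email. The timestamp/hostname prefix on the sample lines, the failure threshold of 2, and the sender/recipient addresses are assumptions.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample log in the shape produced by 'login on-success log' and
# 'login on-failure log'. The "Jan 10 ... gw01 1234:" prefix is an assumption
# about how the syslog server stores each line; the %SEC_LOGIN part follows
# the messages quoted in the thread.
SAMPLE_LOG = """\
Jan 10 09:12:01 gw01 1234: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: demo] [Source: 1.1.1.1] [localport: 443]
Jan 10 09:12:05 gw01 1235: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: demo] [Source: 1.1.1.1] [localport: 443] [Reason: Login Authentication Failed]
Jan 10 09:12:09 gw01 1236: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 443] [Reason: Login Authentication Failed]
Jan 10 09:12:11 gw01 1237: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 443] [Reason: Login Authentication Failed]
Jan 10 09:12:14 gw01 1238: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
Jan 10 09:13:00 gw01 1239: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: demo] [Source: UNKNOWN] [localport: 22] [Reason: Login Authentication Failed]
"""

# Matches the %SEC_LOGIN message body; the syslog prefix is ignored via search().
SEC_LOGIN_RE = re.compile(
    r"%SEC_LOGIN-(?P<sev>\d)-(?P<mnemonic>LOGIN_SUCCESS|LOGIN_FAILED): "
    r"Login (?:Success|failed) "
    r"\[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<source>[^\]]*)\] "
    r"\[localport: (?P<port>\d+)\]"
    r"(?: \[Reason: (?P<reason>[^\]]*)\])?"   # only present on failures
)


def parse_line(line):
    """Return a dict for a %SEC_LOGIN line, or None for any other syslog line."""
    m = SEC_LOGIN_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["success"] = event["mnemonic"] == "LOGIN_SUCCESS"
    event["port"] = int(event["port"])
    return event


def parse_log(text):
    """Parse every %SEC_LOGIN line in a block of syslog text."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def vpn_events(events, vpn_port=443):
    """Keep only WebVPN/AnyConnect logins. SSH (22) and Telnet (23) produce the
    same message, so localport is the only field that tells them apart."""
    return [e for e in events if e["port"] == vpn_port]


def failures_by_source(events):
    """Count failed logins per source address (UNKNOWN is counted as its own key)."""
    return Counter(e["source"] for e in events if not e["success"])


def flag_sources(events, threshold=2):
    """Sources with at least `threshold` failed logins (threshold is an assumption)."""
    return sorted(src for src, n in failures_by_source(events).items() if n >= threshold)


def build_alert(events, threshold=2,
                sender="syslog@example.com", recipient="noc@example.com"):
    """Build the notification email; pass the result to smtplib.SMTP.send_message
    to actually deliver it. Addresses are placeholders."""
    lines = []
    for e in events:
        outcome = "SUCCESS" if e["success"] else "FAILED"
        reason = f" ({e['reason']})" if e["reason"] else ""
        lines.append(f"{outcome:7} user={e['user']} from {e['source']} "
                     f"port {e['port']}{reason}")
    flagged = flag_sources(events, threshold)
    lines.append("")
    lines.append(f"Sources with >= {threshold} failures: "
                 + (", ".join(flagged) if flagged else "none"))

    msg = EmailMessage()
    msg["Subject"] = f"VPN login report: {len(events)} attempts, {len(flagged)} flagged"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    print(build_alert(vpn_events(parse_log(SAMPLE_LOG))))
```

Run it against the syslog server's file (for example with `tail -F` piped into `parse_log`), or wire `build_alert` to a cron job that covers the last interval; because the %SEC_LOGIN source for the port-22 attempt in the thread is UNKNOWN, counting by source will not catch every failure, so the per-line listing stays in the mail as well.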