Tracking / logging / accounting information on users using VPN

bberry
Level 1

OK, I know this may be a crazy question, but what are my options for starting to easily collect accounting-type information on my VPN users? I am looking for information on things such as when they connected and/or disconnected, how much data was transferred, what profile or group they connected to, failed logon attempts, etc. Basically, some way to see a historical collection of the data displayed when monitoring live VPN connections. I know a lot of this is in the log file, but my log grows by an average of 350M a day.

Here is the issue I am trying to address. We have VPN access for our users. We have several profiles configured depending on things like: is the user part of the sales force, marketing, IT, etc.? Are they connecting with a corporate asset or a personal asset? Are they connecting using the AnyConnect client or one of the SSL portals? Things like that. Management would now like a way to at least keep track of who connected when and how often they connected. I am not sure if I could get failed attempts or not, but it might be a nice feature. We use AD authentication and security groups to validate that you have access to a specific profile, so I have been relying on parsing through the log file every so often to get who logged on and how many times, but that is a very manual task.

I do not even know where to begin on a better way. It looks like the accounting stuff is more related to RADIUS authentication than AD, but I could be missing something. Maybe we need to pass through RADIUS from AD to be able to collect this type of information? Maybe there is someplace else to pass the log files to assist? Is there something on the ASA itself that will assist with this, or is there a Cisco or third-party product that could be integrated to assist with this? What are others out here doing to collect this and similar information? Surely there is a way to do this.

I just figured this would be a good place to start to see what our options are. I have a feeling that if there's not something that can assist, then management will be having us scrap Cisco VPN and move to something else.

Brent

1 Reply

Marcin Latosiewicz
Cisco Employee

Brent, 

Most of the info you're looking for is already present in accounting messages. 

This is a snippet of an example accounting Stop message:

       AVP: l=6  t=Acct-Status-Type(40): Stop(2)
           Acct-Status-Type: Stop (2)
       AVP: l=6  t=Acct-Delay-Time(41): 2
           Acct-Delay-Time: 2
       AVP: l=6  t=Acct-Input-Octets(42): 5121
           Acct-Input-Octets: 5121
       AVP: l=6  t=Acct-Output-Octets(43): 127373
           Acct-Output-Octets: 127373
       AVP: l=10  t=Acct-Session-Id(44): 1CA00008
           Acct-Session-Id: 1CA00008
       AVP: l=6  t=Acct-Authentic(45): RADIUS(1)
           Acct-Authentic: RADIUS (1)
       AVP: l=6  t=Acct-Session-Time(46): 21
           Acct-Session-Time: 21
       AVP: l=6  t=Acct-Input-Packets(47): 54
           Acct-Input-Packets: 54
       AVP: l=6  t=Acct-Output-Packets(48): 131
           Acct-Output-Packets: 131
       AVP: l=6  t=Acct-Terminate-Cause(49): User-Request(1)

(in this case SSL) 

If you don't want to filter/process your syslogs you'd need to rely on this.

You can keep authentication with LDAP/AD and just use RADIUS accounting if you choose to.

As to what type of endpoint it is, the only reasonable way I know is to extract this from vpn-sessiondb, where for AnyConnect sessions you will have endpoint information.

Now, accounting messages just provide the info about the start and stop of a session; you'd need to rely on a RADIUS server/app to provide reporting if that's what you're looking to do.

ACS is doing a pretty decent job of this if you're looking for Cisco. 

Maybe also punt something to AAA portions of support forums if you're looking for other software. 

My 2c. 

M.
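The reply shows the attributes an ASA puts in a RADIUS accounting Stop record but leaves the collector side to "a RADIUS server/app". The following Python is an added example, not code from the thread or from Cisco, of the minimum such a collector has to do: verify the Request Authenticator of each Accounting-Request (RFC 2866: MD5 over the header, 16 zero octets, the attributes and the shared secret), decode the attributes from the dissector output above (the `l=6` in the snippet is the 2-byte TLV header plus a 4-byte integer), and pair Start/Stop records by Acct-Session-Id into the per-user history the question asks for. It assumes the records also carry the standard User-Name attribute (type 1), which the snippet does not show, and uses a constructed shared secret, a made-up user "jdoe" and the byte counts from the reply as sample input; it reads packets from memory rather than from UDP/1813.

```python
import hashlib
import hmac
import struct

# RADIUS accounting (RFC 2866) constants. Attribute numbers match the
# dissector output in the reply (Acct-Status-Type(40), Acct-Input-Octets(42), ...).
ACCOUNTING_REQUEST = 4
INTEGER_ATTRS = {
    40: "Acct-Status-Type", 41: "Acct-Delay-Time", 42: "Acct-Input-Octets",
    43: "Acct-Output-Octets", 45: "Acct-Authentic", 46: "Acct-Session-Time",
    47: "Acct-Input-Packets", 48: "Acct-Output-Packets", 49: "Acct-Terminate-Cause",
}
STRING_ATTRS = {1: "User-Name", 44: "Acct-Session-Id"}  # User-Name assumed, not in the snippet
START, STOP = 1, 2
TERMINATE_CAUSE = {1: "User-Request", 4: "Idle-Timeout", 5: "Session-Timeout", 6: "Admin-Reset"}


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs; integers are 4 bytes big-endian, hence l=6."""
    out = b""
    for t, v in attrs:
        val = struct.pack(">I", v) if isinstance(v, int) else v.encode()
        out += struct.pack(">BB", t, len(val) + 2) + val
    return out


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request the way a NAS (here, the ASA) would send it."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # Request Authenticator: MD5(header || 16 zero octets || attributes || shared secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Verify the Request Authenticator, then decode attributes into a dict.

    Raises ValueError on malformed input or a bad authenticator, so a record that
    was not produced by a NAS holding the shared secret never reaches the log."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Request Authenticator mismatch: wrong secret or tampered packet")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            raise ValueError("bad attribute length")
        val = body[pos + 2:pos + l]
        if t in INTEGER_ATTRS and len(val) == 4:
            attrs[INTEGER_ATTRS[t]] = struct.unpack(">I", val)[0]
        elif t in STRING_ATTRS:
            attrs[STRING_ATTRS[t]] = val.decode("utf-8", errors="replace")
        else:
            attrs["Attr-%d" % t] = val  # unknown or vendor attribute, kept raw
        pos += l
    return attrs


def summarize_sessions(packets, secret):
    """Pair Start/Stop records by Acct-Session-Id: who, how long, how much data, why it ended."""
    sessions = {}
    for pkt in packets:
        a = parse_accounting_request(pkt, secret)
        s = sessions.setdefault(a["Acct-Session-Id"], {"user": a.get("User-Name"), "complete": False})
        if a.get("Acct-Status-Type") == START:
            s["started"] = True
        elif a.get("Acct-Status-Type") == STOP:
            s["complete"] = True
            s["seconds"] = a.get("Acct-Session-Time", 0)
            s["bytes"] = a.get("Acct-Input-Octets", 0) + a.get("Acct-Output-Octets", 0)
            s["cause"] = TERMINATE_CAUSE.get(a.get("Acct-Terminate-Cause"), "Unknown")
    return sessions


# Constructed sample: a Start record plus the Stop record from the reply, for a made-up user.
SECRET = b"example-shared-secret"  # placeholder; in practice the ASA/RADIUS shared secret
START_ATTRS = [(1, "jdoe"), (40, START), (44, "1CA00008"), (45, 1)]
STOP_ATTRS = [(1, "jdoe"), (40, STOP), (41, 2), (42, 5121), (43, 127373), (44, "1CA00008"),
              (45, 1), (46, 21), (47, 54), (48, 131), (49, 1)]
SAMPLE_PACKETS = [build_accounting_request(6, START_ATTRS, SECRET),
                  build_accounting_request(7, STOP_ATTRS, SECRET)]

if __name__ == "__main__":
    for sid, s in summarize_sessions(SAMPLE_PACKETS, SECRET).items():
        print(sid, s)
```

Sessions that have a Start but never get a Stop (`complete` stays False) are worth reporting too: they show up when a NAS reboots or when accounting packets are lost, and RFC 2866 only guarantees delivery through retransmission by the NAS. Failed logon attempts are not part of accounting at all; they would come from the authentication side (Access-Reject on the RADIUS server, or the ASA syslog), which is why the reply points at the RADIUS server's own reporting for that.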