01-15-2015 11:21 AM
OK, I know this may be a crazy question but what are my options in starting to easily collect accounting type information on my VPN users. I am looking for information on things such as when they connected and or disconnected, how much data was transferred, what profile or group they connected to, failed log on attempts, etc. Basically some way to see a historical collection of data displayed under when monitoring live VPN connection. I know a lot of this is in the log file but my log grows by an average of 350M a day.
Here is the issue I am trying to address. We have VPN access for our users. We have several profiles configured depending on things like is the user part of the sales force, marketing, IT, etc. Are they connecting with a corporate asset or a personal asset? Are they connecting using the AnyConnect client or one of the SSL portals? Things like that. Management would now like a way to at least keep track of who connected when and how often they connected. I am not sure if I could get failed attempts or not but might be a nice feature though. We use AD authentication and security groups to validate that you have access to a specific profile so have been relying on parsing through the log file every so often to get who logged on and how many times but that is a very manual task.
I do not even know where to begin on a better way. It looks like the accounting stuff is more related to Radius authentication than AD but I could be missing something. Maybe we need to pass through radius from AD to be able to collect this type of information? Maybe there is someplace else to pass the log files to assist? Is there something on the ASA itself that will assist with this or is there a Cisco or third party product that could be integrated to assist with this? What are others out here doing to collect this and similar information? Surely there is a way to do this.
I just figured this would be a good place to start to see what our options are. I have a feeling that if there's not something that can assist then management will be having us scrap Cisco VPN and move to something else.
Brent
01-16-2015 04:52 AM
Brent,
Most of the info you're looking for is already present in accounting messages.
This is a snippet of an example accounting stop message
AVP: l=6 t=Acct-Status-Type(40): Stop(2)
    Acct-Status-Type: Stop (2)
AVP: l=6 t=Acct-Delay-Time(41): 2
    Acct-Delay-Time: 2
AVP: l=6 t=Acct-Input-Octets(42): 5121
    Acct-Input-Octets: 5121
AVP: l=6 t=Acct-Output-Octets(43): 127373
    Acct-Output-Octets: 127373
AVP: l=10 t=Acct-Session-Id(44): 1CA00008
    Acct-Session-Id: 1CA00008
AVP: l=6 t=Acct-Authentic(45): RADIUS(1)
    Acct-Authentic: RADIUS (1)
AVP: l=6 t=Acct-Session-Time(46): 21
    Acct-Session-Time: 21
AVP: l=6 t=Acct-Input-Packets(47): 54
    Acct-Input-Packets: 54
AVP: l=6 t=Acct-Output-Packets(48): 131
    Acct-Output-Packets: 131
AVP: l=6 t=Acct-Terminate-Cause(49): User-Request(1)
(in this case SSL)
If you don't want to filter/process your syslogs you'd need to rely on this.
You can keep authentication with LDAP/AD and just use RADIUS accounting if you choose to.
As to what type of endpoint it is, the only reasonable way I know is to extract this from vpn-sessiondb.
Where for anyconnect sessions you will have endpoint information.
Now accounting messages just provide the info about start and stop of a session, you'd need to rely on RADIUS server/app to provide reporting if that's what you're looking to do.
ACS is doing a pretty decent job of this if you're looking for Cisco.
Maybe also punt something to AAA portions of support forums if you're looking for other software.
My 2c.
M.
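As an added illustration, not part of the reply above and not Cisco or ACS code: a small Python parser for the Wireshark-style AVP dump format shown in the reply, pairing Start and Stop records by Acct-Session-Id and totalling session time and bytes per user, which is the kind of report a RADIUS server or app would produce. The sample records and the User-Name attribute are constructed (the snippet above carries no user name); the Stop record mirrors the snippet's values.

```python
import re
from collections import defaultdict

# One Wireshark-style attribute looks like "AVP: l=6 t=Acct-Session-Time(46): 21".
# Enumerated values are dumped as "Stop(2)" or "User-Request(1)"; the trailing
# "(n)" is stripped so the dict holds the symbolic name only.
AVP_RE = re.compile(r"AVP: l=\d+ t=([\w-]+)\(\d+\): (\S+)")

def parse_avps(line):
    """Return {attribute-name: value} for one dumped accounting packet."""
    return {name: re.sub(r"\(\d+\)$", "", value) for name, value in AVP_RE.findall(line)}

def summarize(packets):
    """Pair Start/Stop packets by Acct-Session-Id and build a per-user report.
    Returns (report, open_sessions); open_sessions lists session ids with a Start
    but no Stop (still connected, or the Stop never reached the server)."""
    starts = {}
    report = defaultdict(lambda: {"sessions": 0, "seconds": 0, "bytes_from_client": 0,
                                  "bytes_to_client": 0, "causes": []})
    for pkt in map(parse_avps, packets):
        sid, status = pkt.get("Acct-Session-Id"), pkt.get("Acct-Status-Type")
        if status == "Start":
            starts[sid] = pkt
        elif status == "Stop":
            start = starts.pop(sid, {})
            entry = report[pkt.get("User-Name", start.get("User-Name", "unknown"))]
            entry["sessions"] += 1
            entry["seconds"] += int(pkt.get("Acct-Session-Time", 0))
            # RFC 2866: Input-Octets were received from the client, Output-Octets sent to it.
            entry["bytes_from_client"] += int(pkt.get("Acct-Input-Octets", 0))
            entry["bytes_to_client"] += int(pkt.get("Acct-Output-Octets", 0))
            entry["causes"].append(pkt.get("Acct-Terminate-Cause", "unknown"))
    return dict(report), sorted(starts)

# Constructed sample: two Starts and one Stop; user names are hypothetical.
SAMPLE = [
    "AVP: l=7 t=User-Name(1): brent AVP: l=6 t=Acct-Status-Type(40): Start(1) "
    "AVP: l=10 t=Acct-Session-Id(44): 1CA00008",
    "AVP: l=7 t=User-Name(1): brent AVP: l=6 t=Acct-Status-Type(40): Stop(2) "
    "Acct-Status-Type: Stop (2) AVP: l=6 t=Acct-Input-Octets(42): 5121 "
    "AVP: l=6 t=Acct-Output-Octets(43): 127373 AVP: l=10 t=Acct-Session-Id(44): 1CA00008 "
    "AVP: l=6 t=Acct-Session-Time(46): 21 AVP: l=6 t=Acct-Terminate-Cause(49): User-Request(1)",
    "AVP: l=7 t=User-Name(1): alice AVP: l=6 t=Acct-Status-Type(40): Start(1) "
    "AVP: l=10 t=Acct-Session-Id(44): 1CA00009",
]

if __name__ == "__main__":
    per_user, still_open = summarize(SAMPLE)
    print(per_user, "open sessions:", still_open)
```

Run against a file of accounting packets instead of SAMPLE to get connection counts, durations and byte totals per user, plus the sessions that never produced a Stop.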