ACS problem

Answered Question
Jun 21st, 2007

After authentication via a switch to ACS, when I check Reports and Activity I can see the user passes all the steps, but it does not appear or register in Logged-in Users. In other parts like Passed Authentications or RADIUS Accounting I can see the details of the user information, but in Logged-in Users nothing shows.

Premdeep Banga Thu, 06/21/2007 - 03:55

Hi,

The Logged-in Users report completely depends on the START/STOP packet sequence.

For that you need to have accounting configured.

As in your case, I would suppose it's for administration, so you would require,

aaa accounting exec default start-stop......

If we are using RADIUS as the protocol, then you should see START/STOP details in the RADIUS Accounting section.

The user will only show up in the Logged-in Users section if ACS has only received the START accounting packet.

As soon as it gets the STOP accounting packet for the same session, ACS will consider it logged out, and it won't be shown in the Logged-in Users report.

Logged-In Users:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/lgsrpts.htm#wp626704

Regards,

Prem
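
The Start/Stop behaviour described in this reply can be modelled over an accounting export. This is an added example, not part of the original thread and not ACS code; the CSV layout and sample rows are constructed, and the column names are assumed to follow the RADIUS attribute names.

```python
import csv
import io

# Constructed sample of a RADIUS accounting export. Column names follow the
# RADIUS attribute names; that layout is an assumption, not the ACS format.
SAMPLE_CSV = """Date,Time,User-Name,NAS-IP-Address,Acct-Status-Type,Acct-Session-Id,Calling-Station-Id
06/21/2007,09:00:01,alice,10.0.0.2,Start,00000011,192.0.2.10
06/21/2007,09:05:12,bob,10.0.0.2,Start,00000012,192.0.2.11
06/21/2007,09:20:40,alice,10.0.0.2,Stop,00000011,192.0.2.10
06/21/2007,09:30:00,carol,10.0.0.3,Start,00000011,00-11-22-33-44-55
06/21/2007,09:31:00,dave,10.0.0.3,Stop,00000099,192.0.2.12
"""

def logged_in_sessions(csv_text):
    """Return (open sessions, Stop records that never had a Start)."""
    open_sessions = {}
    orphan_stops = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Two NAS devices can issue the same Acct-Session-Id, so key on both.
        key = (row["NAS-IP-Address"], row["Acct-Session-Id"])
        status = row["Acct-Status-Type"].strip().lower()
        if status == "start":
            open_sessions[key] = row
        elif status == "stop":
            # A Stop closes the session; without a Start it is an orphan.
            if open_sessions.pop(key, None) is None:
                orphan_stops.append(row)
    return open_sessions, orphan_stops

def logged_in_users(csv_text):
    """User names with a Start and no Stop, i.e. still logged in."""
    sessions, _ = logged_in_sessions(csv_text)
    return sorted(r["User-Name"] for r in sessions.values())

if __name__ == "__main__":
    sessions, orphans = logged_in_sessions(SAMPLE_CSV)
    for (nas, sid), row in sessions.items():
        print(f"{row['User-Name']:8} NAS={nas} session={sid} since {row['Time']}")
    print("Stop without Start:", [r["User-Name"] for r in orphans])
```

A user who only appears in Passed Authentications never produces a row here, which matches the symptom in the question: no accounting Start, no logged-in entry.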

hamedyazdigss Fri, 06/22/2007 - 05:07

Dear Sir

Thanks for your help. Would you please help me: if I want to know which IP directly connects to the RADIUS server, which option in the Logged-in Users report should be enabled? I mean, if I want to add a column in the RADIUS Accounting CSV to show directly which IP address is connected, which attribute should be enabled from System Configuration?

Best regards

Hamed

Correct Answer
Premdeep Banga Fri, 06/22/2007 - 07:31

Hi Hamed,

That is enabled by default in Radius/Tacacs+ Accounting Logs. "NAS IP Address" field.

This is the field which tells which network device has connected using the RADIUS server.

Regards,

Prem

hamedyazdigss Fri, 06/22/2007 - 11:09

Hi Prem

Thanks for your kind reply. As I understand, by "NAS IP Address" we can see the switch IP address that we connected to the RADIUS server, but I want to show a specific client that connects to it via the switch. For example, when I connect to the server from my computer, I want to show my computer's IP address in the RADIUS Accounting CSV.

Regards

Hamed

Premdeep Banga Fri, 06/22/2007 - 11:26

Hi,

"Calling-Station-Id", but this will only appear if the NAS device is sending the RADIUS IETF attribute #31.

Regards,

Prem

hamedyazdigss Fri, 06/22/2007 - 12:20

Dear Sir

Thank you for your help. As you mentioned, by "Calling-Station-Id" we can see the IP address of the client, but only when the NAS device is sending the RADIUS IETF attribute #31. How can I make sure the NAS device is sending that attribute, and if not, how can I activate it? It is worth noting that now in the RADIUS Accounting CSV logs I can see a switch IP address that is referred to as the NAS. I looked a lot for a reference that defines the attribute meanings but I could not find a complete reference. Would you please let me know how I can understand the exact meaning of the attribute?

Best Regards

Hamed

Premdeep Banga Fri, 06/22/2007 - 12:32

Hi Hamed,

Though normally all devices using RADIUS send this attribute (#31), if it is not being sent, then ACS won't be able to log it. This was my only concern.

As for detail on Radius attribute # 31, please refer,

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/a_radatr.htm#wp140612

And RFC of RADIUS:

http://www.ietf.org/rfc/rfc2865.txt

Section "5.31. Calling-Station-Id"

Regards,

Prem

If this resolves your query, please mark this thread as solved, so that others can benefit from it.

hamedyazdigss Mon, 06/25/2007 - 01:25

Dear Sir

As you mentioned, I added "Calling-Station-Id" to the report table to show me the IP address of the client which connects to the RADIUS server, but it only shows the MAC address of the client. I am looking for a way to monitor the client IP address. Would you please let me know your comment about this situation?

best regards

Hamed

Premdeep Banga Mon, 06/25/2007 - 04:01

Hi Hamed,

I am not sure if you have tested this, please take a look at the attached document. The highlighted IP addresses are the stations from where I accessed the devices.

Regards,

Prem

hamedyazdigss Mon, 06/25/2007 - 08:55

Hi dear Mr. Prem

Thanks for your kind reply. I have never tested Caller-ID, but when I looked at Caller-ID.doc I saw that in that picture Calling-Station-Id shows the IP address of a client, but I do not know why in my system it shows the MAC address of the client that connected to the RADIUS server. Would you please let me know your comment? I also want to know whether activating Caller-ID requires activating another attribute.

Best regards

Hamed

Premdeep Banga Mon, 06/25/2007 - 09:11

Hi Hamed,

It depends on what you are using it for. If you are doing telnet/ssh, then you'll get the IP address. If you are doing something such as PEAP or EAP-TLS, i.e. EAP, then you'll get the MAC address.

Commands that I had on my test switch,

    aaa new-model
    radius-server host x.x.x.x key
    aaa authentication login default group radius local
    aaa accounting exec default start-stop group radius

Regards,

Prem
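
To check whether a NAS actually sends attribute 31, and whether it carries an IP or a MAC address (telnet/ssh versus EAP, as described in the replies above), the attributes can be read from a captured Accounting-Request. This is an added example, not from the original thread; the packet bytes are constructed and the function names are hypothetical.

```python
import ipaddress
import re
import struct

def build_sample_packet():
    """Constructed Accounting-Request (code 4); authenticator left as zeros."""
    def attr(a_type, value):
        return bytes([a_type, len(value) + 2]) + value
    attrs = (attr(1, b"hamed")                                    # User-Name
             + attr(4, ipaddress.IPv4Address("10.0.0.2").packed)  # NAS-IP-Address
             + attr(31, b"00-11-22-33-44-55")                     # Calling-Station-Id
             + attr(40, struct.pack("!I", 1)))                    # Acct-Status-Type=Start
    return struct.pack("!BBH", 4, 1, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet):
    """Return {attribute type: [raw values]}, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

# Accepts 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455, 001122334455
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:.]?[0-9A-Fa-f]{2}){5}$")

def calling_station_kind(packet):
    """Classify attribute 31 as 'ip', 'mac', 'other' or 'absent'."""
    values = parse_attributes(packet).get(31)
    if not values:
        return "absent"
    text = values[0].decode("ascii", "replace")
    try:
        ipaddress.ip_address(text)
        return "ip"
    except ValueError:
        return "mac" if MAC_RE.match(text) else "other"

if __name__ == "__main__":
    print("Calling-Station-Id carries:", calling_station_kind(build_sample_packet()))
```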

hamedyazdigss Mon, 06/25/2007 - 10:35

Hi dear Mr. Prem

A billion thanks for helping me. As you mentioned, it is important which service I consider. I am using it for PEAP. When I check my switch configuration, I just have not defined ShareKey. I want to know whether in this case it is important to define it or not. And, as you know, I am using it for PEAP; by Caller-ID can I see the client IP address or not? I will be happy if you let me know your comments.

Regards

Hamed

Premdeep Banga Mon, 06/25/2007 - 11:29

Hi Hamed,

I think in your configuration, you have command,

radius-server key .....

and if PEAP authentication is working you do not need to change anything.

If we are using PEAP, we'll get the MAC address; we won't be able to get the IP address.

Regards,

Prem

hamedyazdigss Mon, 06/25/2007 - 17:15

Hi Dear Mr. Prem

Thank you for your kind reply. As you mentioned, because I use PEAP I am not able to get the client IP address; I can only get the MAC address. If I understand correctly, please confirm. If I use this method for authentication in our LAN with different broadcasting routes, I want to know whether I am able to see the MAC addresses of different clients that connect to the server from different places with different broadcasting routes or not. If not, what is your idea about this situation?

Best Regards

Hamed

hamedyazdigss Mon, 07/02/2007 - 23:58

Hi Dear Mr. Prem

I hope you remember me. This time I am trying to connect to ACS via a router, and I am trying to configure the router using the PAP method. Would you please let me know your comment about my configuration? Also, I do not know what I should apply for the Ethernet port.

    aaa new-model
    !
    !
    radius-server host 123.45.1.2
    radius-server key xxx
    aaa authentication ppp dialins group radius local
    aaa authorization exec default local
    aaa authorization network default group radius local
    aaa accounting network default start-stop group radius

Regards

Hamed

Premdeep Banga Tue, 07/03/2007 - 05:50

You don't have to apply anything on the port. If you want AAA for access to the switch (for administration, so that you can run commands on it), add this command,

    aaa authentication login default group radius local
    no aaa authorization exec default local

And please test everything out on test bed, before going for production implementation.

Regards,

Prem

hamedyazdigss Tue, 02/12/2008 - 05:15

Dear Sir

A long time ago I asked you whether it is possible to show the IP address of the end client on the ACS, and you sent me an attachment that showed the IP address of the end client in the Caller-ID, but unfortunately I have tried many things and it only shows me the MAC address of the end client. I want to know whether I should configure some specific command on my switch or a specific configuration on my ACS. If you let me know your comment I will be happy.

With best regards

Hamed

hamedyazdigss Wed, 12/12/2007 - 04:22

Dear Sir

I have a problem. I do not know why, instead of the IP address of the end client, I can see the MAC address of the end client in the "Calling-Station-Id". Would you please let me know your comment?

Regards

mhyazdi

xius-bcgi-2007 Thu, 12/20/2007 - 05:55

Hi mhyazdi ,

Can you share the configuration so that we can see where we are going wrong? Did you try using IETF format or the send nas port details mac only command?

Thanks,

rochopra Thu, 06/21/2007 - 05:24

Agree with pbanga, the following command should help

aaa accounting exec default start-stop group radius

hamedyazdigss Sun, 12/02/2007 - 10:33

Dear Sir

I have tried to connect to ACS via an access point, and I applied the needed configuration. But when I want to connect to the access point from my computer, I have to wait for it to ask me for a username and password, and after that it authenticates my username and password, but I do not know why it does not connect and continually asks me for a username and password.

Would you please let me know your comment?

Best regards

mhyazdi
