ACS problem

hamedyazdigss
Level 1

After authentication via the switch to ACS, when I check Reports and Activity I can see the user pass all the steps, but it does not appear or register in Logged-in Users. In other parts, like Passed Authentications or RADIUS Accounting, I can see the details of the user information, but in Logged-in Users nothing shows.

1 Accepted Solution

Hi Hamed,

That is enabled by default in RADIUS/TACACS+ Accounting logs: the "NAS IP Address" field.

This is the field which tells which network device has connected using the RADIUS server.

Regards,

Prem

22 Replies

Premdeep Banga
Level 7

Hi,

The Logged-in Users report depends completely on the START/STOP packet sequence.

For that you need to have accounting configured.

In your case, I would suppose it's for administration, so you would require:

aaa accounting exec default start-stop......

If we are using RADIUS as the protocol, then you should see START/STOP details in the RADIUS Accounting section.

The user will only show up in the Logged-in Users section if ACS has only received the START accounting packet.

As soon as it gets the STOP accounting packet for the same session, ACS will consider it logged out, and it won't be shown in the Logged-in Users report.

Logged-In Users:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/lgsrpts.htm#wp626704

Regards,

Prem

Dear Sir

Thanks for your help. Would you please help me: if I want to know which IP connects directly to the RADIUS server, which option in the Logged-in Users report should be enabled? I mean, if I want to add a column to the RADIUS Accounting CSV that shows directly which IP address is connected, which attribute should be enabled in System Configuration?

Best regards

Hamed

Hi Hamed,

That is enabled by default in RADIUS/TACACS+ Accounting logs: the "NAS IP Address" field.

This is the field which tells which network device has connected using the RADIUS server.

Regards,

Prem

Hi Prem

Thanks for your kind reply. As I understand, with "NAS IP Address" we can see the IP address of the switch that we connected to the RADIUS server, but I want to show the specific client that connects to it via the switch. For example, when I connect to the server from my computer, I want to show my computer's IP address in the RADIUS Accounting CSV.

Regards

Hamed

Hi,

"Calling-Station-Id", but this will only appear if the NAS device is sending RADIUS IETF attribute #31.

Regards,

Prem

Dear Sir

Thank you for your help. As you mentioned, with "Calling-Station-Id" we can see the IP address of the client, but only when the NAS device is sending RADIUS IETF attribute #31. How can I make sure the NAS device is sending that attribute, and if it is not, how can I activate it? It is worth noting that in the RADIUS Accounting CSV logs I can now see a switch IP address, which is referred to as the NAS. I searched a lot for a reference that defines the meaning of the attributes, but I could not find a complete one. Would you please let me know how I can understand the exact meaning of the attribute?

Best Regards

Hamed

Hi Hamed,

Though normally all devices using RADIUS send this attribute (#31), if it is not being sent, then ACS won't be able to log it. This was my only concern.

For details on RADIUS attribute #31, please refer to:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/a_radatr.htm#wp140612

And RFC of RADIUS:

http://www.ietf.org/rfc/rfc2865.txt

Section "5.31. Calling-Station-Id"

Regards,

Prem

If this resolves your query, please mark this thread as solved, so that others can benefit from it.

Dear Sir

As you mentioned, I added "Calling-Station-Id" to the report table to show me the IP address of the client that connects to the RADIUS server, but it only shows the MAC address of the client. I am looking for a way to monitor the client IP address. Would you please let me know your comments about this situation?

Best regards

Hamed

Hi Hamed,

I am not sure if you have tested this; please take a look at the attached document. The highlighted IP addresses are the stations from which I accessed the devices.

Regards,

Prem

Hi dear Mr. Prem

Thanks for your kind reply. I have never tested Caller-ID, but when I looked at Caller-ID.doc I saw that in that picture Calling-Station-Id shows the IP address of a client. I do not know why in my system it shows the MAC address of the client that connected to the RADIUS server. Would you please let me know your comments? I also want to know whether, in order to activate Caller-ID, other attributes need to be activated.

Best regards

Hamed

Hi Hamed,

It depends on what you are using it for. If you are doing telnet/ssh, then you'll get the IP address. If you are doing something such as PEAP or EAP-TLS, i.e. EAP, then you'll get the MAC address.

Commands that I had on my test switch:

aaa new-model

radius-server host x.x.x.x key

aaa authentication login default group radius local

aaa accounting exec default start-stop group radius

Regards,

Prem
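
The two behaviours described in this thread (a user is listed as logged in only while a START has been seen without its STOP, and Calling-Station-Id carries an IP address for telnet/ssh but a MAC address for EAP), as an added example that is not part of any post and is not ACS code. The CSV column names, the sample rows and the choice to key sessions on NAS-IP-Address plus Acct-Session-Id are assumptions made for the illustration.

```python
import csv
import io
import ipaddress
import re

# Constructed sample rows. Column names follow the RADIUS attribute names and
# are an assumption about the export layout, not a copy of a real ACS CSV.
SAMPLE_CSV = """\
User-Name,Acct-Status-Type,Acct-Session-Id,Calling-Station-Id,NAS-IP-Address
alice,Start,0000001A,192.0.2.25,10.0.0.2
bob,Start,0000001B,00-1A-2B-3C-4D-5E,10.0.0.3
alice,Stop,0000001A,192.0.2.25,10.0.0.2
carol,Start,0000001A,001a.2b3c.4d5f,10.0.0.3
dave,Stop,0000002F,198.51.100.7,10.0.0.2
erin,Start,0000002A,192.0.2.40,10.0.0.2
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:.]?[0-9A-Fa-f]{2}){5}$")


def station_kind(value):
    """Classify a Calling-Station-Id (attribute 31) value as ip, mac or other."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "mac" if MAC_RE.match(value) else "other"


def logged_in(csv_text):
    """Replay rows in order: a Start opens a session, the matching Stop closes it."""
    open_sessions = {}  # (NAS-IP-Address, Acct-Session-Id) -> row
    orphan_stops = []   # Stop with no Start on record (Start lost or never sent)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Session ids are only unique per NAS, so the NAS address is part of the key.
        key = (row["NAS-IP-Address"], row["Acct-Session-Id"])
        status = row["Acct-Status-Type"].strip().lower()
        if status == "start":
            open_sessions[key] = row
        elif status == "stop" and open_sessions.pop(key, None) is None:
            orphan_stops.append(row["User-Name"])
    users = sorted(
        (r["User-Name"], r["NAS-IP-Address"], station_kind(r["Calling-Station-Id"]))
        for r in open_sessions.values()
    )
    return users, orphan_stops


if __name__ == "__main__":
    print(logged_in(SAMPLE_CSV))
```

A user whose Stop arrives without a recorded Start lands in the second list, which is a useful check when accounting looks complete but the logged-in view stays empty.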

Hi dear Mr. Prem

A billion thanks for helping me. As you mentioned, it is important which service I consider. I am using it for PEAP. When I check my switch configuration, the only thing I have not defined is the shared key. I want to know whether in this case it is important to define it or not. And, as you know, I am using it for PEAP: can I see the client IP address with Caller-ID or not? I will be happy if you let me know your comments.

Regards

Hamed

Hi Hamed,

I think in your configuration you have the command:

radius-server key .....

and if PEAP authentication is working you do not need to change anything.

If we are using PEAP, we'll get the MAC address; we won't be able to get the IP address.

Regards,

Prem

Hi Dear Mr. Prem

Thank you for your kind reply. As you mentioned, because I use PEAP I am not able to get the client IP address; I can only get the MAC address. Please confirm whether I have understood correctly. If I use this method for authentication in our LAN with different broadcasting routes, I want to know whether I am able to see the MAC addresses of different clients that connect to the server from different places with different broadcasting routes or not. If not, what is your idea about this situation?

Best Regards

Hamed
