correlating VPN assigned IP address with particular users - CSACS and ASA

Unanswered Question
Apr 16th, 2008
User Badges:

We have an ASA running 7.0(6)8 and use CSACS v4.1

For remote access, we have VPN groups set-up on the ASA. Our remote users connect to our network, are authenticated via the CSACS server, then are assigned an IP address from the relevant address pool on the ASA.

At the moment, I can use "show uauth" on the ASA to determine which user has been assigned a particular IP address, as long as they are currently connected.

But, what I'd like to be able to do is determine which user had an IP address at a particular time in the past.

E.g. if our device logs show activity from a particular IP address, I'd like to be able to trace back to find out which user had been assigned that IP address at the time.

Can anyone suggest how I might achieve this? I'm guessing that I need to set-up some sort of accounting between the ASA and the CSACS server but I'm not really sure what exactly is required.

Any help/advice would be appreciated. Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
rochopra Wed, 04/16/2008 - 07:17
User Badges:
  • Cisco Employee,

do start-stop network accounting on ASA for vpn traffic.

that will help you with the accounting of users and ip addresses on ACS.

Also i will recomend you to create address pool on ACS if possible.

If not, configure aaa accounting delay-start on ASA. Else accounting start packet will not contain the ip address assigned.


mitchen Wed, 04/16/2008 - 08:00
User Badges:

hi, thanks for the advice, that sounds good.

Do you know the exact commands required to achieve this on the ASA? It doesn't seem to have the same set of aaa commands as found on e.g. an IOS router so I'm not entirely sure what to configure.

E.g. on my ASA, the aaa accounting options are:

aaa accounting ?

configure mode commands/options:

command Specify this keyword to allow command accounting to be configured

for all administrators on all consoles

enable Enable

exclude Exclude the service, local and foreign network which needs to be

authenticated, authorized, and accounted

include Include the service, local and foreign network which needs to be

authenticated, authorized, and accounted

match Specify this keyword to configure an ACL to match

serial Serial

ssh SSH

telnet Telnet

mitchen Fri, 04/18/2008 - 03:37
User Badges:

Hmmm, thanks - I've made some progress in that I now have the VPN users appearing in the TACACS accounting logs (after adding accounting-server-group within the tunnel-group attributes, as you suggested) but it doesn't actually tell me what IP address has been assigned to the user.

I noticed in your previous response you suggested using "aaa accounting delay-start" in order to get the assigned IP address but I still can't see how to configure this on the ASA?

Can you offer any further advice?

Thanks for all your help so far!


This Discussion