Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
916
Views
3
Helpful
4
Replies

correlating VPN assigned IP address with particular users - CSACS and ASA

mitchen
Level 2
Level 2

‎04-16-2008 03:50 AM - edited ‎03-10-2019 03:47 PM

We have an ASA running 7.0(6)8 and use CSACS v4.1

For remote access, we have VPN groups set-up on the ASA. Our remote users connect to our network, are authenticated via the CSACS server, then are assigned an IP address from the relevant address pool on the ASA.

At the moment, I can use "show uauth" on the ASA to determine which user has been assigned a particular IP address, as long as they are currently connected.

But, what I'd like to be able to do is determine which user had an IP address at a particular time in the past.

E.g. if our device logs show activity from a particular IP address, I'd like to be able to trace back to find out which user had been assigned that IP address at the time.

Can anyone suggest how I might achieve this? I'm guessing that I need to set-up some sort of accounting between the ASA and the CSACS server but I'm not really sure what exactly is required.

Any help/advice would be appreciated. Thanks.

Labels:
0 Helpful
4 Replies 4

rochopra
Cisco Employee
Cisco Employee

‎04-16-2008 07:17 AM

do start-stop network accounting on ASA for vpn traffic.

that will help you with the accounting of users and ip addresses on ACS.

Also i will recomend you to create address pool on ACS if possible.

If not, configure aaa accounting delay-start on ASA. Else accounting start packet will not contain the ip address assigned.

:Rohit

mitchen
Level 2
Level 2
In response to rochopra

‎04-16-2008 08:00 AM

hi, thanks for the advice, that sounds good.

Do you know the exact commands required to achieve this on the ASA? It doesn't seem to have the same set of aaa commands as found on e.g. an IOS router so I'm not entirely sure what to configure.

E.g. on my ASA, the aaa accounting options are:

aaa accounting ?

configure mode commands/options:

command Specify this keyword to allow command accounting to be configured

for all administrators on all consoles

enable Enable

exclude Exclude the service, local and foreign network which needs to be

authenticated, authorized, and accounted

include Include the service, local and foreign network which needs to be

authenticated, authorized, and accounted

match Specify this keyword to configure an ACL to match

serial Serial

ssh SSH

telnet Telnet

0 Helpful

rochopra
Cisco Employee
Cisco Employee
In response to mitchen

‎04-16-2008 08:14 AM

accounting server has to be configured within the tunnel-group general-attributes.

command will be :

accounting-server-group groupname

check following link for mote info:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpngrp.html

: Rohit

0 Helpful

mitchen
Level 2
Level 2
In response to rochopra

‎04-18-2008 03:37 AM

Hmmm, thanks - I've made some progress in that I now have the VPN users appearing in the TACACS accounting logs (after adding accounting-server-group within the tunnel-group attributes, as you suggested) but it doesn't actually tell me what IP address has been assigned to the user.

I noticed in your previous response you suggested using "aaa accounting delay-start" in order to get the assigned IP address but I still can't see how to configure this on the ASA?

Can you offer any further advice?

Thanks for all your help so far!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents