ACS question

mohamed_makled
Level 1

Hi all

Our customer has a site-to-site VPN tunnel with another company. The VPN is established between two routers and is working fine. The users in the customer site can log in to a web server in the remote peer site using a username and password through this tunnel. Our customer needs to log the time that the users log in to this web server.

Does the ACS do that or not? And how?

If the ACS cannot do that, is there any other method that can be used to log the users' logins?

Waiting for your replies.

Regards

4 Replies

Premdeep Banga
Level 7

ACS is a RADIUS and TACACS+ server. So the question would be: can/does your web server support the RADIUS/TACACS+ protocol? If yes, then you can add the web server as a client on the ACS server, configure your web server for RADIUS/TACACS+ accounting, and send the accounting logs to the ACS server.

I doubt this to be the case.

AFAIK, the web servers also have some logging feature/functionality. Check with the web server documentation, there must be some option to log the user logins/activity on the web server.

HTH

Regards,

Prem

Please rate if it helps!

Dear Prem

Thanks for your reply.

I want to tell you something: the web server is not under our control; it is controlled by the peer company. So we need to log the users' logins to this server (using any method) without changing anything in the web server settings.

I mean we need to do that from our side.

Also, if the ACS cannot do that, is there any other software that does?

Regards

I have not tried this, but just an idea; you can try this out.

Create an ACL, something like:

access-list auth permit host .....

aaa authentication match auth

aaa accounting match auth

But this will add an extra authentication step before users go to the destination web server.

Please test this before applying it.

You can also have:

access-list auth permit host .....

aaa accounting match auth

That is accounting alone, but I am not sure what information you may get in this. But you can give this a try and see.

Regards,

Prem

Please rate if it helps!

Found this, might be helpful:

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/fwaaa.html#wp1043741

The security appliance can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then the AAA server can maintain accounting information by username. If the traffic is not authenticated, the AAA server can maintain accounting information by IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.

Regards,

Prem

Please rate if it helps!
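The accounting records the quoted ASA documentation talks about are RFC 2866 RADIUS Accounting-Request packets: a Start when a session through the appliance begins and a Stop (with duration and byte counts) when it ends, carrying User-Name when the traffic was authenticated and Framed-IP-Address otherwise. The Python below is an added example for this thread, not code from Cisco, ACS, or either poster, showing what a collector on the customer's side would have to do with those packets to produce a "who logged in when" log: check the Request Authenticator against the shared secret (so a host that does not know the secret cannot inject fake login records), then decode the attributes. It assumes a NAS configured for RADIUS accounting and a collector that knows the shared secret; the two packets are constructed inline to look like a Start/Stop pair for one session, not captured traffic, and the secret, username and addresses are made up.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code

# Attribute types (RFC 2865/2866) that matter for a login/logout log.
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 40: "Acct-Status-Type",
              42: "Acct-Input-Octets", 43: "Acct-Output-Octets",
              44: "Acct-Session-Id", 46: "Acct-Session-Time"}
INT_ATTRS = {40, 42, 43, 46}
STATUS_TYPES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _attr(code, value):
    """Encode one attribute as type, length (including this 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def build_accounting_request(secret, ident, attrs):
    """Build an Accounting-Request. Per RFC 2866 section 3 the Request Authenticator
    is MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(_attr(c, v) for c, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def verify_authenticator(packet, secret):
    """True only if the Request Authenticator was computed with our shared secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_accounting_request(packet, secret):
    """Decode the record into a dict; refuse anything unauthenticated or malformed,
    so a forged packet from a host without the secret never reaches the log."""
    if not verify_authenticator(packet, secret):
        raise ValueError("bad length or Request Authenticator (wrong secret / forged)")
    code, ident = packet[0], packet[1]
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    record, body, pos = {"identifier": ident}, packet[20:], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        value = body[pos + 2:pos + alen]
        pos += alen
        name = ATTR_NAMES.get(atype)
        if name is None:
            continue  # vendor-specific and other attributes are skipped here
        if atype == 8:
            if len(value) != 4:
                raise ValueError("Framed-IP-Address must be 4 octets")
            record[name] = ".".join(str(b) for b in value)
        elif atype in INT_ATTRS:
            if len(value) != 4:
                raise ValueError(f"{name} must be a 32-bit integer")
            num = struct.unpack("!I", value)[0]
            record[name] = STATUS_TYPES.get(num, num) if atype == 40 else num
        else:
            record[name] = value.decode("utf-8", errors="replace")
    return record


def session_log_line(record):
    """One log line per record, keyed by username for authenticated sessions and
    by source IP otherwise (the fallback the ASA documentation describes)."""
    who = record.get("User-Name") or record.get("Framed-IP-Address", "unknown")
    status, sid = record.get("Acct-Status-Type", "?"), record.get("Acct-Session-Id", "?")
    line = f"{status:<14} session={sid} user={who}"
    if status == "Stop":
        line += (f" duration={record.get('Acct-Session-Time', 0)}s"
                 f" in={record.get('Acct-Input-Octets', 0)}"
                 f" out={record.get('Acct-Output-Octets', 0)}")
    return line


# Constructed sample records (not captured traffic): one Start and one Stop for
# user jdoe at 10.20.30.40, shaped like what a NAS doing RADIUS accounting sends.
SECRET = b"constructed-shared-secret"
START_PKT = build_accounting_request(SECRET, 7, [
    (1, b"jdoe"), (8, bytes([10, 20, 30, 40])),
    (40, struct.pack("!I", 1)), (44, b"0x1a2b3c")])
STOP_PKT = build_accounting_request(SECRET, 8, [
    (1, b"jdoe"), (8, bytes([10, 20, 30, 40])),
    (40, struct.pack("!I", 2)), (44, b"0x1a2b3c"),
    (46, struct.pack("!I", 1800)), (42, struct.pack("!I", 51200)),
    (43, struct.pack("!I", 2048000))])

if __name__ == "__main__":
    for pkt in (START_PKT, STOP_PKT):
        print(session_log_line(parse_accounting_request(pkt, SECRET)))
```

Two caveats a practitioner should keep in mind: the authenticator only proves the sender knows the shared secret, it does not encrypt anything, so the accounting path should stay on a trusted segment; and accounting by IP address (no User-Name attribute) is all you get unless the traffic was also authenticated on the appliance, which is exactly the extra login step the reply above warns about.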
