External User Accounting

Unanswered Question
Jan 20th, 2010

Hi,

We are implementing the Cisco VPN solution for the customer and using ACS for the accounting purposes.

1. ASA 5520 is getting used for RA VPN

2. ACS 4.2 (Solution Engine-1113) is getting used for user authentication, authorization and accounting.

3. ACS is talking to RSA manager (7.1) and Active Directory (Windows 2003) for the user database and token verification related to two-factor authentication.

As the user database is external to ACS and is there in Active Directory, I am not getting the user name when they are getting logged in to the network and also it is not possible to do the accounting.

Customer is interested to get the accounting of the users getting logged in using RA VPN on the basis of the user name. At present we are getting the accounting details of the user on the basis of the IP Address which is getting assigned by ASA.

I could not find out any ways where we could provide the accounting on the username basis as the database is external. Am I missing something?

Please help.

Jatin Katyal Wed, 01/20/2010 - 07:20

Hi,


It doesn't matter where the user exists. If we have RADIUS accounting enabled on the ASA and ACS, it will surely log the session with the username. However, make sure that you have selected the username under the logged attributes.


In order to check this, go to System Configuration > Logging > RADIUS Accounting > click on Configure > move the username under the Logged Attributes table and try again.


Detailed steps:


To configure CiscoSecure ACS to perform RADIUS accounting using CSV, perform these steps:

  1. In the navigation bar, click System Configuration.

  2. Click Logging. The Logging Configuration page appears.

  3. Select CSV RADIUS Accounting.

  4. Confirm that the Log to CSV RADIUS Accounting report check box is selected. If it is not selected, select it now.

  5. In the Select Attributes To Log table, make sure that the RADIUS attributes you want to see in the RADIUS accounting log appear in the Logged Attributes list. In addition to the standard RADIUS attributes, there are several special logging attributes provided by CiscoSecure ACS, such as Real Name, ExtDB Info, and Logged Remotely.


Please let me know if that works.


HTH


Regards,

JK


Plz rate helpful posts-
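Added example, not part of the original posts and not Cisco's code: once the username is among the logged attributes, a script like this can check the CSV RADIUS accounting report by pairing Start/Stop records into per-user sessions and listing sessions that can still only be attributed to an IP address. The column names, the "Unknown User" placeholder and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of a CSV RADIUS accounting export. Column names mirror
# RADIUS attribute names and are an assumption about the report layout.
SAMPLE_CSV = """Date,Time,User-Name,Acct-Status-Type,Acct-Session-Id,Framed-IP-Address,NAS-IP-Address
01/22/2010,09:00:05,alice,Start,A001,10.10.1.21,192.0.2.1
01/22/2010,09:45:05,alice,Stop,A001,10.10.1.21,192.0.2.1
01/22/2010,10:02:00,Unknown User,Start,A002,10.10.1.22,192.0.2.1
01/22/2010,10:30:00,Unknown User,Stop,A002,10.10.1.22,192.0.2.1
01/22/2010,11:00:00,bob,Start,A003,10.10.1.21,192.0.2.1
"""

# Values treated as "no usable username" (assumed placeholder strings).
UNRESOLVED = {"", "unknown user", "unknown"}


def summarize(csv_text):
    """Pair Start/Stop records by (NAS, session id) and report per user."""
    open_sessions = {}
    per_user = defaultdict(list)   # username -> [(assigned IP, seconds)]
    unresolved = []                # sessions attributable only to an IP
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["Date"] + " " + row["Time"],
                                 "%m/%d/%Y %H:%M:%S")
        key = (row["NAS-IP-Address"], row["Acct-Session-Id"])
        status = row["Acct-Status-Type"].strip().lower()
        if status == "start":
            open_sessions[key] = (when, row)
        elif status == "stop" and key in open_sessions:
            started, first = open_sessions.pop(key)
            user = (row["User-Name"] or first["User-Name"]).strip()
            seconds = int((when - started).total_seconds())
            target = unresolved if user.lower() in UNRESOLVED else per_user[user]
            if target is unresolved:
                target.append((row["Framed-IP-Address"], seconds))
            else:
                target.append((row["Framed-IP-Address"], seconds))
    # Sessions with a Start but no Stop yet (still connected or Stop lost).
    still_open = sorted(r["User-Name"] for _, r in open_sessions.values())
    return dict(per_user), unresolved, still_open


if __name__ == "__main__":
    print(summarize(SAMPLE_CSV))
```

In the sample, 10.10.1.21 is assigned to two different users on the same day, which is why accounting keyed on the ASA-assigned address alone cannot attribute sessions to a person.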

santoshm_75 Fri, 01/22/2010 - 01:58

Hi,

I have done all the configuration changes that you mentioned, but ACS is still showing unknown user in the accounting details.

Please find the ACS accounting SNAP attached for your reference.
