08-26-2008 06:42 AM - edited 03-10-2019 04:03 PM
Hi all
Our customer has a site-to-site VPN tunnel with another company. The VPN is established between two routers and is working fine. The users at the customer site can log in to a web server at the remote peer site using a username and password through this tunnel. Our customer needs to log the time that the users log in to this web server.
Does the ACS do that or not? And how?
If the ACS cannot do that, is there any other method that can be used to log the user logins?
Waiting for your replies.
Regards
08-26-2008 06:49 AM
ACS is a RADIUS and TACACS+ server. So the question would be: can/does your web server support the RADIUS/TACACS+ protocol? If yes, then you can add the web server as a client on the ACS server, configure your web server for RADIUS/TACACS+ accounting, and send the accounting logs to the ACS server.
I doubt this to be the case.
AFAIK, web servers also have some logging feature/functionality. Check the web server documentation; there must be some option to log the user logins/activity on the web server.
HTH
Regards,
Prem
Please rate if it helps!
08-26-2008 07:34 AM
Dear Prem
Thanks for your reply.
I want to tell you that the web server is not under our control. It is controlled by the peer company. So we need to log the users' logins to this server (using any method) without changing anything in the web server settings.
I mean we need to do that from our side.
Also, if the ACS cannot do that, is there any other software that does that?
regards
08-26-2008 07:54 AM
I have not tried this, but just an idea; you can try this out.
Create an ACL, something like:
access-list auth permit
aaa authentication match auth
aaa accounting match auth
But this will add an additional authentication step before users get to the destination web server, so please test this before applying it.
You can also have:
access-list auth permit
aaa accounting match auth
That is accounting alone, but I am not sure what information you may get from this. You can give this a try and see.
Regards,
Prem
Please rate if it helps!
08-26-2008 08:08 AM
Found this; it might be helpful:
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/fwaaa.html#wp1043741
The security appliance can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then the AAA server can maintain accounting information by username. If the traffic is not authenticated, the AAA server can maintain accounting information by IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.
Regards,
Prem
Please rate if it helps!
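As an added example (not from the original thread or from Cisco's documentation), here is what Prem's two suggestions look like as a complete ASA configuration, written from the customer side only so the peer's web server is left untouched; the ACL name, interface name, subnets, ACS address and shared key are assumed placeholders:

```cisco
! Added example, not from the original thread. Names, addresses and key are placeholders.
! RADIUS server group pointing at the ACS server on the inside interface
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.10
 key REPLACE_WITH_SHARED_SECRET
!
! Match only HTTP from the customer's inside subnet to the peer's web server,
! so accounting records are generated for this traffic and nothing else
access-list WEB_ACCT extended permit tcp 192.168.1.0 255.255.255.0 host 172.16.10.5 eq www
!
! Option 1: accounting alone. ACS receives start/stop records for each session,
! but keyed by the client's source IP address, because the appliance never sees
! the username the user types into the web server's own login page.
aaa accounting match WEB_ACCT inside ACS
!
! Option 2: cut-through proxy. The appliance authenticates the user against ACS
! before the connection is allowed through, so the accounting records carry a
! username. This is the extra login prompt mentioned above; test before deploying.
aaa authentication match WEB_ACCT inside ACS
aaa accounting match WEB_ACCT inside ACS
```

Check that the appliance can reach the server with `show aaa-server ACS`; the session start/stop records then appear in the RADIUS accounting report on ACS, where the login time the customer is after can be read per IP (option 1) or per username (option 2).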