Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS question

Hi all

our customer has a vpn tunnel site-to-site with another company . The vpn is established between two routers and its working fine . The users in the customer site can login to a web server in the remote peer site using username & password through this tunnel . Our customer need to log the time that the users login to this web server.

Is the ACS do that or not ?? and how ??

if the ACS cannot do that , is there any other method can be used to log the users login??

waiting your replies.

regards

4 REPLIES

Re: ACS question

ACS is a Radius and Tacacs server. So the question would be, Can/does your web server support Radius/tacacs protocol ? If yes, then you can add the web server as a client on the ACS server, and configure your web server for Radius/tacacs accounting and send the accounting logs to ACS server.

I doubt this to be the case.

AFAIK, the web servers also have some logging feature/functionality. Check with the web server documentation, there must be some option to log the user logins/activity on the web server.

HTH

Regards,

Prem

Please rate if it helps!

New Member

Re: ACS question

Dear Prem

Thanks for your reply.

i want to tell you something that the web server isnot under our control .it is controlled by the peer company.So we need to log the users login to this server (using any method) without changing anything in the web server settings.

i mean we need to do that from our side.

Also if the ACS cannot do that , is there any other S/W do that?

regards

Re: ACS question

I have not tried this, but just an idea, you can try this out.

create an acl, something like,

access-list auth permit host .....

aaa authentication match auth

aaa accounting match auth

But this will add an Added authentication, before users go to destination web server,

Please test this before applying it.

You can also have,

access-list auth permit host .....

aaa accounting match auth

That is accounting alone, but not sure what information you may get in this. But you can give this a try and see.

Regards,

Prem

Please rate if it helps!

Re: ACS question

Found this, might be helpful,

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/fwaaa.html#wp1043741

The security appliance can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then the AAA server can maintain accounting information by username. If the traffic is not authenticated, the AAA server can maintain accounting information by IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.

Regards,

Prem

Please rate if helps!

124
Views
0
Helpful
4
Replies
CreatePlease to create content