Cisco Support Community

Certificate CN as Accounting User-Name

Hi:

I have DMVPN peers set to use RSA signatures for setting up IKE phase 1.

Is it possible to get the certificate common name (CN=) to show up in AAA accounting records?

I have not been able to find the appropriate PKI AAA commands to do this.

Currently this is all I get, and the IP address (isakmp-initator-ip=) is an outside NAT address, so it is not a valid means of identifying the peer in logs.

Dec 13 16:37:43.819 EST: RADIUS/ENCODE(000000BA):Orig. component type = VPN IPSEC
Dec 13 16:37:43.819 EST: RADIUS(000000BA): Config NAS IP: 192.168.66.129
Dec 13 16:37:43.819 EST: RADIUS(000000BA): Config NAS IPv6:
Dec 13 16:37:43.819 EST: RADIUS(000000BA): sending
Dec 13 16:37:43.819 EST: RADIUS(000000BA): Send Accounting-Request to 192.168.112.157:1646 id 1646/5, len 160
Dec 13 16:37:43.819 EST: RADIUS:  authenticator A2 4E 46 69 10 D0 18 F4 - 44 79 1C 98 3B 5C 9C DA
Dec 13 16:37:43.819 EST: RADIUS:  Acct-Session-Id     [44]  10  "000000B0"
Dec 13 16:37:43.819 EST: RADIUS:  Vendor, Cisco       [26]  41
Dec 13 16:37:43.823 EST: RADIUS:   Cisco AVpair       [1]   35  "isakmp-initator-ip=148.36.85.254"
Dec 13 16:37:43.823 EST: RADIUS:  Vendor, Cisco       [26]  36
Dec 13 16:37:43.823 EST: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
Dec 13 16:37:43.823 EST: RADIUS:  Acct-Authentic      [45]  6   Local                     [2]
Dec 13 16:37:43.823 EST: RADIUS:  User-Name           [1]   2   ""
Dec 13 16:37:43.823 EST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Dec 13 16:37:43.823 EST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Dec 13 16:37:43.823 EST: RADIUS:  NAS-Port            [5]   6   0
Dec 13 16:37:43.823 EST: RADIUS:  NAS-Port-Id         [87]  15  "78.18.176.29"
Dec 13 16:37:43.823 EST: RADIUS:  NAS-IP-Address      [4]   6   192.168.66.129
Dec 13 16:37:43.823 EST: RADIUS:  Acct-Delay-Time     [41]  6   0
Dec 13 16:37:43.823 EST: RADIUS(000000BA): Sending a IPv4 Radius Packet
Dec 13 16:37:43.827 EST: RADIUS(000000BA): Started 2 sec timeout
Dec 13 16:37:43.831 EST: ISAKMP (1535): received packet from 148.36.85.254 dport 4500 sport 4500 Global (R) QM_IDLE
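Added here as an illustration, not code from the post or from Cisco: a small Python parser for the "debug radius" accounting output above. It groups each Accounting-Request with its standard attributes and Cisco AVpairs, then lists Start records whose User-Name is empty, which is exactly the gap the post describes (the only identity left is the ISAKMP initiator address). The second session (000000BB) and its hostname in the sample are constructed.

```python
import re

# Constructed sample: the "debug radius" accounting output quoted in the post
# above, trimmed, plus a made-up second session (000000BB) whose User-Name is
# populated so that the check has both a failing and a passing case.
SAMPLE_DEBUG = """\
Dec 13 16:37:43.819 EST: RADIUS(000000BA): Send Accounting-Request to 192.168.112.157:1646 id 1646/5, len 160
Dec 13 16:37:43.819 EST: RADIUS:  Vendor, Cisco       [26]  41
Dec 13 16:37:43.823 EST: RADIUS:   Cisco AVpair       [1]   35  "isakmp-initator-ip=148.36.85.254"
Dec 13 16:37:43.823 EST: RADIUS:   Cisco AVpair       [1]   30  "connect-progress=No Progress"
Dec 13 16:37:43.823 EST: RADIUS:  User-Name           [1]   2   ""
Dec 13 16:37:43.823 EST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Dec 13 16:37:43.823 EST: RADIUS(000000BA): Sending a IPv4 Radius Packet
Dec 13 16:40:01.100 EST: RADIUS(000000BB): Send Accounting-Request to 192.168.112.157:1646 id 1646/6, len 172
Dec 13 16:40:01.100 EST: RADIUS:  User-Name           [1]   12  "spoke1.lab"
Dec 13 16:40:01.100 EST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Dec 13 16:40:01.100 EST: RADIUS(000000BB): Sending a IPv4 Radius Packet
"""

SEND_RE = re.compile(r"RADIUS\((\w+)\): Send Accounting-Request to (\S+)")
# name, [type], length, then the tail: quoted string, 'Start  [1]', or a number
ATTR_RE = re.compile(r"RADIUS:\s+([A-Za-z][\w -]*?)\s+\[\d+\]\s+\d+\s*(.*)$")

def _decode(tail):
    tail = tail.strip()
    if len(tail) >= 2 and tail[0] == tail[-1] == '"':
        return tail[1:-1]                        # quoted string, possibly empty
    return tail.split()[0] if tail else ""       # enumerated label or bare number

def parse_radius_debug(text):
    """One record per Accounting-Request: standard attrs plus Cisco AVpairs."""
    records, current = [], None
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            current = {"id": m.group(1), "server": m.group(2), "attrs": {}, "avpairs": {}}
            records.append(current)
        elif (m := ATTR_RE.search(line)) and current is not None:
            name, value = m.group(1), _decode(m.group(2))
            if name == "Cisco AVpair":           # AVpair strings are "key=value"
                key, _, val = value.partition("=")
                current["avpairs"][key] = val
            else:
                current["attrs"][name] = value
    return records

def unattributed_starts(records):
    """Start records with an empty User-Name, paired with the initiator address."""
    return [(r["id"], r["avpairs"].get("isakmp-initator-ip", "?"))
            for r in records
            if r["attrs"].get("Acct-Status-Type") == "Start"
            and not r["attrs"].get("User-Name")]
```

Feeding a full "debug radius" capture to parse_radius_debug and reviewing unattributed_starts shows which accounting sessions can only be tied to a peer by its (possibly NAT) source address.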


Certificate CN as Accounting User-Name

You will not be able to make the two work. You will have to use aggressive mode with PSK if you want RADIUS authentication. Here is an article that will help:

https://supportforums.cisco.com/thread/2184936

Tarik Admani
*Please rate helpful posts*


Re: Certificate CN as Accounting User-Name

Thanks; authentication is already working. My question is about getting accounting records with the certificate CN showing up as the User-Name in the accounting Start record.
