Our ASA firewall is configured with IP address pools for remote access.
Remote users connect over VPN, are authenticated against a CSACS/RSA database and then assigned an address from the appropriate pool on the ASA.
I would like to be able to log the user authentications so that I know when a user was connected, what IP address they were assigned from the ASA pool and when they disconnected from our network again.
Can anyone suggest how I might achieve this?
At the moment, the closest I have is the Passed Authentications log on the CSACS server (achieved by turning on aaa accounting on the ASA) which tells me when the user authenticated but does NOT tell me what IP address from the ASA pool was assigned to them.
Thanks for the help and apologies for the delay in replying to you - I got tied up with some other work.
I don't know if this makes any difference but we are actually using TACACS and so I have tried using TACACS accounting. I configured an accounting server group under the VPN profile. And things are being logged to the TACACS accounting log on the ACS.
However, it still doesn't tell me the address that has been assigned to the user from the ASA.
I get a column called "Caller-ID" which shows me the remote public address that the user is connecting from. And I have a column called "addr" which should, presumably, contain the IP address assigned by the ASA but it is just blank.
If you use RADIUS accounting instead of TACACS+ accounting, then the assigned tunnel IP address is listed in the column "Framed-IP-Address". Please make sure that the log settings of the ACS are configured to list this column. That's how I do the accounting on our infrastructure.
If necessary you can still run authentication and authorization using TACACS+. :-) But we use TACACS+ for device administration and RADIUS for user access.
Thanks, could you offer some more advice on how I would actually go about setting up RADIUS Accounting only?
On my ASA, I've configured the following:
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host w.x.y.z
Then under my VPN group set-up I have added:
However, I'm not sure what exactly I need to configure on the ACS side of things?
I didn't want to mess about too much with our existing ACS set-up (it was actually set up by a 3rd party so I have limited info on what has been configured!) as I don't want to inadvertently disrupt user authentications etc!
But if you could tell me how I would go about setting it up for RADIUS accounting only (while the authentication and authorization remains as TACACS+) then that would be greatly appreciated!
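Once RADIUS accounting records reach the ACS, the question asked at the top of the thread (who was connected, which pool address they got, and when they disconnected) is answered by correlating the Accounting-Request Start and Stop records by Acct-Session-Id and reading Framed-IP-Address from them. The following Python script is an added example, not code from the thread or from Cisco: it parses a constructed, simplified CSV in the style of an ACS accounting export (the column names, the sample users and the addresses are assumptions for illustration; a real export has more columns, and the exact names depend on the ACS log settings), builds one session per Acct-Session-Id, and answers the incident-response question "who held pool address X at time T?". It also handles the two common gaps in accounting data: a session that is still open (Start without Stop) and a Stop whose Start was never logged, where the start time is inferred from Acct-Session-Time.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed sample of RADIUS accounting records in an ACS-style CSV layout.
# Column names and all values are made up for this example; they are not a real
# ACS export. Acct-Session-Time is only present on Interim-Update and Stop records.
SAMPLE_LOG = """\
Date,Time,User-Name,Acct-Status-Type,Acct-Session-Id,Framed-IP-Address,Calling-Station-Id,Acct-Session-Time
2012-03-05,08:01:12,jsmith,Start,0A1B2C3D,10.50.1.17,198.51.100.23,
2012-03-05,08:02:40,afoster,Start,0A1B2C3E,10.50.1.18,203.0.113.9,
2012-03-05,09:15:00,jsmith,Interim-Update,0A1B2C3D,10.50.1.17,198.51.100.23,4428
2012-03-05,10:31:55,jsmith,Stop,0A1B2C3D,10.50.1.17,198.51.100.23,9043
2012-03-05,11:00:03,bmalik,Stop,0A1B2C3F,10.50.1.19,192.0.2.77,600
"""


@dataclass
class Session:
    session_id: str
    user: str
    assigned_ip: Optional[str] = None   # Framed-IP-Address: address handed out from the ASA pool
    caller_ip: Optional[str] = None     # Calling-Station-Id: the user's public (remote) address
    start: Optional[datetime] = None
    stop: Optional[datetime] = None
    duration: Optional[int] = None      # Acct-Session-Time (seconds) from the Stop record
    start_inferred: bool = False        # True when start was derived as stop minus duration


def parse_timestamp(date_s: str, time_s: str) -> datetime:
    return datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M:%S")


def correlate_sessions(csv_text: str) -> Dict[str, Session]:
    """Fold Start/Interim-Update/Stop records into one Session per Acct-Session-Id."""
    sessions: Dict[str, Session] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        sid = row["Acct-Session-Id"]
        s = sessions.setdefault(sid, Session(session_id=sid, user=row["User-Name"]))
        ts = parse_timestamp(row["Date"], row["Time"])
        # Address attributes can appear on any record type; keep the latest non-empty value.
        if row["Framed-IP-Address"]:
            s.assigned_ip = row["Framed-IP-Address"]
        if row["Calling-Station-Id"]:
            s.caller_ip = row["Calling-Station-Id"]
        status = row["Acct-Status-Type"]
        if status == "Start":
            s.start = ts
            s.start_inferred = False
        elif status == "Stop":
            s.stop = ts
            if row["Acct-Session-Time"]:
                s.duration = int(row["Acct-Session-Time"])
            # Orphan Stop (Start never logged): back out the start from the reported duration.
            if s.start is None and s.duration is not None:
                s.start = ts - timedelta(seconds=s.duration)
                s.start_inferred = True
        # Interim-Update records only refresh the address fields handled above.
    return sessions


def who_had_address(sessions: Dict[str, Session], ip: str, at: datetime) -> Optional[str]:
    """Return the user holding pool address `ip` at time `at`, or None.
    A session without a Stop record is treated as still connected."""
    for s in sessions.values():
        if s.assigned_ip != ip or s.start is None:
            continue
        if s.start <= at and (s.stop is None or at <= s.stop):
            return s.user
    return None


def format_report(sessions: Dict[str, Session]) -> list:
    lines = []
    for s in sorted(sessions.values(), key=lambda x: x.start or datetime.max):
        start = s.start.isoformat(sep=" ") if s.start else "unknown"
        if s.start_inferred:
            start += " (inferred)"
        stop = s.stop.isoformat(sep=" ") if s.stop else "still connected"
        lines.append(f"{s.user:<8} pool={s.assigned_ip or '-':<12} from={s.caller_ip or '-':<15} {start} -> {stop}")
    return lines


if __name__ == "__main__":
    sessions = correlate_sessions(SAMPLE_LOG)
    for line in format_report(sessions):
        print(line)
    print("10.50.1.17 at 09:00 was:", who_had_address(sessions, "10.50.1.17", parse_timestamp("2012-03-05", "09:00:00")))
```

The lookup in who_had_address is the operationally important part: a pool address is reused across users over a day, so a log that records Framed-IP-Address without the Start/Stop times (or the times without the address) cannot attribute traffic seen from a pool address to a person. Keeping both on the same Acct-Session-Id is what RADIUS accounting gives you that the Passed Authentications report does not.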