Issue with AAA accounting for ASA RA VPN

Dear friends,

I posted this a while ago on Cisco Learning Network --> CCIE Security lab, but I am posting it here as well in the hope of a wider reach to the experts. Sorry for posting again.

I am trying to set up AAA accounting for VPN users that connect through the ASA.

The topology is simple:

Radius Server (10.11.11.25) -->(10.11.11.1)R1 (10.22.22.0/24)--Inside-->ASA1(192.1.22.0/24)--->Outside---->R2

ASA is the Easy VPN Server and R2 is the Easy VPN client. Authentication is through RADIUS.

Now, on R2 (hardware client), accounting for TCP flows to 10.11.11.0 is configured.

AAA accounting with start-stop records is working as expected. However, I am not able to get the required attributes passed as expected.

To explain more clearly, I have put some Wireshark capture screenshots and ACS reports and activity RADIUS accounting screenshots in a doc file attached for reference. Also, I have attached the Wireshark captures in a zip file, as the pcap file is not allowed.

Problem statement:

The issue is that when I enable aaa accounting on the inside interface, I get an unknown username, but the cisco-av-pair with the src/dst is correctly populated.

When I enable aaa accounting on the outside interface, I get the proper username along with Service-Type set to Framed and the Framed-IP-Address and Framed-Protocol attributes populated, but I don't get the cisco-av-pair attribute populated.

ASA version is 8.0.3. ACS is 4.1.1 Build 23 Patch 5. I don't think that it is an ACS problem, because I don't even see the attribute coming in the Wireshark captures from the ASA.

I am not sure if this is expected behaviour or not. Can anyone please help with this?

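Added here as an illustration, not part of the original post: a small Python decoder for RADIUS Accounting-Request attributes that reports which of the attributes the poster expects (User-Name, Service-Type, Framed-Protocol, Framed-IP-Address, cisco-av-pair) a given record lacks, so the inside/outside difference described above can be checked from a capture rather than by eye. It expands the Cisco vendor-specific attribute (vendor 9, vendor-type 1) as cisco-av-pair; the two sample records, the username and the av-pair strings are constructed for the example and are not taken from the attached captures.

```python
import struct

# RADIUS attribute numbers (RFC 2865/2866); the Cisco VSA is vendor 9, vendor-type 1
ATTR_NAMES = {1: "User-Name", 6: "Service-Type", 7: "Framed-Protocol",
              8: "Framed-IP-Address", 26: "Vendor-Specific", 40: "Acct-Status-Type"}
CISCO_VENDOR_ID = 9
# Attributes the post expects on every accounting record for a VPN user
EXPECTED = {"User-Name", "Service-Type", "Framed-Protocol", "Framed-IP-Address", "cisco-av-pair"}

def parse_attributes(packet: bytes) -> dict:
    """Decode a RADIUS packet's attribute list into {name: [values]}."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet size")
    attrs: dict = {}
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        raw = packet[pos + 2:pos + alen]
        pos += alen
        if (atype == 26 and len(raw) >= 6 and struct.unpack("!I", raw[:4])[0] == CISCO_VENDOR_ID
                and raw[4] == 1 and raw[5] == len(raw) - 4):  # Cisco av-pair VSA
            attrs.setdefault("cisco-av-pair", []).append(raw[6:].decode("ascii", "replace"))
            continue
        name = ATTR_NAMES.get(atype, "Attr-%d" % atype)
        if atype == 8:                      # Framed-IP-Address: 4-byte IPv4 address
            value = ".".join(str(b) for b in raw)
        elif atype in (6, 7, 40):           # integer-valued attributes
            value = struct.unpack("!I", raw)[0]
        else:
            value = raw.decode("ascii", "replace")
        attrs.setdefault(name, []).append(value)
    return attrs

def missing_attributes(packet: bytes) -> list:
    """Names from EXPECTED that the accounting record does not carry."""
    return sorted(EXPECTED - set(parse_attributes(packet)))

def build_acct_request(attrs) -> bytes:
    """Build an Accounting-Request (code 4) from (type, value) pairs; zero authenticator for test data."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body

def cisco_avpair(text: str) -> bytes:
    v = text.encode()
    return struct.pack("!IBB", CISCO_VENDOR_ID, 1, len(v) + 2) + v

# Constructed records modelled on the two cases in the post; av-pair text is a placeholder, not the real ASA format
INSIDE_RECORD = build_acct_request([(40, struct.pack("!I", 1)),
    (26, cisco_avpair("src=10.22.22.2")), (26, cisco_avpair("dst=10.11.11.25"))])
OUTSIDE_RECORD = build_acct_request([(40, struct.pack("!I", 1)), (1, b"vpnuser"),
    (6, struct.pack("!I", 2)), (7, struct.pack("!I", 1)), (8, bytes([10, 0, 0, 5]))])
```

Feed real Accounting-Request payloads (the UDP data of each packet in the capture) to `missing_attributes` to list, per record, which attributes the ASA did not send.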