Cisco ACS Reporting per AD Group possible?

Hi,

We are making use of a Cisco Secure ACS running Software Version : 5.2.0.26. (with a Cisco ASA 5510 Firewall sitting behind it doing the ACLs and NAT'ing etc.)

The ACS is used for authentication when our employees connect from the Internet to our VPN using the Cisco VPN Client. The ACS is set up to connect to our Active Directory Domain Controller so when a user connects to the VPN he/she uses their Active Directory username and password to authenticate and the ACS validates the credentials in AD via LDAP to the Domain Controller.

We have several different divisions in different geographical locations.

We would like to do reporting on VPN Connection History but it needs to be done per division so that we can send the report to the divisional LAN Administrator to check and ensure that the users connecting are all still valid VPN users and that nothing out of the ordinary is taking place with VPN Connections specific to his/her division.

My question is:

Can we somehow utilize groups that we have in Active Directory and do reports per AD group on VPN login history?

Example: All my VPN users for Division A are in the "Division A VPN Users" group in Active Directory. Can a custom report on the ACS be set up to report RADIUS Authentication for the last 7 days for any Active Directory accounts belonging to the "Division A VPN Users" group?

Thanks for any guidance on this one.

Best Regards,
Reinhard
Reinhard Rensburg (Infrastructure Manager) Asked:

Soulja (53 6F 75 6C 6A 61) Commented:
My experience with ACS is that it's not the best solution in regard to pulling reports. It's probably better to have the ACS send syslogs to something like Splunk where you will be able to organize and search through the data much better.
Reinhard Rensburg (Infrastructure Manager, Author) Commented:
Hi Soulja,

Thanks for your input,

Would it not be possible to create Identity Groups Locally on the ACS and link them to either AD Groups or add AD users to the local Identity Groups? This would be one way to solve my problems with reporting.
 
I also did some reading-up on the Help Document on the ACS, it's got a "Launch Interactive Viewer" option within the reporting but all the options are greyed out when I try that, and according to ACS documentation a Report Admin should be able to use those "Launch Interactive Viewer" functions to filter for all kinds of stuff, but mine seems to be disabled for some reason.

Thanks for any further help.

Regards,
Reinhard
Reinhard Rensburg (Infrastructure Manager, Author) Commented:
Hi,

I found the answer myself:

One can create local groups on the ACS and link them with groups in AD and then do custom reports per group. The reporting is actually quite powerful and we are now using it at all our divisions so that each divisional LAN Administrator can report on his own users' authentication etc.

Reinhard
Reinhard Rensburg (Infrastructure Manager, Author) Commented:
(accepting my own answer as solution as no one replied with an answer within a couple of weeks and I discovered the answer myself in the meantime by spending a lot of "R&D" time on the ACS myself)