Reinhard Rensburg

asked on

Cisco ACS Reporting per AD Group possible?

Hi,

We are making use of a Cisco Secure ACS running Software Version: 5.2.0.26 (with a Cisco ASA 5510 Firewall sitting behind it doing the ACLs and NAT'ing etc.).

The ACS is used for authentication when our employees connect from the Internet to our VPN using the Cisco VPN Client. The ACS is set up to connect to our Active Directory Domain Controller, so when a user connects to the VPN he/she uses their Active Directory username and password to authenticate and the ACS validates the credentials in AD via LDAP to the Domain Controller.

We have several different divisions in different geographical locations.

We would like to do reporting on VPN Connection History but it needs to be done per division so that we can send the report to the divisional LAN Administrator to check and ensure that the users connecting are all still valid VPN users and that nothing out of the ordinary is taking place with VPN Connections specific to his/her division.

My question is:

Can we somehow utilize groups that we have in Active Directory and do reports per AD group on VPN login history?

Example: All my VPN users for Division A are in the "Division A VPN Users" group in Active Directory. Can a custom report on the ACS be set up to report Radius Authentication for the last 7 days for any Active Directory accounts belonging to the "Division A VPN Users" group?

Thanks for any guidance on this one.

Best Regards,
Reinhard
Soulja

My experience with ACS is that it's not the best solution in regard to pulling reports. It's probably better to have the ACS send syslogs to something like Splunk where you will be able to organize and search through the data much better.
Reinhard Rensburg

ASKER

Hi Soulja,

Thanks for your input,

Would it not be possible to create Identity Groups Locally on the ACS and link them to either AD Groups or add AD users to the local Identity Groups? This would be one way to solve my problems with reporting.
 
I also did some reading-up on the Help Document on the ACS, it's got a "Launch Interactive Viewer" option within the reporting but all the options are greyed out when I try that, and according to ACS documentation a Report Admin should be able to use those "Launch Interactive Viewer" functions to filter for all kinds of stuff, but mine seems to be disabled for some reason.

Thanks for any further help.

Regards,
Reinhard
ASKER CERTIFIED SOLUTION
Reinhard Rensburg
(accepting my own answer as solution as no one replied with an answer within a couple of weeks and I discovered the answer myself in the meantime by spending a lot of "R&D" time on the ACS myself)