Cisco ACS Reporting per AD Group possible?

Posted on 2011-10-17
Medium Priority
Last Modified: 2012-05-12

We are making use of a Cisco Secure ACS running Software Version : (with a Cisco ASA 5510 Firewall sitting behind it doing the ACLs and NAT'ing etc.)

The ACS is used for authentication when our employees connect from the Internet to our VPN using the Cisco VPN Client. The ACS is set up to connect to our Active Directory Domain Controller, so when a user connects to the VPN he/she uses their Active Directory username and password to authenticate and the ACS validates the credentials in AD via LDAP to the Domain Controller.

We have several different divisions in different geographical locations.

We would like to do reporting on VPN Connection History but it needs to be done per division so that we can send the report to the divisional LAN Administrator to check and ensure that the users connecting are all still valid VPN users and that nothing out of the ordinary is taking place with VPN Connections specific to his/her division.

My question is:

Can we somehow utilize groups that we have in Active Directory and do reports per AD group on VPN login history?

Example: All my VPN users for Division A are in the "Division A VPN Users" group in Active Directory. Can a custom report on the ACS be set up to report RADIUS authentication for the last 7 days for any Active Directory accounts belonging to the "Division A VPN Users" group?

Thanks for any guidance on this one.

Best Regards,
Question by:ReinhardRensburg

Expert Comment

ID: 36988550
My experience with ACS is that it's not the best solution in regard to pulling reports. It's probably better to have the ACS send syslogs to something like Splunk where you will be able to organize and search through the data much better.

Author Comment

ID: 37024348
Hi Soulja,

Thanks for your input,

Would it not be possible to create Identity Groups Locally on the ACS and link them to either AD Groups or add AD users to the local Identity Groups? This would be one way to solve my problems with reporting.
I also did some reading-up on the Help Document on the ACS, it's got a "Launch Interactive Viewer" option within the reporting but all the options are greyed out when I try that, and according to ACS documentation a Report Admin should be able to use those "Launch Interactive Viewer" functions to filter for all kinds of stuff, but mine seems to be disabled for some reason.

Thanks for any further help.


Accepted Solution

ReinhardRensburg earned 0 total points
ID: 37248892

I found the answer myself:

One can create local groups on the ACS and link them with groups in AD and then do custom reports per group. The reporting is actually quite powerful and we are now using it at all our divisions so that each divisional LAN Administrator can report on his own users' authentication etc.


Author Closing Comment

ID: 37271808
(accepting my own answer as solution as no one replied with an answer within a couple of weeks and I discovered the answer myself in the meantime by spending a lot of "R&D" time on the ACS myself)

Question has a verified solution.