Cisco ACS Reporting per AD Group possible?

Posted on 2011-10-17
Last Modified: 2012-05-12

We are making use of a Cisco Secure ACS running Software Version : (with a Cisco ASA 5510 Firewall sitting behind it doing the ACLs and NAT'ing etc.)

The ACS is used for authentication when our employees connect from the Internet to our VPN using the Cisco VPN Client. The ACS is set up to connect to our Active Directory Domain Controller, so when a user connects to the VPN he/she uses their Active Directory username and password to authenticate and the ACS validates the credentials in AD via LDAP to the Domain Controller.

We have several different divisions in different geographical locations.

We would like to do reporting on VPN Connection History but it needs to be done per division so that we can send the report to the divisional LAN Administrator to check and ensure that the users connecting are all still valid VPN users and that nothing out of the ordinary is taking place with VPN Connections specific to his/her division.

My question is:

Can we somehow utilize groups that we have in Active Directory and do reports per AD group on VPN login history?

Example: All my VPN users for Division A are on the "Division A VPN Users" group in Active Directory. Can a custom report on the ACS be set up to report RADIUS Authentication for the last 7 days for any Active Directory accounts belonging to the "Division A VPN Users" group?

Thanks for any guidance on this one.

Best Regards,
Question by: ReinhardRensburg

    Expert Comment

    My experience with ACS is that it's not the best solution in regard to pulling reports. It's probably better to have the ACS send syslogs to something like Splunk where you will be able to organize and search through the data much better.

    Author Comment

    Hi Soulja,

    Thanks for your input,

    Would it not be possible to create Identity Groups Locally on the ACS and link them to either AD Groups or add AD users to the local Identity Groups? This would be one way to solve my problems with reporting.
    I also did some reading-up on the Help Document on the ACS, it's got a "Launch Interactive Viewer" option within the reporting but all the options are greyed out when I try that, and according to ACS documentation a Report Admin should be able to use those "Launch Interactive Viewer" functions to filter for all kinds of stuff, but mine seems to be disabled for some reason.

    Thanks for any further help.


    Accepted Solution


    I found the answer myself:

    One can create local groups on the ACS and link them with groups in AD and then do custom reports per group. The reporting is actually quite powerful, and we are now using it at all our divisions so that each divisional LAN Administrator can report on his own users' authentication etc.


    Author Closing Comment

    (accepting my own answer as solution as no one replied with an answer within a couple of weeks and I discovered the answer myself in the meantime by spending a lot of "R&D" time on the ACS myself)
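
The per-division report discussed in this thread, sketched as an added example that is not part of the original posts and is not Cisco's code. It assumes authentication records have been exported or forwarded as text lines carrying the identity group mapped from AD; the line layout, the attribute names (`UserName`, `IdentityGroup`, `CallingStationID`) and the sample records are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records; layout and attribute names are assumptions.
SAMPLE_LOG = """\
2011-10-10 08:02:11 Passed UserName=asmith, IdentityGroup=Division A VPN Users, CallingStationID=198.51.100.7
2011-10-15 22:47:03 Failed UserName=asmith, IdentityGroup=Division A VPN Users, CallingStationID=203.0.113.9
2011-10-16 07:55:40 Passed UserName=bjones, IdentityGroup=Division B VPN Users, CallingStationID=198.51.100.23
2011-10-16 23:10:02 Failed UserName=asmith, IdentityGroup=Division A VPN Users, CallingStationID=203.0.113.9
2011-10-17 06:30:15 Passed UserName=cdoe, IdentityGroup=Division A VPN Users, CallingStationID=198.51.100.40
2011-10-17 09:00:00 Passed UserName=ghost
"""

LINE_RE = re.compile(r"^(\S+ \S+) (Passed|Failed) (.*)$")

def parse_line(line):
    """Return (timestamp, status, attrs) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    attrs = dict(kv.split("=", 1) for kv in m.group(3).split(", ") if "=" in kv)
    return when, m.group(2), attrs

def report_by_group(log_text, now, days=7):
    """Count logins per user and group; records with no group go to UNMAPPED."""
    cutoff = now - timedelta(days=days)
    report = {}
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None or not cutoff <= rec[0] <= now:
            continue
        _, status, attrs = rec
        group = attrs.get("IdentityGroup", "UNMAPPED")
        row = report.setdefault(group, {}).setdefault(
            attrs.get("UserName", "?"), {"Passed": 0, "Failed": 0, "sources": set()})
        row[status] += 1
        if "CallingStationID" in attrs:
            row["sources"].add(attrs["CallingStationID"])
    return report

def format_report(report, group):
    lines = [f"VPN authentication report: {group}"]
    for user, row in sorted(report.get(group, {}).items()):
        src = ",".join(sorted(row["sources"])) or "-"
        lines.append(f"  {user}: passed={row['Passed']} failed={row['Failed']} sources={src}")
    return "\n".join(lines)

if __name__ == "__main__":
    rep = report_by_group(SAMPLE_LOG, now=datetime(2011, 10, 17, 12, 0, 0))
    print("\n".join(format_report(rep, g) for g in sorted(rep)))
```

The `UNMAPPED` bucket collects accounts that authenticated without belonging to any division's group, which no divisional administrator would otherwise see in their own report.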
