topic Re: Correlate VPN User to IP in General Topics

Correlate VPN User to IP

SoftwareMedia — Tue, 13 Apr 2010 22:02:55 GMT

Is there currently an easy way to Correlate a VPN user in trafic logs with the IP the user authenticated from?

For now I am having to view the traffic in the Traffic log note the user then goto the System logs and correlate the date / time of the VPN login go see the IP they authenticated from.

-Michael

Re: Correlate VPN User to IP

nrice — Thu, 15 Apr 2010 02:44:41 GMT

If you create a zone for your VPN users, you can filter on that zone name in the traffic log to quickly view the VPN users and their source addresses.

Re: Correlate VPN User to IP

SoftwareMedia — Tue, 20 Apr 2010 17:07:36 GMT

Maybe I have something configured wrong. While that does produce an easy filter to see VPN users and their IP it shows the address the users has been assigned from the VPN Address pool (172.16.1.1/25) I am wanting to see the IP address of the machine that the user authenticated from.

In System logs with Filter set to: (eventid eq sslvpn-regist-succ)

it shows the IP address the user authenticated from: (SSL VPN user login succeeded. Login from:75.152.213.61, User name: USER.)

I am trying to correlate 75.152.213.61 to 172.16.1.1 to USER in the traffic logs for a given date / time without having to jump back and forth from Traffic logs and System logs. Most of my VPN users login from a static or near static IP (IP changes once ever 3 months) for all my efforts to educate they are still very careless with their credential, leaving them on postit notes and the like for anyone to see. If I can easily correlate USER to the IP they authenticate from it makes it easier to determine if their credentials have been compromised.

-Michael

Re: Correlate VPN User to IP

swhyte — Tue, 20 Apr 2010 20:44:41 GMT

Hello Michael,

I believe the command that you are looking is found in the cli and it is as follows:

> show ssl-vpn current-user

thanks,

Stephen

Re: Correlate VPN User to IP

SoftwareMedia — Tue, 11 May 2010 19:21:35 GMT

Thanks for the tip!

> show ssl-vpn current-user

Does exactly what I am looking for, for currently logged in users. I am also very interested in getting that same view from the logs. It would allow me to audit VPN access very quickly.

Re: Correlate VPN User to IP

frank_henry — Fri, 05 Aug 2011 18:12:41 GMT

+1 on desire to have the VPN user logged in the User field in the Traffic log

Re: Correlate VPN User to IP

rapoint_person — Mon, 08 Aug 2011 07:09:52 GMT

Enable user identification in the zone where you have your tunnel interface (for the SSLVPN portal) and specify the IP-pool network as well. After that you should have your SSLVPN users in ACC/Log