Correlate VPN User to IP


Is there currently an easy way to correlate a VPN user in traffic logs with the IP the user authenticated from?

For now I am having to view the traffic in the Traffic log, note the user, then go to the System logs and correlate the date / time of the VPN login to see the IP they authenticated from.

-Michael

6 REPLIES

L5 Sessionator

If you create a zone for your VPN users, you can filter on that zone name in the traffic log to quickly view the VPN users and their source addresses.

Maybe I have something configured wrong. While that does produce an easy filter to see VPN users and their IP, it shows the address the user has been assigned from the VPN address pool (172.16.1.1/25). I am wanting to see the IP address of the machine that the user authenticated from.

In System logs with Filter set to: (eventid eq sslvpn-regist-succ)

it shows the IP address the user authenticated from: (SSL VPN user login succeeded. Login from:75.152.213.61, User name: USER.)

I am trying to correlate 75.152.213.61 to 172.16.1.1 to USER in the traffic logs for a given date / time without having to jump back and forth between the Traffic logs and System logs. Most of my VPN users log in from a static or near-static IP (IP changes once every 3 months). For all my efforts to educate, they are still very careless with their credentials, leaving them on Post-it notes and the like for anyone to see. If I can easily correlate USER to the IP they authenticate from, it makes it easier to determine if their credentials have been compromised.

-Michael

Hello Michael,

I believe the command that you are looking for is found in the CLI and it is as follows:

> show ssl-vpn current-user

thanks,

Stephen

Thanks for the tip!

> show ssl-vpn current-user

Does exactly what I am looking for, for currently logged in users. I am also very interested in getting that same view from the logs. It would allow me to audit VPN access very quickly.

L2 Linker

+1 on desire to have the VPN user logged in the User field in the Traffic log

Enable user identification in the zone where you have your tunnel interface (for the SSLVPN portal) and specify the IP-pool network as well. After that you should have your SSLVPN users in ACC/Log.
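An added example, not part of any post in this thread: an offline way to do the correlation asked about above, joining the `sslvpn-regist-succ` login messages to traffic entries by user and time and flagging a login address the user has not used before. The message text is the one quoted in the thread; the comma-separated export layouts, the timestamps and the address 203.0.113.9 are constructed assumptions, and `parse_logins` / `correlate` are hypothetical helper names.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Message text as quoted in the thread for eventid sslvpn-regist-succ.
LOGIN_RE = re.compile(r"SSL VPN user login succeeded\. Login from:\s*([0-9.]+), User name:\s*(\S+?)\.?$")
FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample data. The "timestamp,message" and "timestamp,user,pool_ip"
# layouts are assumptions for this example, not an actual PAN-OS export format.
SYSTEM_LOG = """\
2012/03/01 08:02:11,SSL VPN user login succeeded. Login from:75.152.213.61, User name: USER.
2012/03/02 08:01:47,SSL VPN user login succeeded. Login from:75.152.213.61, User name: USER.
2012/03/03 02:14:30,SSL VPN user login succeeded. Login from:203.0.113.9, User name: USER.
"""
TRAFFIC_LOG = """\
2012/03/02 09:15:00,USER,172.16.1.1
2012/03/03 02:20:05,USER,172.16.1.1
"""

def parse_logins(text):
    """Return {user: [(login_time, source_ip), ...]} sorted by time."""
    logins = {}
    for line in text.splitlines():
        ts, _, msg = line.partition(",")  # the message itself contains commas
        m = LOGIN_RE.search(msg)
        if m:
            logins.setdefault(m.group(2), []).append((datetime.strptime(ts, FMT), m.group(1)))
    for events in logins.values():
        events.sort()
    return logins

def correlate(traffic_text, logins):
    """Return (time, user, pool_ip, auth_ip, is_new_ip) per traffic row.

    auth_ip is the source of the user's latest login at or before the row.
    is_new_ip is True when that address appears in none of the user's earlier
    logins; a user's first recorded login has no baseline and is not flagged.
    """
    rows = []
    for line in traffic_text.splitlines():
        ts, user, pool_ip = line.split(",")
        events = logins.get(user, [])
        i = bisect_right(events, (datetime.strptime(ts, FMT), "\xff"))
        auth_ip = events[i - 1][1] if i else None
        earlier = {ip for _, ip in events[: max(i - 1, 0)]}
        rows.append((ts, user, pool_ip, auth_ip, bool(earlier) and auth_ip not in earlier))
    return rows

if __name__ == "__main__":
    for row in correlate(TRAFFIC_LOG, parse_logins(SYSTEM_LOG)):
        print(row)
```

The match assumes the most recent login before a traffic entry is the session that produced it; logouts and concurrent sessions for the same user are not modelled.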
