04-13-2010 03:02 PM
Is there currently an easy way to correlate a VPN user in traffic logs with the IP the user authenticated from?
For now I am having to view the traffic in the Traffic log, note the user, then go to the System logs and correlate the date / time of the VPN login to see the IP they authenticated from.
-Michael
04-20-2010 10:07 AM
Maybe I have something configured wrong. While that does produce an easy filter to see VPN users and their IP, it shows the address the user has been assigned from the VPN address pool (172.16.1.1/25). I am wanting to see the IP address of the machine that the user authenticated from.
In System logs with Filter set to: (eventid eq sslvpn-regist-succ)
it shows the IP address the user authenticated from: (SSL VPN user login succeeded. Login from:75.152.213.61, User name: USER.)
I am trying to correlate 75.152.213.61 to 172.16.1.1 to USER in the traffic logs for a given date / time without having to jump back and forth between Traffic logs and System logs. Most of my VPN users log in from a static or near-static IP (IP changes once every 3 months). For all my efforts to educate, they are still very careless with their credentials, leaving them on Post-it notes and the like for anyone to see. If I can easily correlate USER to the IP they authenticate from, it makes it easier to determine if their credentials have been compromised.
-Michael
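The manual System log / Traffic log correlation described in the post above, as an added Python example that is not part of the original thread or any vendor tooling. It assumes both logs were exported as rows with a `YYYY/MM/DD HH:MM:SS` timestamp and that the traffic rows already carry the user name; the row layout, function names and the address 203.0.113.7 are constructed for illustration.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Message text for eventid sslvpn-regist-succ, as quoted in the thread.
LOGIN_RE = re.compile(
    r"SSL VPN user login succeeded\. Login from:\s*([\d.]+), User name:\s*(\S+?)\.?$")
FMT = "%Y/%m/%d %H:%M:%S"  # assumed timestamp layout of the export

# Constructed sample rows, not real log data.
SYSTEM_ROWS = [  # (time, description)
    ("2010/04/19 08:01:10", "SSL VPN user login succeeded. Login from:75.152.213.61, User name: USER."),
    ("2010/04/20 02:14:55", "SSL VPN user login succeeded. Login from:203.0.113.7, User name: USER."),
    ("2010/04/20 02:15:00", "Unrelated system event"),
]
TRAFFIC_ROWS = [  # (time, user, address assigned from the VPN pool)
    ("2010/04/19 08:05:00", "USER", "172.16.1.1"),
    ("2010/04/20 02:20:31", "USER", "172.16.1.1"),
    ("2010/04/18 23:00:00", "USER", "172.16.1.1"),  # earlier than any login in the export
]

def login_timeline(system_rows):
    """Return {user: [(login_time, public_ip), ...]} sorted by time."""
    timeline = {}
    for ts, desc in system_rows:
        m = LOGIN_RE.search(desc)
        if m:  # rows that are not VPN logins are skipped
            timeline.setdefault(m.group(2), []).append((datetime.strptime(ts, FMT), m.group(1)))
    for logins in timeline.values():
        logins.sort()
    return timeline

def correlate(traffic_rows, timeline):
    """Add to each traffic row the public IP of the user's latest login at or before it."""
    out = []
    for ts, user, pool_ip in traffic_rows:
        logins = timeline.get(user, [])
        i = bisect_right(logins, (datetime.strptime(ts, FMT), "\uffff"))
        out.append((ts, user, pool_ip, logins[i - 1][1] if i else None))
    return out

def new_source_logins(timeline):
    """Logins from an IP the user has not used earlier in the export (first login is the baseline)."""
    flagged = []
    for user, logins in timeline.items():
        seen = {logins[0][1]}
        for when, ip in logins[1:]:
            if ip not in seen:
                flagged.append((user, when.strftime(FMT), ip))
            seen.add(ip)
    return flagged
```

A `None` in the last column means the export holds no login for that user before the traffic row, so the System log range needs to be widened before drawing a conclusion.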
04-20-2010 01:44 PM
Hello Michael,
I believe the command that you are looking for is found in the CLI, and it is as follows:
> show ssl-vpn current-user
thanks,
Stephen
05-11-2010 12:21 PM
Thanks for the tip!
> show ssl-vpn current-user
Does exactly what I am looking for, for currently logged in users. I am also very interested in getting that same view from the logs. It would allow me to audit VPN access very quickly.
08-05-2011 11:12 AM
+1 on desire to have the VPN user logged in the User field in the Traffic log
08-08-2011 12:09 AM
Enable user identification in the zone where you have your tunnel interface (for the SSLVPN portal) and specify the IP-pool network as well. After that you should have your SSLVPN users in ACC/Log.