Logging and Accounting
IAS can log authentication requests and capture accounting data from the NAS. To view or change the current log settings, open the Internet Authentication Service snap-in, right-click the Local File item in the Remote Access Logging container, then choose Properties. In this window, select the Log accounting requests and Log authentication requests check boxes. To capture accounting information from a Cisco NAS, you must also add the command

aaa accounting network default start-stop group radius

when you configure the NAS.

After you enable logging, select the Local File tab on the Local File properties page to control where the IAS server stores the log files, how often it starts a new log file, and which file format it uses. I recommend creating log files daily or weekly, depending on the server workload, and storing them on a volume separate from the system volume.

Restricting Network Access with Per-User ACLs
Because IAS, the RADIUS protocol, and the AAA framework are all flexible, together they present many configuration possibilities. For the authorization options that you configure on IAS to take effect on the NAS, you must include the command

aaa authorization network default group radius

in the NAS configuration. This command tells the router to use and enforce the options that you configured on the authentication server when authenticating users.

The RADIUS protocol includes a vendor-specific attribute (number 26) that permits extensive vendor support. One of the most interesting and useful applications of this extensibility is the implementation of per-user ACLs. Per-user ACLs let you restrict any dial-up or VPN user to a specific subset of network resources at the network layer. For example, you can use this functionality to restrict vendor access to only the equipment for which the vendor is responsible or to ensure that your corporate dial-up connection isn't used for Internet access. Figure 5 illustrates this flexibility by showing how a per-user ACL limits the remote access of one user, Henry, but doesn't interfere with the remote access of another user, Mary.
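The per-user ACL delivery described above, as an added example that is not from the article: a Python parser that pulls the ordered "ip:inacl#N=" rules out of the Vendor-Specific attribute (26) of a RADIUS Access-Accept. It assumes Cisco's IANA vendor number 9 and vendor type 1 (cisco-avpair), and works on a constructed attribute list for a user like Henry rather than on a captured packet.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute
CISCO_VENDOR_ID = 9         # Cisco's IANA enterprise number (assumed, not from the article)
CISCO_AVPAIR = 1            # vendor type of cisco-avpair inside VSA 26 (assumed)

def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS Type-Length-Value attribute list."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(attrs: bytes):
    """Return cisco-avpair strings carried in VSA 26 entries for vendor 9; other vendors are ignored."""
    pairs = []
    for atype, value in parse_attributes(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attributes(value[4:]):  # vendor sub-attributes are TLV too
            if vtype == CISCO_AVPAIR:
                pairs.append(vvalue.decode("ascii", errors="replace"))
    return pairs

def per_user_acl(attrs: bytes):
    """Return the inbound per-user ACL lines in sequence-number order."""
    acl = {}
    for pair in cisco_avpairs(attrs):
        if pair.startswith("ip:inacl#") and "=" in pair:
            seq, rule = pair[len("ip:inacl#"):].split("=", 1)
            if seq.isdigit():
                acl[int(seq)] = rule
    return [acl[k] for k in sorted(acl)]

def build_vsa(avpair: str) -> bytes:
    """Encode one cisco-avpair as a VSA 26 attribute (used only to build the sample below)."""
    body = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, 2 + len(avpair)]) + avpair.encode()
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body

# Constructed Access-Accept attributes: Framed-IP-Address (8) plus a two-line ACL that
# confines the user to one host and denies everything else.
HENRY_ATTRS = (bytes([8, 6, 10, 1, 1, 50])
               + build_vsa("ip:inacl#1=permit ip any host 10.1.1.10")
               + build_vsa("ip:inacl#2=deny ip any any"))
```

Running per_user_acl(HENRY_ATTRS) yields the two ACL lines in order; an Access-Accept with no Cisco VSAs yields an empty list, which the NAS treats as no per-user restriction.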


Reader Comments

Very useful

leandro.jorge

Article Rating 5 out of 5

It does not address IPSec VPN dial-in. I am having a hard time finding an article that addresses this with IAS (just with other RADIUS servers). I followed a Cisco example and still get bad username or password (even when storing in reverse encryption).

robertevanmartin

Article Rating 3 out of 5

No real config examples. Too little Information.

jhenriks

Article Rating 1 out of 5

Good introduction to the topic but no specific configuration commands. I am looking for something with start-to-finish commands.

claudcutler

Article Rating 2 out of 5

Readers, your suggestions are good ones. We will work on publishing some follow-up articles that provide specific configuration steps as well as the request for information on configuring IPsec VPN.

AnneG_editor

Article Rating 4 out of 5
