Logging Attributes in ACS Reports


When using ACS, you can see special attributes in the ACS reports. These special attributes are designed to give the administrator more information that would not normally be seen in an accounting log on an AAA server. These attributes are special because they are derived from the ACS configuration that you create. These attributes include the following:

  • User-Defined Attributes

  • Access Device

  • Network Device Group

  • Device Command Set

  • Filter Information

  • ExtDB Info

These logging attributes are discussed in greater detail in the next few sections.

NOTE

All attributes for the user are based on the group of which that user is a member. This might be a specific group, or it could be a generic group based on the unknown user authentication policy. The Unknown User Policy is discussed in Chapter 11, "System Configuration."


User-Defined Attributes

User attributes appear in the attributes list for any log configuration page that includes information about the user. The default text box labels are Real Name, Description, User Field 3, 4, and 5 from the user configuration page. Remember that you can change these values to appear with information that is relevant to your users.

To configure user-defined attributes fields, follow these steps:

Step 1.

Select Interface Configuration.

Step 2.

Choose User Attributes.

Step 3.

From the User Attributes configuration page, enter the attribute field labels as you want them to appear. This is seen in Figure 12-2. Note that this action dictates only how these attribute field labels appear in the user-configuration page; you still need to enter the individual user attributes in each profile.

Figure 12-2. Configuring User-Defined Fields


When a user authenticates, these "user-defined" attributes are entered into the report to give you additional information. In Figure 12-3, you can see the attributes as they appear in User Setup, and in Figure 12-4, you can see how they appear in the Passed Authentications report.

Figure 12-3. User Attributes in User Setup


Figure 12-4. User-Defined Attributes in the Passed Authentications Report


Access Device

The Access Device attribute reflects the name of the AAA client configuration that is sending logging information to ACS. When AAA clients perform a transaction with ACS, the AAA client includes information that authenticates it to ACS. This is done using a shared secret key. All this information is located in Network Configuration and can be seen in Figure 12-5.

Figure 12-5. Network Configuration


ACS uses this information to match the request against an AAA client configuration from the list of AAA clients in the Network Configuration page. When a match is found, ACS logs the name of that AAA client configuration entry to its report. This can be seen in Figure 12-6. Notice that the entry in this field has the same name as the AAA client entry found in Figure 12-5.

Figure 12-6. Access Device in the Passed Authentications Report


Network Device Group

The Network Device Group attribute indicates the name of the Network Device Group of which the AAA client is a member. When a user authenticates through different AAA clients, each AAA client may be a member of a different network device group, depending on your network configuration. In the previous section on the Access Device attribute, you can see in Figure 12-5 that the vms access device is not a member of a Network Device Group. In Figure 12-6, you see that the Network Device Group field in the Passed Authentications log is blank. Adding the vms access device to a Network Device Group causes the additional information to be logged to the ACS report. You can see the result in Figure 12-7.

Figure 12-7. Network Device Attribute in the Passed Authentications Report


Device Command Set

The purpose of the Device Command Set attribute is to indicate the name of the command authorization set that was used to fulfill a command authorization request. If a command authorization request passes, you will not see the name of the command authorization set in a log file. If a command authorization attempt fails, you will see the name of the command authorization set that caused the failure, as well as information such as the reason for the failure.

Filter Information

Remember that when you configure Network Access Restrictions (NARs), a user's access can be permitted or denied based on the network access server (NAS) through which they access the network. If a NAR is assigned to a user, this attribute indicates whether all the applicable NARs permitted the user access or denied the user access. More specific information is also given that indicates which NAR, if multiple NARs are used, denied the user access. The output can be seen in Figure 12-8. If no NARs are applied, this attribute also indicates that status. As you can tell from the figure, all filters passed, which indicates that the user was allowed access. You can see this attribute information in the Passed Authentications log or the Failed Attempts log.

Figure 12-8. Filter Information in the Passed Authentications Report


ExtDB Info

If you have configured ACS to authenticate users to an external database, the ExtDB Info attribute contains the information that was returned by that database. For Windows NT/2000 external database authentication, this returns the domain name from which the user authenticated. For other external databases, such as CRYPTOCard authentication servers, RSA's SecurID, LDAP servers, and other external servers that are supported in ACS, the information returned is authentication information. In Figure 12-9, you can see that the username ext-user authenticated from an external database called SERVER.

Figure 12-9. External Database Attribute in the Passed Authentications Report
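A small defender-side check over the attributes described above, added here as an example (it is not from the book and not ACS code): it parses a constructed Passed Authentications CSV export whose column names match these attributes (the exact header layout of a real ACS export, and the "No filters activated" wording, are assumptions), then flags AAA clients that are outside any Network Device Group, tallies authentications per external database, and lists logins where no NAR applied.

```python
import csv
import io

# Constructed sample rows in the shape of an ACS "Passed Authentications" CSV
# export. Column names follow the attributes discussed above; the header
# layout and every row value are invented for this example.
SAMPLE_CSV = """Date,Time,User-Name,Group-Name,NAS-IP-Address,Access Device,Network Device Group,Filter Information,ExtDB Info
01/14/2006,09:01:12,jdoe,Default Group,10.1.1.1,vms,,All filters passed,
01/14/2006,09:02:45,ext-user,Default Group,10.1.1.1,vms,Core Switches,All filters passed,SERVER
01/14/2006,09:03:10,jdoe,Default Group,10.1.1.2,r2,Core Switches,All filters passed,
01/14/2006,09:04:30,admin,Default Group,10.1.1.3,edge-fw,,No filters activated,
"""


def parse_report(text):
    """Return the CSV export as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def devices_without_ndg(rows):
    """AAA clients that authenticated users while the Network Device Group
    column was blank, i.e. clients not yet assigned to any group (the case
    the vms device shows in Figure 12-6)."""
    return sorted({r["Access Device"] for r in rows if not r["Network Device Group"]})


def external_auth_by_db(rows):
    """Count passed authentications per external database, using the
    ExtDB Info value (blank means the internal ACS database was used)."""
    counts = {}
    for r in rows:
        db = r["ExtDB Info"]
        if db:
            counts[db] = counts.get(db, 0) + 1
    return counts


def unfiltered_logins(rows):
    """(user, access device) pairs whose Filter Information shows that no
    NAR was applied, so no NAS-based restriction was evaluated for them.
    The marker text is an assumption for this example."""
    return [(r["User-Name"], r["Access Device"])
            for r in rows if r["Filter Information"] == "No filters activated"]


if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    print("AAA clients with no Network Device Group:", devices_without_ndg(rows))
    print("External database authentications:", external_auth_by_db(rows))
    print("Logins with no NAR applied:", unfiltered_logins(rows))
```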


Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173