Airwave accounting

  • 1.  Airwave accounting

    Posted May 28, 2013 10:21 AM

    hi,

     

    We are using Cisco ACS for authentication of our network admins to Airwave.  Is it possible to also enable accounting of the users login and activities so that I can see what the user has done on Airwave ?

     

    Can I also see the IP address of the machine that the user has logged into Airwave from ?

     

    thanks



  • 2.  RE: Airwave accounting

    EMPLOYEE
    Posted May 28, 2013 05:37 PM

    I'd expect activity to already be tracked in the System -> Event Log (is this not the same that you're looking for?).  IP addresses aren't shown in the GUI, but you can get an idea from /var/log/httpd/access_log.  Note that this logging goes back only 4 days; to keep more, you will want to look into exporting to an external syslog server or creating a script to scp the access logs as a cron job.
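
The cron-job approach suggested in the reply above, sketched as an added example (not part of the original thread and not Aruba's own tooling). The archive directory, remote destination, script path, rotated-file naming (`access_log*`) and the default Apache log format with the client address in the first field are assumptions.

```shell
#!/bin/sh
# Added example: keep AMP web access logs beyond the on-box retention window.
# Hypothetical cron entry: 15 2 * * * /usr/local/sbin/amp-log-archive.sh --run
set -u

SRC_DIR="${SRC_DIR:-/var/log/httpd}"              # log location named in the thread
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/archive/httpd}"  # hypothetical local staging dir
REMOTE="${REMOTE:-}"      # hypothetical, e.g. loguser@loghost:/srv/amp-logs/

# Copy each access_log* file into the archive under a content-hash suffix.
# An unchanged file is skipped; a file that grew since the last run is stored
# again under a new name, so earlier copies are never overwritten.
# Prints the number of new copies made. Runs in a subshell to keep variables local.
archive_logs() (
    src="$1"; dst="$2"; copied=0
    mkdir -p "$dst" || exit 1
    for f in "$src"/access_log*; do
        [ -f "$f" ] || continue
        sum=$(sha256sum "$f" | cut -c1-16)
        name="$(basename "$f").$sum"
        if [ ! -e "$dst/$name" ]; then
            cp -p "$f" "$dst/$name" && copied=$((copied + 1))
        fi
    done
    echo "$copied"
)

# Requests per client address, busiest first. Assumes the default Apache
# common/combined format, where the client address is the first field.
requests_per_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' "$@" |
        sort -k1,1nr -k2,2
}

main() {
    archive_logs "$SRC_DIR" "$ARCHIVE_DIR" >/dev/null || exit 1
    # Ship the staged copies off-box only when a destination is configured.
    # Assumes key-based SSH authentication for the cron user.
    if [ -n "$REMOTE" ]; then
        scp -q -p "$ARCHIVE_DIR"/* "$REMOTE"
    fi
}

# Do nothing unless explicitly asked to run (as the cron entry does).
if [ "${1:-}" = "--run" ]; then main; fi
```

Timestamps in the archived access log can then be matched against the Event Log entries to tie a logged action to a source address.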



  • 3.  RE: Airwave accounting

    Posted May 29, 2013 07:52 AM

    Hi,

     

    I see the info in the Event log (although mine only goes back two days), and the information in there is what I need, but I need this information to go back further.  

     

    For example, I need to be able to accommodate the scenario of identifying who made a config change in Airwave 1 month ago.

     

    It sounds like I need to work out a way of exporting the event log to our syslog server, could you point me in the right direction as to how I can get that done ?

     

    Also,  is it possible to configure Airwave so that it's only possible to login to it using the local account if the external TACACS/RADIUS server is unavailable ?

     

    Thanks



  • 4.  RE: Airwave accounting

    EMPLOYEE
    Posted May 29, 2013 05:14 PM

    You can set up external logging on the AMP Setup -> General tab -> External Logging box.  This requires you to have an external syslog server with the appropriate network firewall paths open between the AMP and syslog server.  In the absence of a syslog server, there's still the cronjob suggestion.

     

    As far as the last part about making it only possible to log in using local account, it's a fall through method based on your AMP Setup -> Authentication tab settings.  If Authentication Priority is local, then the AMP checks the internal user db before checking the external auth servers.  If it's set to remote, then it will check the external auth servers before looking at the local user db.  It's an if / else option where if one fails, it will attempt to log in using the inputted credentials on the other.  It'd be a feature request to have this behavior modified.  (Did this answer the last question?  I'm unsure if I completely understood.)



  • 5.  RE: Airwave accounting

    Posted May 30, 2013 10:01 AM

    Hi Rob,

     

    Thanks again for your response,  the external logging to syslog will do what I need.

     

    In regards to the local/remote authentication.    I would prefer that it works similar to the Aruba controller.  i.e.  If it's set to remote, then the local account will only work if the remote authentication server is unavailable.   This stops anyone logging in using the local account.

     

    From an audit perspective, this is a problem as I don't know who the actual person is that has logged in with the local account.

     

    From your response, it would seem that this is not possible, or have I misunderstood your explanation ?

     

    Thanks

     

    Lee



  • 6.  RE: Airwave accounting

    EMPLOYEE
    Posted May 30, 2013 11:40 AM

    It would be a feature request to change authentication to the way you're describing.  The best way at this time to perform similar functionality is to not share the general local account, but instead create separate accounts for all AMP users in the localdb.  The username doesn't have to be unique from the authentication server either.