Friday, August 17, 2012

Checking VPN logs... CiscoSecure ACS v4.0

I was asked to create a "simple time clock" front end that integrates with our users' HR data (downloaded nightly in a data pull I built from HRB). One of the potential pitfalls I pointed out to the person requesting the interface and data objects was that, since most of our technical staff have VPN access turned on by default, they could potentially clock in or out from home.

So I started my search for a way to determine whether a user was on our network from their desk or via VPN. My network engineer pointed me to the interface showing the logs. I saw how simple the output was and figured it was just reading from a text file. Sure 'nuf, I found the text file locally on the domain controllers. There are probably multiple ways to determine how someone is connected, but I couldn't come up with any off the top of my head after a brief pow-wow with my network engineer, so this is the direction I went.

I found the domain controllers that held the logs (.csv files) for passed authentications. They were located in Program Files\CiscoSecure ACS v4.0\Logs\Passed Authentications, and the files were named Passed Authentications Active.csv. Ahhh, data, data, data...

When a user logs into the simple time clock application, I check these log files for the user name together with the text "Remote Access (VPN)", and look at how old the most recent matching entry is. If it's older than a set threshold, say an hour, I treat the user as not being on VPN; otherwise the clock-in is refused. It's a heuristic, but it gives me some assurance that the web app is not being accessed by someone connected via VPN.
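The check described above, written out as an added example that is not the original post's code. It assumes a column layout in the style of an ACS 4.x passed-authentications CSV (Date, Time, User-Name, Network Device Group and so on, with "Remote Access (VPN)" appearing in the device-group column); the real export has more columns and the names here are assumptions, so the header row should be confirmed against an actual file. The sample log lines are constructed. One point the post glosses over: match the user name on its own column rather than as a substring of the whole line, or "jsmith" will also hit "jsmith2"'s VPN sessions. Names are also normalized so that a DOMAIN\user or user@realm form in the log still compares with the name the web app sees.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the style of an ACS 4.x "Passed Authentications" CSV.
# The column set and the "Remote Access (VPN)" device-group value are
# assumptions for this example, not copied from a real ACS export.
SAMPLE_LOG = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-IP-Address,Network Device Group
08/17/2012,07:40:09,Authen OK,jsmith,Engineers,10.8.0.23,192.0.2.10,Remote Access (VPN)
08/17/2012,08:02:41,Authen OK,adoe,Engineers,10.1.4.55,192.0.2.11,Wired Switches
08/17/2012,08:40:09,Authen OK,JSMITH2,Engineers,10.8.0.31,192.0.2.10,Remote Access (VPN)
08/17/2012,08:45:30,Authen OK,CORP\\adoe,Engineers,10.8.0.40,192.0.2.10,Remote Access (VPN)
"""

VPN_TAG = "Remote Access (VPN)"

# "Now" frozen for the sample so the example is reproducible offline.
NOW_SAMPLE = datetime(2012, 8, 17, 8, 50, 0)


def parse_passed_auths(text):
    """Yield (timestamp, user, device_group) for each row of the CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    for row in reader:
        try:
            stamp = datetime.strptime(row["Date"] + " " + row["Time"],
                                      "%m/%d/%Y %H:%M:%S")
        except (KeyError, ValueError, TypeError):
            continue  # skip a malformed row instead of failing the whole check
        yield stamp, row.get("User-Name", ""), row.get("Network Device Group", "")


def normalize_user(name):
    """Drop a DOMAIN\\ prefix or @realm suffix and lower-case the result."""
    name = name.rsplit("\\", 1)[-1].split("@", 1)[0]
    return name.strip().lower()


def last_vpn_auth(text, username):
    """Most recent VPN authentication timestamp for username, or None."""
    want = normalize_user(username)
    latest = None
    for stamp, user, group in parse_passed_auths(text):
        # Exact match on the user column, so jsmith never matches jsmith2.
        if normalize_user(user) != want or group != VPN_TAG:
            continue
        if latest is None or stamp > latest:
            latest = stamp
    return latest


def likely_on_vpn(text, username, now, window=timedelta(hours=1)):
    """True when username passed a VPN authentication within `window` of `now`."""
    latest = last_vpn_auth(text, username)
    return latest is not None and (now - latest) <= window


if __name__ == "__main__":
    for user in ("jsmith", "CORP\\adoe", "jsmith2", "nobody"):
        print(user, likely_on_vpn(SAMPLE_LOG, user, NOW_SAMPLE))
```

In production the function would be fed the contents of Passed Authentications Active.csv read from the ACS host, and the clock-in handler would refuse when it returns True. The window should be at least as long as a VPN session can plausibly stay up without re-authenticating, otherwise a user who connected early in the day passes the check.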

An oversimplified schema of how I solved this problem:

If you need more details, let me know.