pix 6.3, aaa accounting

Answered Question
Feb 11th, 2007

Hi,

I'm trying to understand what the following command would do:

"aaa accounting include tcp/0 inside 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255 TACACS+"

(1.1.1.1 is any old host, 2.2.2.2 is the PIX)

I think I get "include" (create a new rule) & "tcp/0" (the rule specifies all tcp ports).

But 1.1.1.1 (which pix ios 6.3 doc calls local_ip -"host or network of hosts that you want to be authenticated or authorized") - I think that would be the clients. Is that right?

And 2.2.2.2 (called foreign_ip) is not clear at all. The doc calls this foreign_ip - "hosts you want to access the local_ip address". Given that I've defined 2.2.2.2 as the PIX, this seems to have the PIX accessing the clients. Yet if I flip the IP addresses, I get the PIX being the box I want to have authenticated, which also doesn't seem right...

Probably I'm completely missing what circumstances this would be used for. On my network, so far all we use AAA for is logging telnet access into devices, and logging the commands that are executed on the devices, but I know AAA is also used to allow users access to various things...

(the doc I'm looking at is http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1073208)

TIA - Linnea

Correct Answer by dominic.caron about 9 years 7 months ago

You got it!

dominic.caron Mon, 02/12/2007 - 07:39

Hi,

First...

aaa accounting is used with aaa authentication.

With aaa authentication include any inside (your inside host/mask) 0 0 tacacs+, all outgoing connections will be authenticated. local_IP is the source, foreign_IP is the destination.

Authentication will trigger with telnet, ssh, ftp, http and https traffic.

You can log the session data of authenticated users with the aaa accounting command. Use the same source and destination as the authentication command.

aaa accounting works only for http, https and ftp connections (only those will be sent to the tacacs server).

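A minimal PIX 6.3 fragment showing the source/destination roles described in the answer above (an added example, not from the original thread; the interface names, addresses, network mask and server key are assumed placeholders):

```text
: Added example. TACACS+ server on the inside interface; address and key are placeholders.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.10.10.5 SharedSecretKey timeout 5
: local_ip/local_mask = the source hosts (inside clients to be authenticated)
: foreign_ip/foreign_mask = the destination they connect to (0.0.0.0 0.0.0.0 = any)
: The PIX's own interface address appears in neither field.
aaa authentication include tcp/0 inside 10.10.20.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+
: Accounting reuses exactly the same source and destination as the authentication rule.
aaa accounting include tcp/0 inside 10.10.20.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS+
```
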
linnea.wren Mon, 02/12/2007 - 14:27

Hi Dominic,

Thanks.

This is what I get from your information:

There are 3 entities - Source, Destination, and, in between them, a device configured to do AAA.

Is that right?

If so, and the "between" device is a PIX, the foreign IP would NOT be the address of the PIX itself. Right?
