I have an FWSM version 3.1(8) installed in a Catalyst 6513 (with Sup720). It is configured in multiple context mode.
All the contexts (admin + user) initially have AAA authentication configured to authenticate CLI access against a TACACS+ server (ACS v3.2).
Users typically telnet to the Admin context, switch to system execution space, and from there switch to other contexts. The whole FWSM is under one common administrative control.
Lately I configured AAA Accounting on all the contexts to account for the commands executed by the users. It works. I can see the logs in TACACS+ Administration in the ACS.
I have the following concerns:
1. Can we enable AAA accounting for the system execution space? I notice AAA commands are not available there. This is to counter users who telnet to the Admin context, get authenticated, and then switch to the system execution space, and also the scenario whereby users log in to the switch and session into the FWSM. I need to authenticate and account for them against the same TACACS+ server.
2. How can I prevent users from sessioning into the FWSM from the switch CLI? I can think of changing the enable password of the system execution space; they would then be forced to execute the "login" command and be prompted for a username. Then again, I think the usernames are only kept in the local database, since we can configure AAA here.
Any suggestions are most welcome.