TACACS+ accounting issues on FWSM 3.1(11)

Apr 17th, 2009

Hi All,

I am having a problem with implementing TACACS+ on the FWSM 3.1(11). The issue is, I can add the command "aaa accounting command privilege 15 group-name" but after adding it I cannot see the username from the ACS server. The username displayed is "enable_15" but actually we are using an RSA token to log in to the FWSM. The RSA username is in the local database of the ACS. Also I cannot see any "show" commands that I have typed in the FWSM from the ACS.

The version of the ACS is v3.3 and the version of the FWSM is 3.1(11).

Anyone please help me.... Thanks a lot...

sthon-dbsys Mon, 04/20/2009 - 02:37

1. Are you in ena15 mode directly after login with your username on the FWSM?

2. If you have to do a separate "ena" login after your user login, it's normal that you only have the "enable_15" user in accounting.

3. You can also check what username appears if you make changes via the ASDM; there it should be your ASDM username.

I run into the same problem, but cannot find a working TACACS profile to get my user directly in ena15 mode after login.

sthon-dbsys Mon, 04/20/2009 - 06:56

I am not sure if the problem is really an accounting bug.

In my opinion, the accounting works fine, it's more a design problem.

If you log in, you are not in ena15 mode.

You have to change via "ena" into ena 15 mode and then the user is "enable_15", which is logged in the accounting file.

mbilgrav Mon, 04/20/2009 - 12:32


I ran into the problem once that account did not get recorded in ACS ver 4.1, but did on 4.2.

The packets hit the server's interface but never made it into the file on the hard drive.

I will suggest that you use the latest ACS version.

sthon-dbsys Tue, 04/21/2009 - 00:15

Sorry guys, we have NO problem forced by an accounting bug in this request.

We DO NOT talk about records not being accounted.

We talk about records being accounted, but in the accounting record there is every time the username "enable_15".

Jagdeep Gambhir Tue, 04/21/2009 - 12:56

Hi ,

If you want accounting to associate the username with commands (rather than simply username of enable15), you'll need this command:

aaa authentication enable console TACACS+



Do rate helpful posts
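
Added example, not part of the thread and not Cisco tooling: a small Python check for the situation described in the reply above, where command accounting is configured but enable is not authenticated per user, so accounting records carry "enable_15". The sample configurations are constructed; the server group name TACACS+ is taken from the command quoted in the reply, and the function name is hypothetical.

```python
# Added example: audit a firewall config for the enable_15 attribution gap.
# The sample configs below are constructed, not taken from the thread.
CONFIG_BEFORE = """\
aaa-server TACACS+ protocol tacacs+
aaa authentication ssh console TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
"""
CONFIG_AFTER = CONFIG_BEFORE + "aaa authentication enable console TACACS+\n"


def audit_enable_attribution(config):
    """Return a list of findings; an empty list means no gap was found."""
    acct_groups = []       # server groups receiving command accounting
    enable_methods = None  # methods on 'aaa authentication enable console'
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["aaa", "accounting", "command"] and len(tokens) > 3:
            acct_groups.append(tokens[-1])  # 'privilege <n>' is optional
        elif tokens[:4] == ["aaa", "authentication", "enable", "console"]:
            enable_methods = tokens[4:]
    findings = []
    # Accounting without per-user enable authentication is the gap.
    if acct_groups and not enable_methods:
        findings.append(
            "command accounting goes to %s but enable is not authenticated "
            "per user; records will carry the username enable_15"
            % ", ".join(acct_groups))
    return findings


def main():
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        result = audit_enable_attribution(cfg)
        print(name, "->", result or "OK")


if __name__ == "__main__":
    main()
```
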

Jagdeep Gambhir Tue, 04/21/2009 - 13:00

Firewall logs only those commands that change the configuration of the firewall.

So show commands will not show up, but if you make any changes they would surely be logged.

This is by design.

sthon-dbsys Tue, 04/21/2009 - 23:22

In bug K25224726 they only talk about ASA.

Is it the same issue for FWSM or is there another bug ID existing for FWSM?

I don't think if the problem in ASA OS will be fixed it will also be done for the FWSM OS.

sthon-dbsys Wed, 04/22/2009 - 02:47

Is there an existing bug ID which could be tracked?

Or in which releases should it be implemented?

Surya Dathan Mon, 04/27/2009 - 20:44

Hi JG,

Do you have any Cisco documents stating that "show" commands won't be logged in the ACS accounting file? If you have, please give me the link.

Appreciate your help.


Surya Dathan Wed, 04/22/2009 - 18:08

Hi JG,

Thanks a million for your valued comments. I will implement the above AAA command and will let you know the results.

By the way, do you know any Cisco documents that state that only config commands on FWSM will be logged to ACS? The reason is that I can then answer the customer with this supporting document.

Thanks a lot for your help..


