TACACS+ accounting issues on FWSM 3.1(11)

subhash.sharma
Level 1

Hi All,

I am having a problem with implementing TACACS+ on the FWSM 3.1(11). The issue is, I can add the command "aaa accounting command privilege 15 group-name", but after adding it I cannot see the username from the ACS server. The username displayed is "enable_15", but actually we are using an RSA token to log in to the FWSM. The RSA username is in the local database of the ACS. Also, I cannot see any "show" commands that I have typed in the FWSM from the ACS.

The version of the ACS is v3.3 and the version of the FWSM is 3.1(11).

Anyone please help me.... Thanks a lot...

15 Replies

sthon-dbsys
Level 1

1. Are you in ena15 mode directly after login with your username on the FWSM?

2. If you have to do a separate "ena" login after your user login, it's normal that you only have the "enable_15" user in accounting.

3. You can also check what username appears if you make changes via the ASDM; there it should be your ASDM username.

I ran into the same problem, but cannot find a working TACACS profile to get my user directly into ena15 mode after login.

networker99
Level 1

Isn't there an accounting bug with this version and in 4.1?

I am not sure if the problem is really an accounting bug.

In my opinion, the accounting works fine; it's more a design problem.

If you log in, you are not in ena15 mode.

You have to change via "ena" into ena15 mode, and then the user is "enable_15", which is logged in the accounting file.

Correct.

I ran into the problem once that accounting did not get recorded in ACS version 4.1, but did on 4.2.

The packets hit the server's interface but never made it into the file on the hard drive.

I would suggest that you use the latest ACS version.

Sorry guys, we have NO problem caused by an accounting bug in this request.

We are NOT talking about records not being accounted.

We are talking about records being accounted, but in the accounting record the username is every time "enable_15".

Hi ,

If you want accounting to associate the username with commands (rather than simply username of enable15), you'll need this command:

aaa authentication enable console TACACS+

Regards,

~JG

Do rate helpful posts
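To make the difference concrete, here is an added FWSM/ASA-style configuration sketch that is not from any poster in this thread: the left block reproduces the setup described above (TACACS+ login, local "enable", accounting shows enable_15), the right block adds the single line JG recommends. The server tag ACS, the interface name, the host address 192.0.2.10 and the shared secret are placeholders.

```cisco
! Added example, not the original poster's running config.
! Server tag, interface, host address and key are placeholders.
!
! --- Before: SSH login is authenticated against TACACS+, but the
! "enable" step falls back to the local enable password. The session
! identity becomes "enable_15", so every accounted command is
! attributed to that name instead of the RSA/TACACS+ user.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key <shared-secret>
aaa authentication ssh console ACS LOCAL
aaa accounting command privilege 15 ACS
!
! --- After: "enable" is also authenticated by the TACACS+ server,
! so the session keeps the TACACS+ username and the accounting
! records carry the real user. LOCAL is kept as a fallback so the
! box stays manageable if the ACS is unreachable.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key <shared-secret>
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa accounting command privilege 15 ACS
```

The value after "privilege" is the minimum privilege level of commands that generate accounting records, which is why only commands at or above level 15 appear on the ACS with this setting.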

The firewall logs only those commands that change the configuration of the firewall.

So "show" commands will not show up, but if you make any changes, those would surely be logged.

This is by design.

The firewall does not support exec authorization, so there is no way you can fall directly into enable mode.

http://www.ciscotaccc.com/security/showcase?case=K25224726

Regards,

~JG

Do rate helpful posts

In bug K25224726 they only talk about the ASA.

Is it the same issue for the FWSM, or is there another bug ID for the FWSM?

I don't think that if the problem is fixed in the ASA OS it will also be fixed in the FWSM OS.

This issue exists on all PIX, ASA & FWSM.

Is there an existing bug ID which could be tracked?

Or in which releases should it be implemented?

Hi JG,

Do you have any Cisco documents stating that "show" commands won't be logged to the ACS accounting file? If you have, please give me the link.

Appreciate your help.

Sub

Hi Jg,

Thanks a million for your valued comments. I will implement the above AAA command and will let you know the results.

By the way, do you know of any Cisco documents that state that only config commands on the FWSM will be logged to the ACS? The reason is that I can then answer the customer with this supporting document.

Thanks a lot for your help.

Subu
