Issues w/aaa accounting with FWSM and ACS SE

Unanswered Question
Jul 28th, 2009

I am trying to set up accounting from several FWSM contexts to a couple of (new) ACS servers. It generally works, but there are a few issues. This is the aaa configuration in the context I'm testing with:

aaa-server tacacs-auth protocol tacacs+
 reactivation-mode timed
 max-failed-attempts 2
aaa-server tacacs-auth (dept-outside) host 10.1.26.218
 key tacacs-secret
aaa-server tacacs-auth (dept-outside) host 10.1.26.219
 key tacacs-secret
aaa-server tacacs-acct protocol tacacs+
aaa-server tacacs-acct (dept-outside) host 10.1.26.219
 key tacacs-secret
aaa-server tacacs-acct (dept-outside) host 10.1.26.218
 key tacacs-secret
username local-admin password xxxxxxxx encrypted privilege 15
aaa authentication ssh console tacacs-auth LOCAL
aaa accounting command tacacs-acct
aaa accounting ssh console tacacs-acct
aaa accounting enable console tacacs-acct

The problems:

1. Although the "TACACS Accounting" and "Passed Authentications" logs show the correct username for the ssh sessions, the "TACACS Administration" log just shows "enable_15". What do I need to do to get the correct username in the Administration log?

2. In the "Failed Attempts" and "Passed Authentications" logs, the Caller ID attribute gives me the correct client IP address. But in the "TACACS Accounting" and "TACACS Administration" logs, this same attribute just shows up as 0.0.0.0. Is it possible to get the client IP address in these logs?

3. As you can see from the configuration above, I'm using the same servers for authentication and for accounting, but in the opposite order. However, my accounting info goes to the same server as my authentication requests. How do I determine why this is happening?

Also, is it possible to get command accounting to include show and enable commands?

Oh, yeah ... FWSM is 3.1(15) and ACS SE is 4.2.0.124.

Thanks.

Larry Owen

Jagdeep Gambhir Tue, 07/28/2009 - 09:35

Larry,

1) Please set up enable authentication to get the actual user name,

aaa authentication enable console tacacs-auth LOCAL

On ACS user setup you need to set up tacacs+ enable password.

3) Since you have defined both servers for authentication and accounting, i.e. 219 and 218, it is sending accounting to 218, as it is also defined as an accounting server and the firewall has it active.

Use only

aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret

Now auth should go to 218 and acc to 219.

Regards,

~JG

Do rate helpful posts
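Problem 3 in the question and the reply above both come down to the same thing: the two aaa-server groups list the same two hosts, so the accounting group's "preferred" host ordering does not guarantee where accounting ends up. The following is an added audit script (not from this thread, not a Cisco tool) that parses the aaa-server host lines and the aaa authentication/accounting lines of an FWSM/ASA-style context and flags any host shared between groups serving different roles. It assumes only the line forms quoted in the thread; the two sample configurations embedded below are constructed from the question's config and from the reply's suggested fix. Running it across every context is a quick way to confirm the split before looking at ACS logs again.

```python
import re
from collections import OrderedDict

# Constructed sample 1: the context configuration quoted in the question.
SAMPLE_CONFIG = """\
aaa-server tacacs-auth protocol tacacs+
 reactivation-mode timed
 max-failed-attempts 2
aaa-server tacacs-auth (dept-outside) host 10.1.26.218
 key tacacs-secret
aaa-server tacacs-auth (dept-outside) host 10.1.26.219
 key tacacs-secret
aaa-server tacacs-acct protocol tacacs+
aaa-server tacacs-acct (dept-outside) host 10.1.26.219
 key tacacs-secret
aaa-server tacacs-acct (dept-outside) host 10.1.26.218
 key tacacs-secret
aaa authentication ssh console tacacs-auth LOCAL
aaa accounting command tacacs-acct
aaa accounting ssh console tacacs-acct
aaa accounting enable console tacacs-acct
"""

# Constructed sample 2: the same context after applying the reply's fix
# (one dedicated host per group, key given on the same line).
FIXED_CONFIG = """\
aaa-server tacacs-auth protocol tacacs+
aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
aaa-server tacacs-acct protocol tacacs+
aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
aaa authentication ssh console tacacs-auth LOCAL
aaa accounting command tacacs-acct
"""

# "aaa-server <group> (<iface>) host <addr> ..." -- the only host form parsed here.
HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+\(([^)]+)\)\s+host\s+(\S+)")
ROLE_WORDS = {"authentication", "authorization", "accounting"}


def parse_server_groups(config):
    """Map each aaa-server group to its hosts in configured (preference) order."""
    groups = OrderedDict()
    for line in config.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            group, _iface, host = m.groups()
            groups.setdefault(group, []).append(host)
    return groups


def parse_group_roles(config):
    """Map each group to the aaa roles that reference it (a trailing LOCAL is ignored)."""
    roles = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "aaa" and tokens[1] in ROLE_WORDS:
            group = tokens[-2] if tokens[-1] == "LOCAL" else tokens[-1]
            roles.setdefault(group, set()).add(tokens[1])
    return roles


def find_shared_hosts(config):
    """Return {host: sorted list of groups} for every host that sits in more than one group."""
    by_host = {}
    for group, hosts in parse_server_groups(config).items():
        for host in hosts:
            by_host.setdefault(host, []).append(group)
    return {h: sorted(g) for h, g in by_host.items() if len(g) > 1}


def audit_aaa_groups(config):
    """Produce one finding per group plus one per host shared across roles."""
    roles = parse_group_roles(config)
    findings = []
    for group, hosts in parse_server_groups(config).items():
        role_list = ",".join(sorted(roles.get(group, {"unused"})))
        findings.append(f"group {group} ({role_list}): hosts in order {hosts}")
    for host, groups in sorted(find_shared_hosts(config).items()):
        distinct_roles = set()
        for g in groups:
            distinct_roles |= roles.get(g, set())
        if len(distinct_roles) > 1:
            findings.append(
                f"host {host} is shared by {groups} serving {sorted(distinct_roles)}"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_aaa_groups(cfg):
            print(" ", finding)
```

On the original configuration the audit lists both hosts as shared between an authentication group and an accounting group; on the fixed configuration it reports only the two groups with one host each and no shared-host findings.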
