PIX 515 RADIUS issue

Unanswered Question
Oct 25th, 2005

I have a PIX 515 running 6.3(4).

We have already had VPN running for a while in a test situation. I'm currently testing different RADIUS software to see which complies with our needs. The problem I experience is that when the PIX successfully authenticates a user, it won't send a "session start" or "session stop" to the RADIUS software. This causes some problems, since I cannot track how long a user has been connected.


I already looked into the aaa accounting settings, but I can only enable accounting for all IP traffic, or HTTP, FTP and Telnet. When I enable accounting for my 3 VPN subnets, our PIX creates new accounting sessions for every new TCP/IP session that is set up. In this case a user connecting via VPN causes a lot of individual sessions (because of WINS, DNS, NetBIOS, etc.). So this is not a solution I can use.


Could it be that I must upgrade to a higher OS version to fix this problem? I read 6.3(5) is out already, and 7.01 as well. I'm not sure, though, whether I'm permitted to upgrade to PIX OS 7 under my current license.

metzie_2022 Thu, 12/08/2005 - 00:47

I asked our PIX reseller to open a ticket with Cisco tech support about this issue. They told me that the feature I want to use (aaa sessions) is not implemented in PIX OS 6.x.x. It is implemented partially in PIX OS 7. So I'm going to upgrade. I'll report my findings when I'm done.

metzie_2022 Fri, 02/03/2006 - 06:16

I finally have it working. I have upgraded to PIX OS 7.04. This gives you a new command that you can apply to the tunnel-group general settings.


It's called accounting-server-group


When you apply this to the tunnel-group, it will send all tunnel-related accounting statistics to the specified aaa-server.
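
Added example, not part of the thread and not Cisco or RADIUS-vendor code: once the firewall sends one Accounting-Request Start and one Stop per tunnel, the RADIUS side can derive each user's connection time as below. It assumes the RFC 2866 attributes User-Name, Acct-Status-Type, Acct-Session-Id and Acct-Session-Time are present, it does not verify the Request Authenticator, and all function names and sample packets are constructed for illustration.

```python
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS code, RFC 2866
START, STOP = 1, 2                          # Acct-Status-Type values
TEXT_ATTRS = {1: "user", 44: "session_id"}  # User-Name, Acct-Session-Id
INT_ATTRS = {40: "status", 46: "seconds"}   # Acct-Status-Type, Acct-Session-Time

def parse_accounting(packet: bytes) -> dict:
    """Decode the attributes needed to track one session; reject malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    rec, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        atype, value = packet[pos], packet[pos + 2:pos + alen]
        if atype in TEXT_ATTRS:
            rec[TEXT_ATTRS[atype]] = value.decode("utf-8", "replace")
        elif atype in INT_ATTRS and alen == 6:
            rec[INT_ATTRS[atype]] = struct.unpack("!I", value)[0]
        pos += alen
    return rec

def session_durations(packets) -> dict:
    """Map (user, session_id) -> seconds for each Stop that matches an earlier Start."""
    open_sessions, done = set(), {}
    for pkt in packets:
        rec = parse_accounting(pkt)
        key = (rec.get("user"), rec.get("session_id"))
        if rec.get("status") == START:
            open_sessions.add(key)
        elif rec.get("status") == STOP and key in open_sessions:
            open_sessions.discard(key)
            done[key] = rec.get("seconds", 0)
    return done

def build(status: int, user: str, sid: str, seconds=None) -> bytes:
    """Constructed sample packet with a zeroed authenticator (test data only)."""
    attrs = [(1, user.encode()), (40, struct.pack("!I", status)), (44, sid.encode())]
    if seconds is not None:
        attrs.append((46, struct.pack("!I", seconds)))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = [build(START, "alice", "0x1a"), build(STOP, "alice", "0x1a", 3725)]
```

A Stop record with no matching Start is ignored rather than counted, so records lost or replayed on the accounting path do not inflate a user's connection time.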
