I would like to be able to have an audit trail for all changes to our firewall. I have set up the PIX to use aaa for authentication. Commands associated with the user ID are sent to the syslog server until I provide the enable password. Afterwards, all commands are associated with enable_15.
If I configure TACACS to allow enable access, I can get enable access and the user name is associated with the commands.
Can I have the user name associated with a command in syslog but use the generic enable command? I have PIX 6.2.2 and ACS 2.6. I used "Cisco - Authentication and Command Authorization for PIX 6.2" as a reference when setting this up.
I don't think it's possible to hide the privilege level from the user... at least I do not know of ways of doing this. The user can always issue the 'show curpriv' command and figure out his/her privilege level.
Thanks for the info but that is not what I am trying to do.
If I enter the command aaa authentication telnet console TACSERVER, a remote user needs a TACACS ID and password to get line access. The enable password is used to get enable access. In the syslog server, I can see the activities of the user until they run the enable command. All privilege 15 commands are associated with user enable_15. I would like the user to use the enable password but still have the syslog information associated with their ID.
If I enter the command aaa authentication enable console TACSERVER, I can have the user gain enable access with a password from the TACACS server. In this configuration, all privilege 15 commands are associated with the user name. This works and will probably be what I implement, but I was hoping to use a generic enable password.