I am trying to set up accounting from several FWSM contexts to a couple of (new) ACS servers. It generally works, but there are a few issues. This is the aaa configuration in the context I'm testing with:
aaa-server tacacs-auth protocol tacacs+
reactivation-mode timed
max-failed-attempts 2
aaa-server tacacs-auth (dept-outside) host 10.1.26.218
key tacacs-secret
aaa-server tacacs-auth (dept-outside) host 10.1.26.219
key tacacs-secret
aaa-server tacacs-acct protocol tacacs+
aaa-server tacacs-acct (dept-outside) host 10.1.26.219
key tacacs-secret
aaa-server tacacs-acct (dept-outside) host 10.1.26.218
key tacacs-secret
username local-admin password xxxxxxxx encrypted privilege 15
aaa authentication ssh console tacacs-auth LOCAL
aaa accounting command tacacs-acct
aaa accounting ssh console tacacs-acct
aaa accounting enable console tacacs-acct
The problems:
1. Although the "TACACS Accounting" and "Passed Authentications" logs show the correct username for the ssh sessions, the "TACACS Administration" log just shows "enable_15". What do I need to do to get the correct username in the Administration log?
2. In the "Failed Attempts" and "Passed Authentications" logs, the Caller ID attribute gives me the correct client ip address. But in the "TACACS Accounting" and "TACACS Administration" logs, this same attibute just shows up as 0.0.0.0. Is it possible to get the client ip address in these logs?
3. As you can see from the configuration above, I'm using the same servers for authentication and for accounting, but in the opposite order. However, my accounting info goes to the same server as my authentication requests. How do I determine why this is happening?
Also, is it possible to get command accounting to include show and enable commands?
Oh, yeah ... FWSM is 3.1(15) and ACS SE is 4.2.0.124.
Thanks.
Larry Owen