PIX6.3.5, ACS4.1, TACACS Administration EMPTY

pslavkovsky
Level 1

Hi,

I have configured authentication and authorization on PIX6.3.5, I use Cisco ACS4.1, but I do not have executed commands in "TACACS administration" log.

Can you help me?

Thanks

Peter

4 Replies

Jagdeep Gambhir
Level 10

Command accounting logs are stored in TACACS administration logs. Also there is a known issue on ver 4.1.1 and we need to apply patch ACS 4.1.1.23.5 to fix the issue.

Patch for appliance is available on

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

Patch name : ACS SE 4.1.1.23.5 accumulative patch

Patch for acs windows is available on

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

Patch Name : ACS 4.1.1.23.5 accumulative patch

Regards,

~JG

Do rate helpful posts

Thanks, I have the patch applied.

It looks like it is a problem of PIX configuration; I did not find a relevant accounting command for PIX 6.3.5.

Peter

Peter,

On PIX 6.x versions, AAA accounting for management traffic cannot be configured; only accounting for pass-through traffic is supported.

However, AAA accounting for management traffic as well as pass-through traffic is supported on PIX 7.x.

Regards,

~JG

Hi JG,

I configured AAA authentication and authorization in the firewall, but it works only for local username/password. PIX version 7.2(2) and ACS-SE 4.1.

Following is my configuration

XXX-PIX515(config)# sh run aaa-server
aaa-server VPN protocol radius
 accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
 key XXXX
aaa-server VPN host 172.20.20.12
 key XXXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
 key XXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group

Note: I also use the same ACS as a RADIUS server for my VPN access, and I added it as a RADIUS client with a different key. Moreover, I could not see any failed logs on ACS. It works fine with local authorization.

Can you tell me why I can't authenticate and authorize with the TACACS+ server?

Thanks in advance
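An audit script for the situation in this thread, added here as an example and not code from the thread or from Cisco: it parses the `aaa-server` and `aaa` statements of a PIX 7.x / ASA configuration and reports the conditions that leave the TACACS+ Administration log empty or that make a "works with local only" symptom hard to distinguish from a server problem. The sample configuration is constructed from the lines quoted above (group names, addresses and redacted keys as posted); the finding codes are the script's own. The checks rely on two documented behaviours: `aaa accounting command` only accepts a TACACS+ server group, and a trailing `LOCAL` means the device falls back to its local database when every server in the group is unreachable, in which case nothing reaches the ACS.

```python
"""Audit PIX 7.x / ASA management-plane AAA configuration for TACACS+ command accounting."""
import re

# Constructed sample: the statements quoted in the thread, indented as "show run" prints them.
SAMPLE_CONFIG = """\
aaa-server VPN protocol radius
 accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
 key XXXX
aaa-server VPN host 172.20.20.12
 key XXXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
 key XXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group
"""

GROUP_PROTO_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
GROUP_HOST_RE = re.compile(r"^aaa-server (\S+) host (\S+)")
AUTHN_RE = re.compile(r"^aaa authentication (\S+) console (\S+)( LOCAL)?$")
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)( LOCAL)?$")
ACCT_RE = re.compile(r"^aaa accounting command(?: privilege (\d+))? (\S+)$")


def parse_config(text):
    """Collect server groups and the management-plane aaa statements from config text."""
    cfg = {"groups": {}, "authentication": [], "authorization": [], "accounting": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_PROTO_RE.match(line)
        if m:
            cfg["groups"].setdefault(m.group(1), {"protocol": None, "hosts": []})
            cfg["groups"][m.group(1)]["protocol"] = m.group(2)
            continue
        m = GROUP_HOST_RE.match(line)
        if m:
            cfg["groups"].setdefault(m.group(1), {"protocol": None, "hosts": []})
            cfg["groups"][m.group(1)]["hosts"].append(m.group(2))
            continue
        m = AUTHN_RE.match(line)
        if m:  # (service, server group, LOCAL fallback present?)
            cfg["authentication"].append((m.group(1), m.group(2), bool(m.group(3))))
            continue
        m = AUTHZ_RE.match(line)
        if m:  # (server group, LOCAL fallback present?)
            cfg["authorization"].append((m.group(1), bool(m.group(2))))
            continue
        m = ACCT_RE.match(line)
        if m:  # privilege defaults to 0 (all commands) when not given
            cfg["accounting"].append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return cfg


def audit(cfg):
    """Return findings as (code, message) tuples; an empty list means nothing to flag."""
    findings = []
    groups = cfg["groups"]

    if not cfg["accounting"]:
        findings.append(("NO_CMD_ACCOUNTING",
                         "no 'aaa accounting command' statement: executed commands are never reported"))
    for _priv, group in cfg["accounting"]:
        g = groups.get(group)
        if g is None:
            findings.append(("UNKNOWN_GROUP", f"accounting references undefined server group {group}"))
        elif g["protocol"] != "tacacs+":
            findings.append(("ACCT_NOT_TACACS",
                             f"command accounting points at {group} ({g['protocol']}); "
                             "only a tacacs+ group can receive command records"))
        elif not g["hosts"]:
            findings.append(("GROUP_NO_HOST", f"server group {group} has no host configured"))

    # LOCAL fallback is legitimate, but it masks an unreachable server: logins still
    # succeed against the local database and no record reaches the ACS.
    for service, group, fallback in cfg["authentication"]:
        if group != "LOCAL" and fallback:
            findings.append(("LOCAL_FALLBACK",
                             f"authentication {service}: falls back to LOCAL when {group} is unreachable"))
    for group, fallback in cfg["authorization"]:
        if group != "LOCAL" and fallback:
            findings.append(("LOCAL_FALLBACK",
                             f"command authorization: falls back to LOCAL when {group} is unreachable"))

    # One server used by groups of different protocols: each key must match the
    # AAA-client definition on that server for the respective protocol.
    host_protos = {}
    for g in groups.values():
        for h in g["hosts"]:
            host_protos.setdefault(h, set()).add(g["protocol"])
    for h, protos in sorted(host_protos.items()):
        if len(protos) > 1:
            findings.append(("SHARED_SERVER",
                             f"{h} serves {sorted(protos)}: verify each key against the AAA-client entry"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{code}: {message}")
```

On the quoted configuration the script finds no structural defect in the accounting statement itself (it targets a tacacs+ group with a host), so it reports only the three LOCAL fallbacks and the shared server; that narrows the search to reachability and the key on 172.20.20.11, which is where the ACS's own failed-attempts log would normally show something if packets were arriving.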