Cisco Support Community
PIX6.3.5, ACS4.1, TACACS Administration EMPTY

Hi,

I have configured authentication and authorization on PIX 6.3.5 with Cisco ACS 4.1, but the executed commands do not appear in the "TACACS+ Administration" log.

Can you help me?

Thanks

Peter

4 REPLIES

Re: PIX6.3.5, ACS4.1, TACACS Administration EMPTY

Command accounting logs are stored in the TACACS+ Administration logs. Also, there is a known issue on version 4.1.1, and we need to apply patch ACS 4.1.1.23.5 to fix the issue.

Patch for appliance is available on

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

Patch name : ACS SE 4.1.1.23.5 accumulative patch

Patch for acs windows is available on

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

Patch Name : ACS 4.1.1.23.5 accumulative patch

Regards,

~JG

Do rate helpful posts


Re: PIX6.3.5, ACS4.1, TACACS Administration EMPTY

Thanks, I have applied the patch.

It looks like it is a problem of PIX configuration; I did not find a relevant accounting command for PIX 6.3.5.

Peter

Re: PIX6.3.5, ACS4.1, TACACS Administration EMPTY

Peter,

On PIX 6.x versions, AAA accounting for management traffic cannot be configured; only accounting for pass-through traffic is supported.

However, AAA accounting for management traffic as well as pass-through traffic is supported on PIX 7.x.

Regards,

~JG


Re: PIX6.3.5, ACS4.1, TACACS Administration EMPTY

Hi JG,

I configured AAA authentication and authorization in the firewall, but it works only with the local username/password. PIX version 7.2(2) and ACS-SE 4.1.

Following is my configuration:

XXX-PIX515(config)# sh run aaa-server
aaa-server VPN protocol radius
 accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
 key XXXX
aaa-server VPN host 172.20.20.12
 key XXXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
 key XXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group

Note: I also use the same ACS as a RADIUS server for my VPN access, and I added it as a RADIUS client with a different key. Moreover, I could not see any failed logs on ACS. It works fine with local authorization.

Can you tell me why I can't authenticate and authorize with the TACACS+ server?

Thanks in advance
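The points raised across this thread (command accounting feeding the TACACS+ Administration report, PIX 6.x lacking management-traffic accounting, and a LOCAL fallback that lets logins succeed without the server ever being reached) can be turned into a configuration check. The following is an added example, not code from the thread, from Cisco or from ACS: a small Python linter over the `aaa-server` and `aaa` lines of a PIX/ASA running-config. The sample config is constructed from the one posted above; the function names and the severity labels are the example's own.

```python
"""Audit the management-plane AAA lines of a PIX/ASA running-config.

Added example (not from the thread). It reports:
  * aaa statements that reference an undefined or host-less server group,
  * command authorization/accounting bound to a non-TACACS+ group,
  * a missing 'aaa accounting command' line (the usual reason the
    TACACS+ Administration report stays empty on 7.x),
  * PIX 6.x, where accounting for management traffic is not supported
    (as stated in the thread),
  * LOCAL fallback, which can mask an unreachable TACACS+ server.
"""
import re

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa-server VPN protocol radius
 accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
 key XXXX
aaa-server VPN host 172.20.20.12
 key XXXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
 key XXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) host (\S+)")
AUTHEN_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (LOCAL))?$")
ACCT_RE = re.compile(r"^aaa accounting command (?:privilege (\d+) )?(\S+)$")


def major_version(version_string):
    """'7.2(2)' -> 7, '6.3.5' -> 6."""
    return int(version_string.split(".")[0])


def parse_aaa(config):
    """Return (groups, authentication, authorization, accounting) parsed from config text."""
    groups = {}           # group name -> {"protocol": str or None, "hosts": [ip, ...]}
    authentication = {}   # console service (telnet/ssh/enable/...) -> (group, local_fallback)
    authorization = None  # (group, local_fallback) or None
    accounting = None     # (privilege level or None, group) or None
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            groups.setdefault(m[1], {"protocol": None, "hosts": []})["protocol"] = m[2].lower()
        elif m := HOST_RE.match(line):
            groups.setdefault(m[1], {"protocol": None, "hosts": []})["hosts"].append(m[2])
        elif m := AUTHEN_RE.match(line):
            authentication[m[1]] = (m[2], m[3] == "LOCAL")
        elif m := AUTHZ_RE.match(line):
            authorization = (m[1], m[2] == "LOCAL")
        elif m := ACCT_RE.match(line):
            accounting = (int(m[1]) if m[1] else None, m[2])
    return groups, authentication, authorization, accounting


def audit_aaa(config, pix_major):
    """Return a list of (severity, message) findings; severity is error/warn/info."""
    groups, authentication, authorization, accounting = parse_aaa(config)
    findings = []

    def group_protocol(name, purpose):
        grp = groups.get(name)
        if grp is None or grp["protocol"] is None:
            findings.append(("error", f"{purpose} references server group '{name}', which is not defined"))
            return None
        if not grp["hosts"]:
            findings.append(("error", f"server group '{name}' has no host configured"))
        return grp["protocol"]

    for service, (grp, fallback) in authentication.items():
        group_protocol(grp, f"{service} authentication")
        if fallback:
            findings.append(("info", f"{service} authentication falls back to LOCAL when '{grp}' is "
                                     "unreachable, so a working local login does not prove the TACACS+ "
                                     "server was contacted; check the server's failed-attempts log"))

    if authorization is None:
        findings.append(("warn", "no 'aaa authorization command' line: commands are not authorized by the server"))
    else:
        proto = group_protocol(authorization[0], "command authorization")
        if proto and proto != "tacacs+":
            findings.append(("error", f"command authorization requires a TACACS+ group; '{authorization[0]}' is {proto}"))

    if pix_major < 7:
        findings.append(("warn", "PIX 6.x supports AAA accounting only for pass-through traffic, not for "
                                 "management sessions, so the TACACS+ Administration report cannot be fed from it"))
    elif accounting is None:
        findings.append(("warn", "no 'aaa accounting command' line: executed commands are never reported, "
                                 "so the TACACS+ Administration report stays empty"))
    else:
        proto = group_protocol(accounting[1], "command accounting")
        if proto and proto != "tacacs+":
            findings.append(("error", f"command accounting requires a TACACS+ group; '{accounting[1]}' is {proto}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_aaa(SAMPLE_CONFIG, major_version("7.2(2)")):
        print(f"[{severity}] {message}")
```

Run against the posted configuration on 7.2(2), the only output is the informational note about LOCAL fallback, which matches the symptom in the last post: logins succeed locally and ACS shows no failed attempts, consistent with the TACACS+ group never being reached. Running the same config with a 6.x version produces the warning JG gave in prose.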
