I am having a problem with implementing TACACS+ on the FWSM 3.1(11). The issue is, I can add the command "aaa accounting command privilege 15 group-name", but after adding it I cannot see the username from the ACS server. The username displayed is "enable_15", but actually we are using an RSA token to log in to the FWSM. The RSA username is in the local database of the ACS. Also, I cannot see any "show" commands that I have typed on the FWSM from the ACS.
The version of the ACS is v3.3 and the version of the FWSM is 3.1(11).
Anyone please help me... Thanks a lot...
1. Are you in ena15 mode directly after login with your username on the FWSM?
2. If you have to do a separate "ena" login after your user login, it's normal that you only have the "enable_15" user in accounting.
3. You can also check what username appears if you make changes via the ASDM; there it should be your ASDM username.
I ran into the same problem, but cannot find a working TACACS profile to get my user directly into ena15 mode after login.
I am not sure if the problem is really an accounting bug.
In my opinion, the accounting works fine; it's more a design problem.
If you log in, you are not in ena15 mode.
You have to change to ena15 mode via "ena", and then the user is "enable_15", which is logged in the accounting file.
I ran into the problem once that accounting did not get recorded in ACS version 4.1, but it did on 4.2.
The packets hit the server's interface but never made it into the file on the hard drive.
I would suggest that you use the latest ACS version.
Sorry guys, we have NO problem caused by an accounting bug in this request.
We are NOT talking about records not being accounted.
We are talking about records being accounted, but the accounting record always shows the username "enable_15".
If you want accounting to associate the username with commands (rather than simply the username enable_15), you'll need this command:
aaa authentication enable console TACACS+
Do rate helpful posts
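As an added example (not posted by anyone in this thread), here is the FWSM AAA configuration that the reply above implies, showing the accounting line from the original question next to the enable-authentication line that keeps the TACACS+ username on the accounting records. The server group name ACS_GROUP, the interface name "inside", the ACS address 192.0.2.10, the shared key and the LOCAL fallback are assumptions for illustration.

```cisco
! Added example, not from this thread. Placeholders: server group ACS_GROUP,
! interface "inside", ACS address 192.0.2.10, shared key.
aaa-server ACS_GROUP protocol tacacs+
aaa-server ACS_GROUP (inside) host 192.0.2.10
 key <SHARED-SECRET-PLACEHOLDER>

! Login authentication against ACS (the RSA username lives in the ACS local
! database); LOCAL is an assumed fallback for when the server group is down.
aaa authentication ssh console ACS_GROUP LOCAL
aaa authentication serial console ACS_GROUP LOCAL

! Without this line a separate "enable" login is authenticated locally and
! every accounted command is attributed to the placeholder user "enable_15".
aaa authentication enable console ACS_GROUP LOCAL

! Accounting for privilege-15 commands (the line from the original question).
! As stated later in the thread, only commands that change the configuration
! are recorded; "show" commands do not appear in the ACS accounting file.
aaa accounting command privilege 15 ACS_GROUP
```

After applying the enable line, check an accounting record on the ACS for a configuration command and confirm it carries the RSA username instead of "enable_15".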
The firewall logs only those commands that change the configuration of the firewall.
So "show" commands will not show up, but if you make any changes, those would surely be logged.
This is by design.
The firewall does not support exec authorization, so there is no way you can fall directly into enable mode.
Do rate helpful posts
In bug K25224726 they only talk about the ASA.
Is it the same issue for the FWSM, or is there another bug ID existing for the FWSM?
I don't think that if the problem in the ASA OS is fixed it will also be done for the FWSM OS.
Do you have any Cisco documents stating that "show" commands won't be logged in the ACS accounting file? If you have, please give me the link.
Appreciate your help.
Thanks a million for your valued comments. I will implement the above AAA command and will let you know the results.
By the way, do you know any Cisco documents that state that only config commands on the FWSM will be logged to ACS? The reason is that I can then answer the customer with this supporting document.
Thanks a lot for your help.
Here is the bug,
Please rate helpful post