Cisco Support Community


TACACS+ accounting issues on FWSM 3.1(11)

Hi All,

I am having a problem implementing TACACS+ on the FWSM 3.1(11). The issue is that I can add the command "aaa accounting command privilege 15 group-name", but after adding it I cannot see the username from the ACS server. The username displayed is "enable_15", but we are actually using an RSA token to log in to the FWSM. The RSA username is in the local database of the ACS. Also, I cannot see any "show" commands that I have typed on the FWSM from the ACS.

The version of the ACS is v3.3 and the version of the FWSM is 3.1(11).

Anyone, please help me. Thanks a lot.

15 REPLIES

Re: TACACS+ accounting issues on FWSM 3.1(11)

1. Are you in ena15 mode directly after logging in with your username on the FWSM?

2. If you have to do a separate "ena" login after your user login, it's normal that you only have the "enable_15" user in accounting.

3. You can also check what username appears if you make changes via ASDM; there it should be your ASDM username.

I ran into the same problem, but cannot find a working TACACS profile to get my user directly into ena15 mode after login.


Re: TACACS+ accounting issues on FWSM 3.1(11)

Isn't there an accounting bug with this version and in 4.1?


Re: TACACS+ accounting issues on FWSM 3.1(11)

I am not sure if the problem is really an accounting bug.

In my opinion, the accounting works fine; it's more a design problem.

If you log in, you are not in ena15 mode.

You have to change via "ena" into ena15 mode, and then the user is "enable_15", which is logged in the accounting file.


Re: TACACS+ accounting issues on FWSM 3.1(11)

Correct.

I ran into the problem once that accounting did not get recorded in ACS 4.1, but did in 4.2.

The packets hit the server's interface but never made it into the file on the hard drive.

I would suggest that you use the latest ACS version.


Re: TACACS+ accounting issues on FWSM 3.1(11)

Sorry guys, we have NO problem caused by an accounting bug in this request.

We are NOT talking about records not being accounted.

We are talking about records that are accounted, but in the accounting record the username is every time "enable_15".

Re: TACACS+ accounting issues on FWSM 3.1(11)

Hi ,

If you want accounting to associate the username with commands (rather than simply the username enable_15), you'll need this command:

aaa authentication enable console TACACS+

Regards,

~JG

Do rate helpful posts
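To show where that line sits relative to the rest of the AAA configuration, here is a complete FWSM/ASA-style AAA block as an added example; it is not configuration from the original post or from Cisco documentation. The server-group name TACACS, the interface name inside, the host 10.0.0.5 and the shared key are placeholders (assumptions), and the group name must match whatever is used as the server tag in the accounting command.

```cisco
! Added example: route login, enable and command accounting through the
! same TACACS+ server group so every record carries the TACACS+ username.
! Group "TACACS", interface "inside", host 10.0.0.5 and the key are
! assumed placeholder values, not values from the original thread.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.0.0.5
 key <shared-secret>
 timeout 5
!
! Login authentication for SSH and the serial console; LOCAL is the
! fallback if the TACACS+ servers are unreachable.
aaa authentication ssh console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
!
! The line the thread is missing. Without it, "enable" is checked against
! the local enable password and the session is recorded as user
! "enable_15". With it, the enable request goes to TACACS+ and the
! TACACS+ username is kept for the accounting records that follow.
aaa authentication enable console TACACS LOCAL
!
! Optional per-command authorization, plus the command accounting
! the original poster already has (server tag must match the group).
aaa authorization command TACACS LOCAL
aaa accounting command privilege 15 TACACS
```

To verify the change, open a new SSH session, log in with the TACACS+ (RSA) username, type enable and supply the password that TACACS+ expects rather than the local enable password, run one configuration command, and confirm that the resulting record in ACS now shows that username instead of enable_15. Keep an existing session open while testing so a mistake in the enable line cannot lock you out.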

Re: TACACS+ accounting issues on FWSM 3.1(11)

The firewall logs only those commands that change the configuration of the firewall.

So show commands will not show up, but if you make any changes, those will surely be logged.

This is by design.

Re: TACACS+ accounting issues on FWSM 3.1(11)

The firewall does not support exec authorization, so there is no way you can land directly in enable mode.

http://www.ciscotaccc.com/security/showcase?case=K25224726

Regards,

~JG

Do rate helpful posts


Re: TACACS+ accounting issues on FWSM 3.1(11)

In bug K25224726 they only talk about the ASA.

Is it the same issue for the FWSM, or is there another bug ID existing for the FWSM?

I don't think that if the problem in the ASA OS is fixed it will also be done for the FWSM OS.

Re: TACACS+ accounting issues on FWSM 3.1(11)

This issue exists on all PIX, ASA & FWSM.


Re: TACACS+ accounting issues on FWSM 3.1(11)

Is there an existing bug ID which could be tracked?

Or in which releases should it be implemented?


Re: TACACS+ accounting issues on FWSM 3.1(11)

Hi JG,

Do you have any Cisco documents stating that "show" commands won't be logged to the ACS accounting file? If you have, please give me the link.

Appreciate your help.

Sub


Re: TACACS+ accounting issues on FWSM 3.1(11)

Hi Jg,

Thanks a million for your valued comments. I will implement the above AAA command and will let you know the results.

By the way, do you know of any Cisco document that states that only config commands on the FWSM will be logged to ACS? That way I can answer the customer with a supporting document.

Thanks a lot for your help..

Subu
