
AAA Command Accounting on PIX

bnidacoc
Level 1

On our routers we can perform user command accounting. For example, we can get a log of the commands users enter in the routers from our ACS box.

I haven't been successful in doing the same on the PIX. Instead, I've gotten all IP and layer-4 port activity in the logs. This is not what I want.

How can I get the accounting feature working to track the configuration changes made on our PIX? Help, URLs would be greatly appreciated.

Thanks

7 Replies

mpalardy
Level 3

Same problem here with PIXes. No way to log accounting with TACACS.

Have you tried Private-I and run the report "PIX configuration changes"?

Private-I? I've not heard of that.

I sure wish Cisco would reply to this.

Private I is a great software product published by one of Cisco's partners, Open Systems, www.opensystems.com. You can download an eval copy from there.

Its functionality and reporting features are far superior to any other product on the market. You should check it out.

Thanks

Looks like a nice product. It may be useful as a supplemental product to existing.

But it doesn't look like it is going to do TACACS+ accounting of configuration changes, most importantly, WHO has made what changes to the configuration. This is done easily on IOS routers and Ciscosecure ACS and commands for accounting are available in the PIX OS.

gbbromley
Level 1

Don't know if this would help, however:

"The aaa authentication [serial | telnet | ssh] console command allows you to require authentication verification to access the PIX Firewall unit via serial cable, telnet or ssh. The console options also logs to a syslog server changes made to the configuration."

Never tried it, maybe it will do what you want. I'll give it a try tonight and let you know ;)

jekrauss
Level 1

As the previous poster mentioned, the configuration commands can be viewed in the syslog. The PIX does not currently send accounting packets to the ACS server for administration of the PIX.

This is scheduled to be implemented in version 6.2, along with command authorization.

HTH

Jeff

Good!!! I can't wait. We were already desiring to go to 6.1.x (?) for the port redirection feature, so this will be an additional reason for an upgrade.

Thanks
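
The syslog route suggested in the replies above, as an added example that is not part of the thread and not Cisco's code: a small parser that turns firewall syslog into a "who ran what" record and flags entries that cannot be attributed or that change logging/AAA. The sample lines, addresses and user names are constructed, and the message ID 111008, its wording and the `enable_N` shared-account naming are assumptions not stated in the thread.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, not taken from the thread. The 111008 wording
# ("User '<name>' executed the '<command>' command") is an assumption based on
# Cisco's PIX/ASA syslog message reference; check it against your OS version.
SAMPLE_LOG = """\
Mar 12 09:14:02 10.1.1.1 %PIX-5-111007: Begin configuration: 10.1.1.50 reading from terminal
Mar 12 09:14:20 10.1.1.1 %PIX-5-111008: User 'jsmith' executed the 'access-list outside_in permit tcp any host 192.0.2.10 eq 443' command.
Mar 12 09:14:31 10.1.1.1 %PIX-5-111008: User 'jsmith' executed the 'write memory' command.
Mar 12 09:15:00 10.1.1.1 %PIX-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.7/80 to inside:10.1.1.20/3345
Mar 12 11:02:45 10.1.1.1 %PIX-5-111008: User 'enable_15' executed the 'no logging host inside 10.1.1.9' command.
Mar 12 11:03:10 10.1.1.1 %PIX-5-111005: 10.1.1.50 end configuration: OK
"""

CMD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<fw>\S+)\s+%PIX-\d-111008:\s+"
    r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.?\s*$")
# A shared privilege-level name cannot be tied to a person (assumed naming).
SHARED_RE = re.compile(r"^enable_\d+$")
# Commands that alter logging or AAA change the audit trail itself.
AUDIT_RE = re.compile(r"^(no |clear )?(logging|aaa)\b")


def parse_changes(text):
    """Return one record per executed-command message; ignore traffic logs."""
    records = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["shared_account"] = bool(SHARED_RE.match(rec["user"]))
        rec["touches_audit"] = bool(AUDIT_RE.match(rec["cmd"]))
        records.append(rec)
    return records


def commands_by_user(records):
    """Group commands per user, the 'who changed what' view."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["user"]].append((rec["ts"], rec["cmd"]))
    return dict(grouped)


if __name__ == "__main__":
    for rec in parse_changes(SAMPLE_LOG):
        flags = [k for k in ("shared_account", "touches_audit") if rec[k]]
        print(rec["ts"], rec["fw"], rec["user"], rec["cmd"], flags)
```

Records flagged `shared_account` are the ones where syslog alone cannot answer the "WHO" question raised in the thread.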
