Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

The user is unable to log user information in Cisco Secure ACS for Windows in RADIUS accounting logs for VPN Clients that terminate on the PIX 500 series Firewall



This document describes the issue where user is not able to get accounting logs.


What is Accounting?


AAA stands forAuthentication,Authorization,Accounting:


When an user enter his credentials the process happens in below mentioned way:


Authentication enables a way to identifying user, by making the user to enter valid credentials before access is granted. This process is based on criteria that every user have a unique set of conditions to fulfill inorder to gain access. AAA server checks the user's credentials stored in a database.User receives access to the network when the credential matches. If the credentials mismatch then the process of authentication fails and access to network is denied.


After authentication, user needs to gain authorization so that he/she could perform necessary tasks. Once the user gains access to a system, he/she might try running some commands. Here the process of authorization decides, is user authorized to run commands?

Authorization may be defined as the process where policies are enforced. This process determines:

  • What is the nature of activity
  • Resources provided to user
  • Services provided to user


When AAA is working Authorization follows authentication. Once the user is authenticated,authorization is checked which might be of different type for different level.


In the end Accounting from "AAA" starts the process of providing logs of the activites done by the user. Accounting logs the:

  • Session statistics
  • Usage information: later the information received through "Usage Information" is utilized for control, billing, Trend analysis
  • Utilization of Resources
  • Capacity planning activities



Core issue


RADIUS accounting for VPN Clients that terminate on PIX version 6.3 and earlier is currently not supported with Cisco Secure Access Control Server (ACS) for Windows. You can only log the information of the pass-through traffic on PIX versions later than 6.3.



The PIX does not account for the management traffic. It can send the information regarding authentication but not for the RADIUS accounting on ACS for Windows.
This is a limitation of PIX versions 6.3 and earlier, not of ACS for Windows. A feature request has been filed for this. However, no workaround is yet available.
For more information on the feature request, refer to Cisco bug ID CSCdu01327.