Engager

AAA Accounting on Cisco ASA

Hi,

I'll be configuring AAA on our FWs and need to confirm if this single command line for AAA accounting is enough to log the executed commands to ISE:

aaa accounting command <ISE-GROUP-NAME>

or just these two?

aaa accounting command privilege 1 <ISE-GROUP-NAME>
aaa accounting command privilege 15 <ISE-GROUP-NAME>

or all three lines?

aaa accounting command <ISE-GROUP-NAME>
aaa accounting command privilege 1 <ISE-GROUP-NAME>
aaa accounting command privilege 15 <ISE-GROUP-NAME>

 

6 REPLIES
VIP Advisor

Re: AAA Accounting on Cisco ASA

Hi there,

The two-line option is all that is required. If you included:

!
aaa accounting command <ISE-GROUP-NAME>
!

...this will record accounting messages for the default privilege level, which is 0.

What commands does that cover?

privilege level 0 — Includes the disable, enable, exit, help, and logout commands.

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html

Cheers,

Seb.

Hall of Fame Master

Re: AAA Accounting on Cisco ASA

Hi @johnlloyd_13

ASA may be enabled to log administrative user activities to a TACACS+ server group by:

aaa accounting ssh console <ISE-GROUP-NAME>
aaa accounting serial console <ISE-GROUP-NAME>
aaa accounting enable console <ISE-GROUP-NAME>

Command accounting sends info about each command executed, which includes the command, the date, and the username. The following adds to the previous configuration example to enable this accounting feature:

aaa accounting command <ISE-GROUP-NAME>

This sends accounting messages for any commands other than "show" commands. It can take an optional privilege keyword to specify the minimal privilege level; e.g. "aaa accounting command privilege 3 <ISE-GROUP-NAME>" will send command accounting records for those at level 3 or above, except for "show".

Engager

Re: AAA Accounting on Cisco ASA

Hi Marvin,

It seems like a lot of lines just to enable AAA accounting on an ASA FW.

Do you suggest I enable all these lines just to cover everything?

Also, will these enable AAA accounting for changes made in a context-based FW?

aaa accounting command <ISE-GROUP-NAME>
aaa accounting command privilege 1 <ISE-GROUP-NAME>
aaa accounting command privilege 15 <ISE-GROUP-NAME>
aaa accounting ssh console <ISE-GROUP-NAME>
aaa accounting serial console <ISE-GROUP-NAME>
aaa accounting enable console <ISE-GROUP-NAME>

Hall of Fame Master

Re: AAA Accounting on Cisco ASA

When you're running your ASA in multiple context mode, the aaa commands should be configured within each context (admin and other user contexts). They are not used in the system execution space.

Engager

Re: AAA Accounting on Cisco ASA

Hi Marvin,

How about for a non-context ASA FW? Do I enable ALL these AAA accounting lines?

Seems like overkill just for enabling/sending accounting commands.

aaa accounting command <ISE-GROUP-NAME>
aaa accounting command privilege 1 <ISE-GROUP-NAME>
aaa accounting command privilege 15 <ISE-GROUP-NAME>
aaa accounting ssh console <ISE-GROUP-NAME>
aaa accounting serial console <ISE-GROUP-NAME>
aaa accounting enable console <ISE-GROUP-NAME>

Hall of Fame Master

Re: AAA Accounting on Cisco ASA

Most people would just do #1 and #4.

The exhaustive list covers all use cases - whether or not they apply in your environment. Whether the firewall is operating in single or multiple context mode isn't germane.