11-20-2001 11:11 AM - edited 02-21-2020 09:58 AM
On our routers we can perform user command accounting. For example, we can get a log of the commands users enter in the routers from our ACS box.
I haven't been successful in doing the same on the PIX. Instead, I've gotten all IP and layer-4 port activity in the logs. This is not what I want.
How can I get the accounting feature working to track the configuration changes made on our PIX? Help, URLs would be greatly appreciated.
Thanks
11-23-2001 06:37 AM
Same problem here with PIX's. No way to log accounting with tacacs.
Have you tried Private-I and run the report "PIX configuration changes"?
11-26-2001 07:29 AM
Private-I? I've not heard of that.
I sure wish Cisco would reply to this.
11-27-2001 02:25 PM
Private I is a great software product published by one of Cisco's partners, Open Systems www.opensystems.com. You can download an eval copy from there.
Its functionality and reporting features are far superior to any other product on the market. You should check it out.
11-28-2001 05:35 AM
Thanks
Looks like a nice product. It may be useful as a supplemental product to existing.
But it doesn't look like it is going to do TACACS+ accounting of configuration changes, most importantly, WHO has made what changes to the configuration. This is done easily on IOS routers and Ciscosecure ACS and commands for accounting are available in the PIX OS.
11-28-2001 08:57 AM
Don't know if this would help, however:
"The aaa authentication [serial | telnet | ssh] console command allows you to require authentication verification to access the PIX Firewall unit via serial cable, telnet or ssh. The console options also logs to a syslog server changes made to the configuration."
Never tried it, maybe it will do what you want. I'll give it a try tonight and let you know ;)
11-28-2001 09:20 AM
As the previous poster mentioned, the configuration commands can be viewed in the syslog. The pix does not currently send accounting packets to the ACS server for administration of the pix.
This is scheduled to be implemented in version 6.2, along with command authorization.
HTH
Jeff
11-28-2001 09:47 AM
Good!!! I can't wait. We were already desiring to go to 6.1.x (?) for the port redirection feature, so this will be an additional reason for an upgrade.
Thanks