03-12-2003 04:21 PM - edited 03-10-2019 07:12 AM
I would like to be able to have an audit trail for all changes to our firewall. I have set up the PIX to use aaa for authentication. Commands associated with the user ID are sent to the syslog server until I provide the enable password. Afterwards, all commands are associated with enable_15.
If I configure TACACS to allow enable access, I can get enable access and the user name is associated with the commands.
Can I have the user name associated with a command in syslog but use the generic enable command? I have PIX6.2.2 and ACS2.6. I used "Cisco - Authentication and Command Authorization for PIX 6.2" as a reference setting this up.
03-18-2003 01:01 PM
I don't think it's possible to hide the privilege level from the user... at least I do not know of ways of doing this. The user can always issue the 'show curpriv' command and figure out his/her privilege level.
03-18-2003 01:36 PM
Thanks for the info but that is not what I am trying to do.
If I enter the command aaa authentication telnet console TACSERVER, a remote user needs a TACACS ID and password to get line access. The enable password is used to get enable access. In the syslog server, I can see the activities of the user until they run the enable command. All privilege 15 commands are associated with user enable_15. I would like the user to use the enable password but still have the syslog information associated with their ID.
If I enter the command aaa authentication enable console TACSERVER, I can have the user gain enable access with a password from the TACACS server. In this configuration, all privilege 15 commands are associated with the user name. This works and will probably be what I implement, but I was hoping to use a generic enable password.
Thanks
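The audit gap described in this thread (commands logged under the generic enable_15 user once the shared enable password is used) can be made visible on the syslog side. The script below is an added example, not something posted in the thread or shipped by Cisco: it parses the PIX "User 'x' executed the 'y' command." messages (message ID 111008) from a constructed sample log, separates commands that carry a real TACACS user name from those recorded as enable_15, and records the last named user who ran 'enable' as a best-guess attribution for the generic entries. The sample lines, the host name and the user names are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample PIX syslog lines (not taken from the thread). The message
# body follows PIX/ASA message 111008: User 'x' executed the 'y' command.
SAMPLE_LOGS = """\
Mar 18 13:01:10 pix %PIX-5-111008: User 'jsmith' executed the 'show version' command.
Mar 18 13:01:15 pix %PIX-5-111008: User 'jsmith' executed the 'enable' command.
Mar 18 13:01:20 pix %PIX-5-111008: User 'enable_15' executed the 'configure terminal' command.
Mar 18 13:01:25 pix %PIX-5-111008: User 'enable_15' executed the 'access-list outside_in permit tcp any host 10.1.1.1 eq www' command.
Mar 18 13:01:30 pix %PIX-5-111008: User 'enable_15' executed the 'write memory' command.
Mar 18 13:05:00 pix %PIX-5-111008: User 'mjones' executed the 'write memory' command.
"""

# Matches the 111008 message and captures the user and the command text.
CMD_RE = re.compile(r"%PIX-\d-111008: User '([^']+)' executed the '(.+)' command\.$")

# Name the PIX reports once the shared enable password has been used.
GENERIC_ENABLE_USER = "enable_15"


@dataclass
class CommandEvent:
    user: str                 # user name exactly as the PIX logged it
    command: str
    attributed: bool          # True when a named (TACACS) user is on record
    candidate: Optional[str]  # best-guess real user for a generic enable_15 entry


def parse_command_events(lines: List[str]) -> List[CommandEvent]:
    """Extract command events and tag each one as attributed or generic."""
    events: List[CommandEvent] = []
    last_enable_user: Optional[str] = None  # last named user seen running 'enable'
    for line in lines:
        m = CMD_RE.search(line)
        if not m:
            continue
        user, command = m.group(1), m.group(2)
        if user != GENERIC_ENABLE_USER:
            if command == "enable":
                last_enable_user = user
            events.append(CommandEvent(user, command, True, None))
        else:
            # Heuristic only: with several admin sessions open at once the
            # most recent 'enable' is not necessarily the same session.
            events.append(CommandEvent(user, command, False, last_enable_user))
    return events


def unattributed_commands(lines: List[str]) -> List[CommandEvent]:
    """Commands the audit trail cannot tie to a named user."""
    return [e for e in parse_command_events(lines) if not e.attributed]


def audit_summary(lines: List[str]) -> dict:
    """Counts of attributed vs. generic command records for a quick health check."""
    events = parse_command_events(lines)
    attributed = sum(1 for e in events if e.attributed)
    return {"attributed": attributed, "unattributed": len(events) - attributed}


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print(audit_summary(lines))
    for e in unattributed_commands(lines):
        guess = e.candidate or "unknown"
        print(f"{e.user}: '{e.command}' (probably {guess})")
```

Run against the sample, the summary shows three records with a named user and three recorded only as enable_15; the generic entries include the configuration and write memory commands, which are exactly the changes an audit trail needs to pin on a person. The candidate field is a heuristic and is only reliable when one administrator is logged in at a time, which is why the second configuration in the thread (enable authentication against TACACS) is the dependable way to get named attribution.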