
ASA accounting

mickyq
Beginner

I've set up accounting with ACS 5.3 so I can see when an admin logs in. This level uses AD for authentication.

When going to enable mode it uses the local account and the username changes to enable_15 in the logs. Is there any way to retain the original username when using the enable command?


Gagandeep Singh
Cisco Employee

This happens when we have command authorization enabled on ASA and try to run any level 15 commands on ASA.

I would suggest executing this command on the ASA:

aaa authentication enable console LOCAL

Regards

Gagan

PS: rate as correct if it helps!!!!

Hi Gagan

Thanks for your reply.

I tried that but it denies access at enable login.

Here is the aaa config:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host ACS1
aaa-server RADIUS protocol radius
aaa-server VPNINBOUND protocol radius
aaa-server VPNINBOUND (inside) host ACS1
aaa-server VPNINBOUND (inside) host ACS2
aaa authentication http console VPNINBOUND
aaa authentication telnet console VPNINBOUND
aaa authentication ssh console VPNINBOUND LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting command TACACS+

Thanks

Hello Michael,

Are you returning the proper attributes with the Authorization Profile in ACS? You need to set the privilege level in the authorization profile in order for this to work. Here is what I have on my end:

priv-lvl=15
max_priv_lvl=15

Here is also a snippet from my ASA config (you can ignore the authorization portion unless you want to do authorization on your end as well).

sh run aaa
aaa authentication ssh console NS-TACACS LOCAL
aaa authentication enable console NS-TACACS LOCAL
aaa authentication telnet console NS-TACACS LOCAL
aaa authentication http console NS-TACACS LOCAL
aaa authentication serial console NS-TACACS LOCAL
aaa authorization command NS-TACACS LOCAL
aaa accounting enable console NS-TACACS
aaa accounting serial console NS-TACACS
aaa accounting ssh console NS-TACACS
aaa accounting telnet console NS-TACACS
aaa accounting command privilege 15 NS-TACACS
aaa authorization exec authentication-server auto-enable

I hope this helps!

Thank you for rating helpful posts!
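As an added illustration (not code from the thread or from Cisco), the following script reads the text of `show run aaa` and reports the gaps the replies above point at: no `aaa authentication enable console` line referencing the TACACS+ group (so the session identity becomes enable_15), a method list that only contains LOCAL, references to undefined aaa-server groups, and the absence of `aaa authorization exec authentication-server auto-enable`. The sample inputs are constructed from the configs quoted in the thread.

```python
import re

# Constructed test input: the original poster's aaa section, as quoted above.
OP_AAA = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host ACS1
aaa-server VPNINBOUND protocol radius
aaa-server VPNINBOUND (inside) host ACS1
aaa authentication ssh console VPNINBOUND LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting command TACACS+
"""

# Constructed test input: the third reply's config, trimmed to the lines the check reads.
REPLY_AAA = """\
aaa-server NS-TACACS protocol tacacs+
aaa authentication ssh console NS-TACACS LOCAL
aaa authentication enable console NS-TACACS LOCAL
aaa accounting enable console NS-TACACS
aaa authorization exec authentication-server auto-enable
"""

AUTH_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
AUTO_ENABLE = "aaa authorization exec authentication-server auto-enable"

def parse_aaa(text):
    """Collect aaa-server groups, per-service authentication method lists, and the auto-enable flag."""
    groups, auth, auto_enable = {}, {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)
        elif m := AUTH_RE.match(line):
            auth[m.group(1)] = m.group(2).split()
        elif line == AUTO_ENABLE:
            auto_enable = True
    return groups, auth, auto_enable

def check_enable_identity(text):
    """Return findings explaining why accounting would log enable_15 instead of the admin's AD name."""
    groups, auth, auto_enable = parse_aaa(text)
    findings = []
    enable = auth.get("enable", [])
    if not enable:
        findings.append("enable: no 'aaa authentication enable console' line; the local enable password is used and accounting shows enable_15")
    elif not any(groups.get(g) == "tacacs+" for g in enable):
        findings.append("enable: method list %s has no TACACS+ group, so the ACS identity is not kept at enable" % enable)
    for svc, methods in auth.items():
        findings += ["%s: references undefined aaa-server group %s" % (svc, g) for g in methods if g != "LOCAL" and g not in groups]
    if not auto_enable:
        findings.append("missing '%s' (the working config above pairs it with priv-lvl=15 from ACS)" % AUTO_ENABLE)
    return findings
```

Running `check_enable_identity(OP_AAA)` reproduces the two gaps discussed in the thread, while the third reply's config yields no findings.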
