Re: HTTP Authentication on PIX - Syslog

shane · ‎05-04-2004

I have Pix 515 running 6.3.3. I am authenticating my users on port 80 to a windows 2000 active directory. I am capturing the data in a syslog but it does not send what username they entered. It only records IP address. Is there a way to capture who logs in by user name in Syslog.

ehirsel · ‎05-05-2004

You need to setup aaa accounting as well. It is done similar to defining a tacacs/radius server for user authentication. The user id, source and dest ip address info is sent in the accounting packet.

dthompson · ‎05-05-2004

So when you turn on AAA accounting it will send the http request with the username and the destination of where these people are going on the internet to a syslog server?

I assumed that the aaa accounting packet was in a TACACS or Radius packet not the syslog information.

ehirsel · ‎05-05-2004

The aaa accounting info will not be sent to the syslog server; only the aaa server. You may need to merge the info together - since most of it is redundant the aaa accounting info may be all that you need as it contains timestamps as well.

Amin-Al · ‎05-11-2004

Yes, you can see the user authentication in the syslog messages. Just make sure you set the syslog level to the right one (I think informational).

Amin