Hi,
I have Cisco ACS 3.3. I have a PIX 525, version 6.3(5). I have the PIX authenticating in TACACS, configured on the ACS box.
But the PIX logons don't appear in the TACACS Accounting log on the ACS box. I have a 6509 (CatOS) and a 3745 (IOS 12.3) doing TACACS authentication off the ACS box - for the 6509 & 3745, logon events DO appear in the TACACS Accounting log on the ACS box.
PIX logons DO appear in the Passed Authentications log in ACS.
Further, I would like to get commands done on the PIX to be logged on the ACS box. I've achieved this with the 6509 & the 3745.
I checked out "aaa accounting ..." on the PIX box. Did this:
aaa acc include telnet inside 0 0 TACACS+
Managed to log a user making a telnet connection to the outside (which is what documentation seemed to be saying, but one can hope...)
Here's the relevant part of the PIX running-config (w/out the aaa accoun... command from above - took it out since it didn't work):
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.10.1.231 <key> timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
In ACS, Interface Configuration, TACACS+ (Cisco), TACACS+ Services, I have check marks on PPP IP, Shell (exec), and PIX Shell (pixshell).
I looked in ACS for other things that might not be enabled, but couldn't recognize anything else as relevant.
Help?