02-11-2007 07:02 PM - edited 03-10-2019 02:58 PM
Hi,
I'm trying to understand what the following command would do:
"aaa accounting include tcp/0 inside 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255 TACACS+"
(1.1.1.1 is any old host, 2.2.2.2 is the PIX)
I think I get "include" (create a new rule) & "tcp/0" (the rule specifies all tcp ports).
But 1.1.1.1 (which pix ios 6.3 doc calls local_ip -"host or network of hosts that you want to be authenticated or authorized") - I think that would be the clients. Is that right?
And 2.2.2.2 (called foreign_ip) is not clear at all - The doc calls this foreign_ip - "hosts you want to access the local_ip address". Given that I've defined 2.2.2.2 as the PIX, this seems to have the PIX accessing the clients. Yet if I flip the IP addresses, I get the PIX being the box I want to have authenticated, which also doesn't seem right...
Probably I'm completely missing what circumstances this would be used for. On my network, so far all we use AAA for is logging telnet access into devices, and logging the commands that are executed on the devices, but I know AAA is also used to allow users access to various things...
(the doc I'm looking at is http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1073208)
TIA - Linnea
02-12-2007 07:39 AM
Hi,
First...
aaa accounting is used with aaa authentication.
With aaa authentication include any inside (your inside host/mask) 0 0 tacacs+, all outgoing connections will be authenticated. local_IP is the source, foreign_IP is the destination.
Authentication will trigger with telnet, ssh, ftp, http and https traffic.
You can log the session data of an authenticated user with the aaa accounting command. Use the same source and destination as the authentication command.
aaa accounting works only for http, https and ftp connections (only those will be sent to the tacacs server).
02-12-2007 02:27 PM
Hi Dominic,
Thanks.
This is what I get from your information:
There are 3 entities - Source, Destination, and, in between them, a device configured to do AAA.
Is that right?
If so, and the "between" device is a PIX, the foreign IP would NOT be the address of the PIX itself. Right?
02-12-2007 03:21 PM
You got it!
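To make the "local_ip is the source, foreign_ip is the destination" point from Dominic's answer and Linnea's three-entity summary concrete, here is a small added Python model. It is my own illustration, not Cisco code and not something posted in this thread: it parses a PIX 6.3 `aaa authentication` / `aaa accounting` line into its fields and reports which connections the rule's service and address spec would cover. The 10.0.0.0/24 inside network and the 198.51.100.1 destination are constructed sample values; the rule with 1.1.1.1 and 2.2.2.2 is the one from the question.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Service keywords from the thread: "any", or "proto/port" where port 0 means
# every port. The named keywords ftp/http/telnet map to their standard TCP ports.
NAMED_SERVICES = {"ftp": ("tcp", 21), "http": ("tcp", 80), "telnet": ("tcp", 23)}


@dataclass
class AaaRule:
    kind: str              # "authentication" or "accounting"
    action: str            # "include" or "exclude"
    proto: Optional[str]   # None = any protocol
    port: int              # 0 = every port of that protocol
    interface: str         # interface the connection arrives on, e.g. "inside"
    local: IPv4Network     # local_ip/local_mask   = SOURCE of the connection
    foreign: IPv4Network   # foreign_ip/foreign_mask = DESTINATION
    server_tag: str        # AAA server group, e.g. "TACACS+"


def _network(ip: str, mask: str) -> IPv4Network:
    """Build a network from a PIX ip/mask pair; a bare 0 means 0.0.0.0 (any host)."""
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ip_network(f"{ip}/{mask}", strict=False)


def parse_aaa(line: str) -> AaaRule:
    """Parse one 'aaa authentication|accounting include|exclude ...' line."""
    tok = line.strip().strip('"').split()
    if len(tok) != 10 or tok[0] != "aaa" or tok[1] not in ("authentication", "accounting"):
        raise ValueError(f"not a 10-token aaa authentication/accounting rule: {line!r}")
    _, kind, action, svc, iface, lip, lmask, fip, fmask, tag = tok
    if action not in ("include", "exclude"):
        raise ValueError(f"expected include/exclude, got {action!r}")
    if svc == "any":
        proto, port = None, 0
    elif svc in NAMED_SERVICES:
        proto, port = NAMED_SERVICES[svc]
    else:
        m = re.fullmatch(r"(tcp|udp)/(\d+)", svc)
        if not m:
            raise ValueError(f"unknown service spec {svc!r}")
        proto, port = m.group(1), int(m.group(2))
    return AaaRule(kind, action, proto, port, iface,
                   _network(lip, lmask), _network(fip, fmask), tag)


def matches(rule: AaaRule, iface: str, src_ip: str, dst_ip: str,
            proto: str, dport: int) -> bool:
    """Is this connection covered by the rule's interface, service and address spec?

    The source is checked against local_ip and the destination against
    foreign_ip. Ordering between include and exclude rules is not modelled here.
    """
    if rule.interface != iface:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.port != 0 and rule.port != dport:
        return False
    return ip_address(src_ip) in rule.local and ip_address(dst_ip) in rule.foreign


# The rule from the question: only connections FROM 1.1.1.1 TO 2.2.2.2 are covered.
QUESTION_RULE = parse_aaa(
    "aaa accounting include tcp/0 inside 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255 TACACS+"
)
# Dominic's shape, with a constructed inside network: every outgoing connection
# from 10.0.0.0/24 to anywhere is authenticated.
ANY_RULE = parse_aaa("aaa authentication include any inside 10.0.0.0 255.255.255.0 0 0 tacacs+")

if __name__ == "__main__":
    print(matches(QUESTION_RULE, "inside", "1.1.1.1", "2.2.2.2", "tcp", 23))   # True
    print(matches(QUESTION_RULE, "inside", "2.2.2.2", "1.1.1.1", "tcp", 23))   # False
    print(matches(ANY_RULE, "inside", "10.0.0.7", "198.51.100.1", "tcp", 443))  # True
```

Running it shows why the original command reads oddly: with 2.2.2.2 as foreign_ip, the only connections the rule covers are those going to 2.2.2.2, so if 2.2.2.2 is the PIX itself, traffic passing through the PIX to other hosts is not covered at all. The PIX is the device in the middle; local_ip and foreign_ip describe the two ends of the connection it is inspecting.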