04-17-2009 12:39 AM - edited 03-10-2019 04:26 PM
Hi All,
I am having a problem with implementing TACACS+ on the FWSM 3.1(11). The issue is, I can add the command "aaa accounting command privilege 15 group-name", but after adding it I cannot see the username from the ACS server. The username displayed is "enable_15", but actually we are using an RSA token to log in to the FWSM. The RSA username is in the local database of the ACS. Also, I cannot see any "show" commands that I have typed in the FWSM from the ACS.
The version of the ACS is v3.3 and the version of the FWSM is 3.1(11).
Can anyone please help me? Thanks a lot.
04-20-2009 02:37 AM
1. Are you in ena15 mode directly after login with your username on the FWSM?
2. If you have to do a separate "ena" login after your user login, it's normal that you only have the "enable_15" user in accounting.
3. You can also check what username appears if you make changes via the ASDM; there it should be your ASDM username.
I ran into the same problem, but cannot find a working TACACS profile to get my user directly into ena15 mode after login.
04-20-2009 05:24 AM
Isn't there an accounting bug with this version and in 4.1?
04-20-2009 06:56 AM
I am not sure if the problem is really an accounting bug.
In my opinion the accounting works fine; it's more a design problem.
If you log in, you are not in ena15 mode.
You have to change via "ena" into ena15 mode, and then the user is "enable_15", which is logged in the accounting file.
04-20-2009 12:32 PM
Correct.
I ran into the problem once that accounting did not get recorded in ACS 4.1, but did on 4.2.
The packets hit the server's interface but never made it into the file on the hard drive.
I would suggest that you use the latest ACS version.
04-21-2009 12:15 AM
Sorry guys, we have NO problem caused by an accounting bug in this request.
We are NOT talking about records not being accounted.
We are talking about records being accounted, but the username in the accounting record is every time "enable_15".
04-21-2009 12:56 PM
Hi,
If you want accounting to associate the username with commands (rather than simply the username enable_15), you'll need this command:
aaa authentication enable console TACACS+
Regards,
~JG
Do rate helpful posts
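As an added example (not posted in this thread and not taken from Cisco's documentation), the FWSM/ASA-style AAA fragment below puts the configuration the original poster describes next to the one the reply above suggests. The server-group name "ACS", the host 192.0.2.10, the key and the interface name are placeholders.

```text
! Constructed example. Placeholders: server group "ACS", host 192.0.2.10,
! shared key "s3cret", interface "inside".
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key s3cret

! As described in the original post: SSH login is authenticated by TACACS+,
! but the "enable" step is still checked against the local enable password.
! Once the user types "enable", the session identity becomes the generic
! "enable_15", so every command accounting record carries that name
! instead of the user who actually logged in.
aaa authentication ssh console ACS LOCAL
aaa accounting command privilege 15 ACS

! With the command suggested above: "enable" is also authenticated against
! the TACACS+ group, so the login username survives into enable mode and is
! the one sent in the accounting records. The ACS user account must be
! allowed to reach privilege 15 for this to succeed.
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa accounting command privilege 15 ACS

! Optional: have ACS authorize each command as well, falling back to the
! local database if the TACACS+ servers are unreachable.
aaa authorization command ACS LOCAL
```

The "15" in the accounting line is the minimum privilege level that is accounted; commands whose privilege level is below it are not sent to ACS at all, so when checking what does and does not appear in the ACS accounting file it is worth verifying the privilege level of the commands in question, not only the username.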
04-21-2009 01:00 PM
The firewall logs only those commands that change the configuration of the firewall,
so show commands will not show up, but if you make any changes they will surely be logged.
This is by design.
04-21-2009 01:03 PM
The firewall does not support exec authorization, so there is no way you can fall directly into enable mode.
http://www.ciscotaccc.com/security/showcase?case=K25224726
Regards,
~JG
Do rate helpful posts
04-21-2009 11:22 PM
In bug K25224726 they only talk about the ASA.
Is it the same issue for the FWSM, or is there another bug ID for the FWSM?
I don't think that if the problem in the ASA OS is fixed it will also be done for the FWSM OS.
04-22-2009 01:23 AM
This issue exists on all PIX, ASA & FWSM.
04-22-2009 02:47 AM
Is there an existing bug ID which could be tracked?
Or in which releases should it be implemented?
04-27-2009 08:44 PM
Hi JG,
Do you have any Cisco documents stating that "show" commands won't be logged to the ACS accounting file? If you have, please give me the link.
Appreciate your help.
Sub
04-22-2009 06:08 PM
Hi JG,
Thanks a million for your valued comments. I will implement the above AAA command and will let you know the results.
By the way, do you know of any Cisco documents that state that only config commands on the FWSM will be logged to ACS? The reason is that I can then answer the customer with this supporting document.
Thanks a lot for your help.
Subu
04-27-2009 08:37 PM