
AAA Accounting on Cisco ASA

johnlloyd_13
Level 9

Hi,

I'll be configuring AAA on our FWs and need to confirm if this single command line for AAA accounting is enough to log the executed commands to ISE:

aaa accounting command <ISE-GROUP-NAME>

or just these two?

aaa accounting command privilege 1 <ISE-GROUP-NAME>
aaa accounting command privilege 15 <ISE-GROUP-NAME>

or all three lines?

aaa accounting command <ISE-GROUP-NAME>
aaa accounting command privilege 1 <ISE-GROUP-NAME>
aaa accounting command privilege 15 <ISE-GROUP-NAME>

6 Replies

Seb Rupik
VIP Alumni

Hi there,

The two-line option is all that is required. If you included:

!
aaa accounting command <ISE-GROUP-NAME>
!

...this will record accounting messages for the default privilege level, which is 0.

What commands does that cover?

privilege level 0 — Includes the disable, enable, exit, help, and logout commands.

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/23383-showrun.html

Cheers,

Seb.

Marvin Rhoads
Hall of Fame

Hi @johnlloyd_13

ASA may be enabled to log administrative user activities to a TACACS+ server group by:

aaa accounting ssh console <ISE-GROUP-NAME>
aaa accounting serial console <ISE-GROUP-NAME>
aaa accounting enable console <ISE-GROUP-NAME>

Command accounting sends info about each command executed, which includes the command, the date, and the username. The following adds to the previous configuration example to enable this accounting feature:

aaa accounting command <ISE-GROUP-NAME>

This sends accounting messages for any commands, other than "show" commands. It can take an optional privilege keyword to specify the minimal privilege level; e.g. "aaa accounting command privilege 3 <ISE-GROUP-NAME>" will send command accounting records for those in Level 3 or above, except for "show".

Hi Marvin,

It seems like a number of lines just to enable AAA accounting on an ASA FW.

Do you suggest I enable all these lines just to cover everything?

Also, will these enable AAA accounting for changes made in a context-based FW?

aaa accounting command <ISE-GROUP-NAME>
aaa accounting command privilege 1 <ISE-GROUP-NAME>
aaa accounting command privilege 15 <ISE-GROUP-NAME>
aaa accounting ssh console <ISE-GROUP-NAME>
aaa accounting serial console <ISE-GROUP-NAME>
aaa accounting enable console <ISE-GROUP-NAME>

When you're running your ASA in multiple context mode, the aaa commands should be configured within each context (admin and other user contexts). They are not used in the system execution space.

Hi Marvin,

How about for a non-context ASA FW? Do I enable ALL these AAA accounting lines?

Seems like overkill just for enabling/sending accounting commands.

aaa accounting command <ISE-GROUP-NAME>
aaa accounting command privilege 1 <ISE-GROUP-NAME>
aaa accounting command privilege 15 <ISE-GROUP-NAME>
aaa accounting ssh console <ISE-GROUP-NAME>
aaa accounting serial console <ISE-GROUP-NAME>
aaa accounting enable console <ISE-GROUP-NAME>

Most people would just do #1 and #4.

The exhaustive list covers all use cases - whether or not they apply in your environment. Whether the firewall is operating in single or multiple context mode isn't germane.
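To make the "just #1 and #4" answer concrete, here is an added example of a complete single-context ASA configuration that defines the TACACS+ server group and turns on command and SSH session accounting against it. This is not from the original thread or from Cisco: the group name ISE-TACACS, the interface name inside, the address 192.0.2.10 and the key are made-up placeholders that must be replaced with your own values.

```text
! Define the TACACS+ server group that the accounting lines reference.
! ISE-TACACS, "inside", 192.0.2.10 and <shared-secret> are made-up placeholders.
aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (inside) host 192.0.2.10
 key <shared-secret>

! Line #1 from the thread: command accounting. Per the ASA command reference
! the optional "privilege" keyword is a minimum level and defaults to 0, so
! this one line covers commands at level 0 and above; separate "privilege 1"
! and "privilege 15" lines are not needed to cover levels 1 through 15.
aaa accounting command ISE-TACACS

! Line #4 from the thread: start/stop accounting for administrative SSH sessions.
aaa accounting ssh console ISE-TACACS

! Check that the group is defined and the lines made it into the running config.
show aaa-server ISE-TACACS
show running-config aaa
```

After applying this, log in over SSH, run a non-show command such as a harmless configuration change, and confirm that ISE shows both a session record and a per-command accounting record carrying the username before relying on it for audit.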
