AAA Accounting

Status
Not open for further replies.

don1907

IS-IT--Management
Dec 14, 2006
33
US
I wish to set up accounting on our pix 515e firewall. We are running 6.3(3). What is the proper aaa accounting command to get full logging to show in the ISA logs? Listed below is the aaa section on the PIX

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server EPA-RADIUS protocol radius
aaa-server EPA-RADIUS (inside) host xxx.xxx.xx.xx p1xrad1u5 timeout 10
aaa authentication ssh console LOCAL
 
logging on
logging timestamp
logging standby
logging console critical
logging monitor debugging
logging buffered debugging
logging trap informational
logging history informational
logging queue 3000
logging host inside x.x.x.x/1468
 
I have added the following lines, and the sections on the pix look like

logging on
logging timestamp
logging standby
logging console critical
logging monitor debugging
logging buffered debugging
logging trap informational
logging history informational
logging queue 3000

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server EPA-RADIUS protocol radius
aaa-server EPA-RADIUS (inside) host 192.168.30.xx p1xrad1u5 timeout 10
aaa authentication ssh console LOCAL

but the ias log file shows only the connect time, no other information, such as IP, disconnect or time spent thru the pix vpn client
 
I see that you have aaa authentication configured, but not aaa accounting. Set that up and you should be on your way.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
What is the proper command line to use for aaa accounting? I am fairly new to PIX
 
I want for you to take a look at the following link. Try to get it set up for yourself and if you have problems post back and we'll help you further. Nobody learns from other people doing ;-)


I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
All our users are using VPN from the outside to resources on the LAN. Does this command make any sense?

aaa accounting include any inbound 0 0 0 0 TACACS+
 
Yes. So any inbound connections from any remote host will be logged to the TACACS+ server

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I added aaa accounting include any inbound 0 0 0 0 TACACS+ to the pix and then received a message
No authentication servers found!
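
An added example, not part of the original post: a small lint that checks whether every server group named by an aaa command has a host entry. In the quoted config only EPA-RADIUS does, while the accounting command names TACACS+. The function name, the placeholder host address and key, and the reading that the group tag is the last token of the command are assumptions.

```python
# Constructed sample: the AAA lines quoted in the thread plus the accounting
# command added later. Host address and key are placeholders.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server EPA-RADIUS protocol radius
aaa-server EPA-RADIUS (inside) host 192.0.2.10 <shared-secret> timeout 10
aaa authentication ssh console LOCAL
aaa accounting include any inbound 0 0 0 0 TACACS+
"""

AAA_KINDS = {"authentication", "authorization", "accounting"}


def lint_aaa_groups(config_text):
    """Return (command, problem) pairs for aaa commands whose server group cannot be used."""
    protocols = {}    # group tag -> protocol named on its "protocol" line
    host_counts = {}  # group tag -> number of "host" lines
    uses = []         # (full command, group tag it references)
    for raw in config_text.splitlines():
        tok = raw.split()
        if len(tok) >= 4 and tok[0] == "aaa-server" and tok[2] == "protocol":
            protocols[tok[1]] = tok[3].lower()
        elif len(tok) >= 5 and tok[0] == "aaa-server" and tok[3] == "host":
            host_counts[tok[1]] = host_counts.get(tok[1], 0) + 1
        elif len(tok) >= 3 and tok[0] == "aaa" and tok[1] in AAA_KINDS:
            # Assumption: the server group tag is the last token of the command.
            uses.append((" ".join(tok), tok[-1]))

    findings = []
    for command, group in uses:
        if group not in protocols:
            findings.append((command, f"group {group} is not defined"))
        elif protocols[group] != "local" and host_counts.get(group, 0) == 0:
            # The local user database needs no host line; remote groups do.
            findings.append((command, f"group {group} has no host entry"))
    return findings


if __name__ == "__main__":
    for command, problem in lint_aaa_groups(SAMPLE_CONFIG):
        print(f"{command}\n  -> {problem}")
```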
 
IAS does radius and not TACACS. Additionally, IAS doesn't support accounting, only authentication. Sounds like you need ACS.
 
Unclerico please show me where it supports command accounting. Yes, it has accounting showing logoff and log on, but heck the IAS logs show that.
 