Command accounting in PIX

Hi:
I want to use something like "command accounting" in PIX 525; I mean I want to know what commands were executed or typed by the administrator.
Does anybody know if it is possible in PIX? My PIX version is 6.3.3.
Thank you.

I could find the following information for ver 6.2. I guess it is applicable to 6.3 too. http://www.cisco.com/warp/public/110/pix_command.shtml#accounting Basically, actual command accounting is not available. However, you can generate some sort of a record using syslog.
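
The syslog workaround mentioned in the reply above, as an added example that is not part of the original thread: a parser that turns "user executed command" syslog messages into a per-administrator record and separates out entries logged under a shared identity. The message ID 111008, both message layouts, the `enable_1`/`enable_15` shared identities and all sample lines are assumptions or constructed values; check them against what your PIX version actually logs.

```python
import re
from collections import defaultdict

# Constructed sample lines, not taken from the thread. The two layouts of
# message 111008 below are assumptions; compare with what your PIX logs.
SAMPLE_LOG = """\
Mar 03 2005 10:14:02 fw1 : %PIX-5-111008: User 'enable_15' executed the 'configure terminal' command.
Mar 03 2005 10:14:09 fw1 : %PIX-5-111008: User 'jdoe' executed the 'no access-list outside_in' command.
Mar 03 2005 10:14:11 fw1 : %PIX-6-302013: Built outbound TCP connection 1 for outside:192.0.2.10/80
Mar 03 2005 10:15:30 fw1 : %PIX-5-111008: User 'jdoe' executed the 'write memory' command.
Mar 03 2005 10:16:00 fw1 : %PIX-5-111008: User jdoe executed the command clear logging
"""

MSG_RE = re.compile(r"^(?P<prefix>.*?)%PIX-\d-111008:\s+User\s+(?P<body>.+)$")
QUOTED_RE = re.compile(r"^'(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.?$")
PLAIN_RE = re.compile(r"^(?P<user>\S+) executed the command (?P<cmd>.+)$")

# Names the firewall reports when nobody logged in with a personal account
# (assumed defaults: enable password only, no per-user authentication).
SHARED_IDENTITIES = {"enable_1", "enable_15"}


def parse_command_events(text):
    """Return one dict per 'user executed command' message, in log order."""
    events = []
    for line in text.splitlines():
        msg = MSG_RE.match(line.strip())
        if not msg:
            continue  # some other syslog message ID
        body = msg.group("body").strip()
        hit = QUOTED_RE.match(body) or PLAIN_RE.match(body)
        if not hit:
            continue  # 111008 in a layout this parser does not know
        events.append({
            "when_host": msg.group("prefix").rstrip(" :"),
            "user": hit.group("user"),
            "command": hit.group("cmd").strip(),
        })
    return events


def commands_by_user(events):
    """Group commands per administrator: the 'who typed what' record."""
    trail = defaultdict(list)
    for ev in events:
        trail[ev["user"]].append(ev["command"])
    return dict(trail)


def unattributed(events):
    """Events logged under a shared identity, i.e. not tied to a person."""
    return [ev for ev in events if ev["user"] in SHARED_IDENTITIES]


if __name__ == "__main__":
    evs = parse_command_events(SAMPLE_LOG)
    for user, cmds in commands_by_user(evs).items():
        print(user, cmds)
    print("shared-identity events:", len(unattributed(evs)))
```

Entries returned by `unattributed` show where the syslog record cannot replace real command accounting: they say what was typed, but not by whom.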

Similar Messages

  • Command Accounting Failure on my PIX

    Hi,
    I am configuring my PIX ver 7.2(2) for command accounting using the "aaa accounting command" command but I am not able to see any accounting information on my ACS 4.1 build 23 server!
    Although authentication for this PIX is working just fine and the accounting is also working perfectly for other IOS devices, accounting for the PIX is not giving any results when browsing to the TACACS+ administration page!!
    I am posting the PIX show-tech for your reference!
    Appreciate your support here!
    BR,
    Haitham

    Hi Rohit,
    Thank you so much, you were absolutely right. The accounting problem was due to the bug CSCsg97429 and the problem was resolved after applying the patch: applAcs-4.1.1.23.1.zip
    Thanks,
    Haitham

  • Accounting on PIX

    Hello,
    Guys, I am trying to implement ONLY accounting on PIX. The main purpose is only to log the commands/changes made on the PIX by users. But I am unable to find any sort of configuration which does this. I have tried capturing Telnet on the local interface but it never works for PIX command logging. Can anybody help here?

    Command Accounting only came into the PIX in the recently released v7.0, so if you're not running that then forget about trying to find it anywhere.
    After upgrading to v7.0 check out the following link:
    http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/ab.htm#wp1329971
    FYI, v7.0 software is available here (make sure you thoroughly read and understand the upgrade guide before doing the upgrade):
    http://www.cisco.com/cgi-bin/tablebuild.pl/pix

  • Unlock user account on PIX v7.0

    How do you unlock a PIX local database user account in PIX v7? You can set the account to lock after a set number of failed password attempts, but I can’t seem to unlock the account. From the CLI, you can display the number of failed attempts and when the account was locked. There doesn’t seem to be a command to unlock the account; the only fix I have is to delete the account then recreate it

    clear aaa local user lockout {username name | all}
    http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008045277a.html#wp1912560

  • Command accounting w/ RADIUS

    Not having much luck getting this to work and searching the forums here everybody seems to say it is not possible unless TACACS+ is used. Is this still the case? I see the AAA/ACCT/CMD in the debug on the local switch but the RADIUS server never receives the data string except for the authentication entry.
    Any way to re-classify the AAA/ACCT/CMDs and send in a syslog trap/log?
    Looking for creative solutions here, TACACS+ is not available in this case.
    Thanks

    Hi,
    Unfortunately you can not log any AAA information to syslog.
    Now you may ask why the IOS CLI allows command accounting via RADIUS to be configured when it is not supported. Well, this is indeed an IOS caveat which is described in CSCdp57020 'parser should not show radius as an aaa accounting commands option' and resolved in 12.2 based IOS trains (ref. Bug Toolkit on Cisco.com).
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCdp57020
    Regards,
    ~JG
    Do rate helpful posts

  • Command Accounting & Logging on ISE

    Hi Guys,
    Does ISE support command accounting and logging on network devices?
    Thanks,
    Muayad Jallad,

    The Cisco Systems implementation of RADIUS does not support command accounting. TACACS does support it, ISE with TACACS is expected in 2.0 release which is in roadmap.

  • Command accounting for SNMP config

    We can use TACACS+ and ACS to do the command accounting for EXEC shell commands executed. But what about configuration changed by SNMP set? How can we find out which OIDs were set by NMS tools?
    Thanks!

    Well radius accounting is supported on ACS so if your aaa client is accounting the commands, then they will appear on ACS without problem.

  • Command Accounting

    Hi,
    Is there any way to enable command accounting except TACACS?

    Command accounting is a feature of TACACS and is not supported by any other protocol.
    Regards,
    ~JG

  • Command accounting with ACS

    How can I achieve command accounting via ACS? I have configured devices as below but no luck
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    any idea about it

    Hi, I am using a 4.2 version appliance. I am using TACACS+; you can see the below config for your reference
    aaa new-model
    aaa group server tacacs+ bwaaa
    server 10.2.6.1
    server 10.2.6.2
    ip tacacs source-interface Vlan1111
    aaa authentication login aaa-list group bwaaa local
    aaa authentication enable default group bwaaa enable
    aaa authorization exec aaa-list group bwaaa local
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    aaa session-id common
    tacacs-server host 10.2.6.1 timeout 25
    tacacs-server host 10.2.6.2 timeout 25
    tacacs-server timeout 25
    tacacs-server directed-request
    tacacs-server key cisco123
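
A check that can be run over a configuration like the ones in this thread, as an added example that is not from any poster: it reports command-accounting method lists that point at a non-TACACS+ server group (the replies on this page state that only TACACS+ carries command accounting) and named lists that no line references (on IOS only the `default` list applies without being attached to a line). The sample configuration is constructed; the RADIUS group, the level-7 list and the vty stanza are invented for illustration.

```python
import re

# Constructed IOS configuration modelled on the thread's snippet; the RADIUS
# group, the level-7 list and the vty stanza are invented for illustration.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ bwaaa
 server 10.2.6.1
aaa group server radius rad-grp
 server 10.2.6.9
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting commands 7 default start-stop group rad-grp
line vty 0 4
 accounting commands 15 aaa-list
"""

GROUP_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) (.+)$")
APPLY_RE = re.compile(r"^\s+accounting commands (\d+) (\S+)")


def audit_command_accounting(config):
    """Return (privilege level, list name, issue) tuples for one config."""
    groups, lists, applied = {}, [], set()
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)          # group name -> protocol
        elif m := ACCT_RE.match(line):
            methods = re.findall(r"group (\S+)", m.group(3))
            lists.append((int(m.group(1)), m.group(2), methods))
        elif m := APPLY_RE.match(line):
            applied.add((int(m.group(1)), m.group(2)))  # seen under a line
    findings = []
    for level, name, methods in lists:
        for grp in methods:
            # "tacacs+" and "radius" are the built-in groups; others are named.
            proto = grp if grp in ("tacacs+", "radius") else groups.get(grp, "undefined")
            if proto != "tacacs+":
                findings.append((level, name, f"group {grp} is {proto}, not tacacs+"))
        if name != "default" and (level, name) not in applied:
            findings.append((level, name, "named list not applied to any line"))
    return findings


if __name__ == "__main__":
    for level, name, issue in audit_command_accounting(SAMPLE_CONFIG):
        print(f"commands {level} / {name}: {issue}")
```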

  • Command Accounting on MDS

    Is Command Accounting available on MDS 9216?
    We use Command Accounting on our Catalyst switches to capture the commands entered on the switches for auditing purposes. Entered commands on the Catalyst switches are captured on the Cisco ACS server and we can see who has done what under the "TACACS Administration" logs of ACS. Is this feature available on MDS switches as well?

    Command accounting is available on the MDS platform as well. This could utilize the same TACACS+ backend you have for your Catalyst network.
    You also will have very detailed control over who has access to what commands with Roles Based Access Control.
    Dan

  • CSCtg09895 - %MGBL-exec-3-ACCT_ERR main: command accounting failed

    Dear fellows,
    I am facing the below problem on one of our ASR 9010 routers while configuring. I am unable to configure anything; after entering any command this error shows up:
    RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
    RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
    RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:hostname(config-if)#commit
    Thu Jan 15 12:48:50.521 IST
    RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    it is not allowing even to commit any change
    and unable to find any online solutions for this.
    please help
    following packages are active right now
     disk0:asr9k-doc-px-4.3.4
        disk0:asr9k-fpd-px-4.3.4
        disk0:asr9k-k9sec-px-4.3.4
        disk0:asr9k-mcast-px-4.3.4
        disk0:asr9k-mgbl-px-4.3.4
        disk0:asr9k-bng-px-4.3.4
        disk0:asr9k-mini-px-4.3.4
        disk0:asr9k-mpls-px-4.3.4

    it is a fresh installation and the device is not connected to any network yet.
    PS: please tell what more output are needed so that this problem can be solved.

  • Commands accounting.

    Hello.
    I'm using this configuration for commands accounting with Cisco Secure ACS. When the first server fails, the second AAA server doesn't report any accounting records in T+ Administration, using the broadcast keyword also.
    Many thanks for suggestions.
    Regards.
    Andrea
    aaa new-model
    aaa group server tacacs+ CiscoSecureACS
    server 10.4.44.74
    server 10.4.44.75
    aaa authentication login default group CiscoSecureACS local
    aaa authentication enable default group CiscoSecureACS enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group CiscoSecureACS local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group CiscoSecureACS
    aaa accounting commands 15 default start-stop group CiscoSecureACS
    aaa accounting connection default start-stop group CiscoSecureACS
    tacacs-server host 10.4.44.74 single-connection timeout 5
    tacacs-server host 10.4.44.75 single-connection timeout 5
    tacacs-server directed-request

    Using some debug and log I can verify that AAA server receives the accounting packet and replies but doesn't record it on file.
    Any ideas?
    Thanks.
    Andrea

  • ACS command Authorization on PIX Console

    I have configured the pix firewall for ACS authentication and command authorization, everything is working fine
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
    aaa-server TACACS+ (inside) host 172.28.x. xx
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authorization command TACACS+
    aaa accounting command privilege 15 TACACS+
    aaa accounting enable console TACACS+
    but the problem is that I don't want to have ACS authentication while connecting with console. In case of emergency when
    ACS is down, I want to get console and access the device by using local username and password
    but now after this configuration when I try to access the firewall via console, I am getting an error of
    command authorization fail.
    I don't want to have any command authorization while connected with console. Please tell me how to resolve this issue.
    I have made the command authorization set in ACS and it is working fine for me,

    kindly once again check my modified configuration,
    I wanted to use this option in case ACS goes down and I can console into my firewall, but it is not working fine for me.
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (edn) host 172.28.31.132
    aaa-server TACACS+ (edn) host 172.28.31.133
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication http console LOCAL
    aaa authorization command TACACS+ LOCAL
    aaa accounting command privilege 15 TACACS+
    aaa accounting enable console TACACS+
    but I am not able to login; I am getting the following error
    Command authorization failed
    TDC-INT-525-01> exit
    Command authorization failed
    TDC-INT-525-01> exit
    Command authorization failed
    TDC-INT-525-01> enable
    Command authorization failed
    i also defined the local command authorization set like this
    privilege cmd level 15 mode exec command exit
    privilege show level 5 mode exec command running-config
    privilege show level 15 mode exec command version
    privilege show level 0 mode exec command access-list
    privilege show level 0 mode configure command access-list
    privilege cmd level 15 mode configure command exit
    privilege cmd level 15 mode configure command no
    privilege cmd level 0 mode configure command access-list
    privilege cmd level 15 mode interface command exit
    privilege cmd level 15 mode subinterface command exit
    privilege cmd level 15 mode dynupd-method command exit
    privilege cmd level 15 mode trange command exit
    privilege cmd level 15 mode route-map command exit
    privilege cmd level 15 mode router command exit
    privilege cmd level 15 mode ldap command exit
    privilege cmd level 15 mode aaa-server-host command exit
    privilege cmd level 15 mode aaa-server-group command exit
    privilege cmd level 15 mode context command exit
    privilege cmd level 15 mode group-policy command exit
    privilege cmd level 15 mode username command exit
    privilege cmd level 15 mode tunnel-group-general command exit
    privilege cmd level 15 mode tunnel-group-ipsec command exit
    privilege cmd level 15 mode tunnel-group-ppp command exit
    privilege cmd level 15 mode mpf-class-map command exit
    privilege cmd level 15 mode mpf-policy-map command exit
    privilege cmd level 15 mode mpf-policy-map-class command exit
    privilege cmd level 15 mode mpf-policy-map-class command exit
    privilege cmd level 15 mode mpf-policy-map-param command exit
    Please tell me how to solve this problem

  • Command Authorization on Pix 6.3 and ACS v3.3

    Hi,
    I am researching on how to enable command authorization on a pix firewall software v6.3 through an ACS v3.3.
    I only have a production unit so i am very cautious on doing test configuration on the firewall. I might get locked-up and kicked in the butt. =)
    Inputs on the step-by-step configuration of ACS and pix would be greatly appreciated.
    Thanks in advance!
    Jonathan

    Hi
    On the ACS side, the config you choose very much depends on the scale of your deployment.
    If you have one or two users, you can define per-user command authorisation within ACS.
    If you have many users, you should do this at group level.
    Moving on, if you have many devices you can look at creating pixshell command sets and grouping the devices into Network Device Groups (NDGs). Within each group you then map from NDGs to command sets.
    This gives the functionality of an RBAC (Role Based Access Control) server. Where a member of a group has a certain role with associated rights based on what NDG being configured.
    You may also want to use NARs to prevent certain admins even being able to logon to the device.
    So the first job is to scope your deployment and figure out what level of config (and hence complexity) is required in ACS.
    Then get a copy of extraxi aaa-reports! to audit your ACS logs :)
    Darran

  • TACACS Command accounting

    HI
    We configured accounting on our network devices. But the commands users are typing are not showing in the TACACS+ Accounting section. We are using ACS 4.1se and the commands for accounting on the devices are given below.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Please help

    Command accounting logs are stored in tacacs administration logs. Also there is a known issue on ver 4.1.1 and we need to apply patch ACS 4.1.1.23.5 to fix the issue.
    Patch for appliance is available on
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
    Patch name : ACS SE 4.1.1.23.5 accumulative patch
    Patch for acs windows is available on
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
    Patch Name : ACS 4.1.1.23.5 accumulative patch
    Regards,
    ~JG
    Do rate helpful posts
