PIX - aaa accounting for config changes

How do I enable TACACS+ accounting for PIX enable-level config changes?

I know how to do this for a router:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

But how do I do this for the PIX?

thanks,
-aprilmj
Tim Holman commented:
Have you looked through this ?

http://www.cisco.com/warp/public/110/atp52.html
aprilmj (Author) commented:
I couldn't make it work, so I called the TAC.

Bad news.

"The PIX firewall only supports accounting for sessions going through the PIX, or "through traffic".  It does not support accounting for admin sessions directly to the PIX.  If you want this ability, I recommend submitting a feature request with your account team.  Please let me know if you have any further questions, otherwise I will close out this case by close of business today."
Tim Holman commented:
Not natively, but you can enable accounting with external RADIUS and TACACS+ servers, so not sure what they're on about?

aprilmj (Author) commented:
Accounting *only* works for traffic passing through the pix...
you can't do management accounting according to Cisco  =(
Tim Holman commented:
With a PIX, you can enable full authentication and command authorization, using TACACS+, as follows:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/sysmgmt.htm#wp1031817

This lets you assign 16 different privilege levels of command use for the PIX, using an external TACACS+ server.  Every time one of these privilege levels is checked, the command goes up to the TACACS+ server for authorization, then the TACACS+ server says yes/no, this user can or cannot use this command.  The TACACS+ server then logs this, so you have a full aaa report!

Using a standalone PIX, the best you can get is use of SYSLOG (shows you what user did what and when):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml#accounting

So sorry to say, but Cisco TAC are misinformed, and I hope you're not paying them for this level of support!! ;)
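A worked configuration for the approach described in the last comment, added here as an illustration and not taken from the original thread or from Cisco's documentation. It assumes a PIX 6.3-era CLI, a TACACS+ server at 10.1.1.10 and a syslog collector at 10.1.1.20 behind the inside interface, a shared key of s3cr3tkey and a local fallback account named admin; all of these are placeholders, and the exact keyword syntax (in particular the LOCAL fallback keyword) should be checked against the command reference for the release actually in use.

```cisco
! Added example, not from the original thread. Placeholders: server tag TACACS+,
! hosts 10.1.1.10 / 10.1.1.20, key s3cr3tkey, local user admin.
!
! 1. Define the TACACS+ server group and the server reachable via "inside".
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.10 s3cr3tkey timeout 5
!
! 2. Authenticate every management path against TACACS+. The trailing LOCAL
!    keyword falls back to the local user database only if the server is
!    unreachable, so a dead server does not lock you out of the box.
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
!
! 3. Send each command the user types to the TACACS+ server for authorization.
!    The server records every permit/deny decision, and that server-side log is
!    the per-command audit trail the original question was after. The server
!    must have the command sets for each privilege level defined before this
!    line is entered, or your own session can be refused further commands.
aaa authorization command TACACS+
!
! 4. Local fallback account with full privilege for when TACACS+ is down.
username admin password Ch4ngeM3 privilege 15
!
! 5. Belt and braces: the PIX's own syslog messages for executed commands go to
!    an external collector, so there is a record on the firewall side as well.
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.20
```

Apply this from the serial console with a second, already-authenticated session open, and only write the configuration to flash after confirming from the second session that a TACACS+-authenticated user can still run show and configure commands; command authorization is the line most likely to lock an administrator out when the server's command sets are incomplete.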
