PIX 6.3, aaa accounting

Similar Questions

• AAA accounting report is not with issued orders.

  Hello everyone, I have a problem with the AAA accounting on my ACS 4.0 device. When I view the posting journal lists the connections, protocols and addresses IP but not the commands executed on the specific switch. When I debug AAA accounting I see ouput but when I debug Ganymede accounting I see nothing. An exammple of my config is:

  AAA new-model

  AAA group Ganymede Server + ACS

  Server [ip address here]

  Server [ip address here]

  AAA accounting exec by default start-stop group ACS

  AAA accounting command 0 arrhythmic group ACS

  orders accounting AAA 15 start-stop ACS group

  RADIUS-server key [here].

  I left on the framework for the authentication of the configuration (in the example above) that it works very well.

  Someone at - it ideas why the actual orders are not be captured on GBA?

  Thanks in advance.

  GBA, accounting of the order must be recorded in the Administration of GANYMEDE + do not connect not the journal GANYMEDE + accounting! Don't ask me why, what just. At least it is on my own and took me a while to discover as well.

  Hope this helps

  Concerning

  Mike

• AAA accounting on routers

  Hey guys,.

  I'm looking for help to set up my router to where it makes account of my CSACS all commands run by users. For example, I login as the user bbaggins and I change a configuration of ACL, is there a way for the orders that I typed in being connected by the ACS?

  Thanks for your help.

  You must configure this Ganymede. Here are the commands.

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 1 by default start-stop Ganymede group.

  orders accounting AAA 15 by default start-stop Ganymede group.

  Command accounting logs are stored in the newspapers of the administration of Ganymede. There is also a known issue on ver 4.1.1 and we must apply the ACS 4.1.1.23.5 patch to fix the problem.

  Patch for the unit is available on

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

  The patch name: ACS SE 4.1.1.23.5 rollup

  Acs hotfix for windows is available on

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

  The patch name: ACS 4.1.1.23.5 rollup

  Kind regards

  ~ JG

  Note the useful messages

• PIX, PDM and AAA issues

  I have a PIX 520 in the laboratory running 6.3.3 and PDM 3.0. I tested AAA authentication and authorization to our ACS server and run into problems.

  I have two groups put in place on our ACS server. A group can be accessed freely, the other group is set to the top with a Shell command authorization set that limit orders so that they can watch the running-config and a few other things. Users of both groups can connect to the PDM or SSH/telnet/series in the unit and are authenticated and authorized correctly.

  The configuration below works fine, until I pull the ACS server off the network. Because it is not any backup authentication or authorization to order method I am dead in the water. When this happens, I can always connect via the serial console, by using the 'pix' username and password enable, I just cannot run the command 'Enable' mode privlieged or any other control besides. (I get an error "Permission has no orders").

  Here's a current configuration:

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + (inside) host 1.2.3.4 123456 timeout 5

  Console telnet authentication GANYMEDE AAA +.

  the AAA console ssh GANYMEDE authentication +.

  AAA authentication GANYMEDE serial console +.

  AAA authentication enable console GANYMEDE +.

  Console AAA authentication http GANYMEDE +.

  order of AAA for authorization GANYMEDE +.

  Is it possible to set up a backup method for approval of authentication and control? If not, is there any other way the problem I'm running into?

  Let me know if you need more info. Thank you!

  Hello

  Sorry, I missed this earlier. There is a failure on the PIX for this and we have an open enhancement request to add several methods of authorization to the PIX - CSCea04538. At this point, your best bet is to bug of your account team to get this feature added to the code of PIX to come. Sorry for the inconveinence.

  Scott

• AAA accounting records to the RADIUS server

  Im trying to activate recods orders accounting to be send to my server ACS on all my devices, I activated this orders accounting for each level of privilege to follow who types what on my devices, now the problem is that the files are not displayed on my ACS accouting reports, I get everything except the records for the typed commands , any suggestions on what order the put value on my devices to enable this feature... ?

  http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=security&topic=AAA&TopicId=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbfe9b8

  The head about it. It points you to a patch for a 4.1 Setup that I assume that you are using.

  See you soon

• AAA accounting Config help

  I have Cisco ACS 3.2 on widnows with cisco (IOS 12.3) devices configured with authentication. I need enable accounting. I just need the list of commands (changes) on the cisco device. What is the command to correct authentication? This is the current configuration.

  AAA server Ganymede group + tacgrp

  Server X.X.X.X

  Server Y.Y.Y.Y

  !

  AAA authentication login default group Ganymede + local

  AAA authentication login relief group Ganymede + activate

  AAA - the id of the joint session

  GANYMEDE-server host X.X.X.X

  GANYMEDE-server host Y.Y.Y.Y

  RADIUS-server application made

  RADIUS-server key 7 XXXXXXXXXXXXXXXXXXX

  Line con 0

  line vty 0 4

  There is no accounting for SNMP.

  The snmp on the router show command can tell you how many polls where done.

  Example to see the output of snmp:

  RAME: SCA043004DW

  Contact: smotwani

  Location: noida

  SNMP 56224160 to input packets

  0 bad SNMP version error

  38 unknown community name

  Illegal operation in name of the provided community 0

  Coding errors 0

  Number of requested variables 268814216

  Number 112 of the variables changed

  35437579 get PDUs request

  20781918 get-next PDUs

  24 set-request PDUs

  0 input queue DROPS number package (Maximum 1000 queue size)

  56224122 release of SNMP packets

  0 too big mistakes (maximum 1500 packet size)

  15 no such errors of name

  Bad values 0 errors

  0 General errors

  56219928 response PDUs

  0 trap PDUs

  You can also define a list of access allowing for any snmp and connect the access list which will have a counter that increments.

  There is no such thing as research in the papers of the ACS to know how often snmp has been consulted and what ip address for the simple reason that the authorization does not apply to the snmp.

• AAA accounting in charge of the Windows 2008 network POLICY server log

  Hello world

  We have configured our Cisco devices to use Windows 2008 network POLICY server for RADIUS.  However, we cannot configure aaa represents priv 15 commands to use the same radius servers for recording of commands in privileged mode.  When you set up by using the following command:

  AAA commands 15 arrhythmic default accounting RADIUS_SERVERS group

  I noticed that there is only GANYMEDE + servers 'group' categories and optional.  After entering the server radius group, I realized that the command is not saved and by inspecting the logs I saw the following:

  The 'MF_RAD' server group is not a Ganymede server group. Please define "RADIUS_SERVERS" as a Ganymede server group.

  This means that the function of accounting 'orders' (and probably most others) can be activated only when you use a GANYMEDE Server +?

  Thanks in advance

  You're absolutely right. Accounting command only works with Ganymede. We cannot have the command for the radius Protocol accounting. RADIUS accounting only gives you start and stop sessions package.

  ~ BR
  Jatin kone

  * Does the rate of useful messages *.

• Backup AAA for PIX

  I have a PIX with the following configuration:

  GANYMEDE + Protocol Ganymede + AAA-server

  AAA-server GANYMEDE + (inside) host 192.168.1.1 77777 timeout 5

  RADIUS Protocol RADIUS AAA server

  AAA-RADIUS (inside) host 192.168.1.1 Server 77777 timeout 10

  AAA-server local LOCAL Protocol

  AAA authentication GANYMEDE serial console +.

  AAA authentication enable console GANYMEDE +.

  order of AAA for authorization GANYMEDE +.

  AAA accounting correspond to aaa_acl inside RADIUS

  Everything works fine when the RADIUS server is available. When he is not available, I can log in with the username "PIX" and "password". The problem is, once I connected, I can't get permission to execute orders. Does anyone know of a command that is similar to the "if-certified" for routers that I can use?

  There is no method of backup for authorization for the PIX. As you know, if the RADIUS server is down, you can connect with "pix" and the password enable, but it doesn't help a permission. The only thing you can do is wait the GANYMEDE server back to the top. I'm sorry.

• Accounting on my PIX command failed

  Hello

  I'm setting up my PIX ver 7.2 (2) for accounting command using the command 'aaa accounting command', but I am not able to see any accounting information on my ACS 4.1 build 23 Server!

  Although authentication for this PIX works very well and the accounting also works perfectly for other IOS devices, accounting for the PIX does not work when you browse the administration GANYMEDE page +!

  I write the show-tech for your referecne PIX!

  Appreciate your support here!

  BR,

  Haitham

  Recommend you to take a look at this CSCsg97429bug.

  ~ Rohit

• Administrator command accounting Pix 515

  Hello

  Is there a way to connect firewall admin commands issued to the firewall? As for example, send to a GANYMEDE Server +?

  Thanks for the help.

  Hello noipt,

  Accounting command can be configured ONLY in PIX v7.x. In addition, looks not - show only orders will be sent.

  By the order No.

  Accounting messages to the GANYMEDE + accounting server when you enter one command other display commands in the CLI, use the command of control accounting aaa in global configuration mode.

  AAA accounting command

  http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a1_711.htm#wp1428200

  For version 6.x.

  Authentication and authorization in order for PIX 6.2

  http://www.Cisco.com/warp/public/110/pix_command.shtml#accounting

  There is no command available real accounts, but in having enabled on the PIX of syslog, you can see what steps have been made, as shown in this example:

  307002: allows connection of the 172.18.124.111 Telnet session

  111006: connection to pixtest to the console console

  611103: user disconnected: Uname: pixtest

  307002: allows connection of the 172.18.124.111 Telnet session

  111006: connection to pixtest to the console console

  502103: user priv level changed: Uname: pixtest of: 1:15

  111008: user 'pixtest' command 'enable '.

  111007: configuration Begin: 172.18.124.111 reading of the terminal

  111008: user 'pixtest' run the command "configure t."

  111008: user 'pixtest' run the command "write t.

  I hope this helps! If Yes, please rate.

  Thank you

• Accounting customer VPN on PIX 515 worm problem. 6.3

  Hello everyone! Is it possible to configure PIX 515 worm. 6.3 to send logs to the RADIUS to break when a VPN Client user loggs in and outside loggs? I can't find any aaa accounting command which allows this.

  Hello

  Accounting of VPN was added in PIX 7.x. It is not available with 6.x

  Kind regards

  Vivek

• Select orders accounting aaa for all levels of privilege?

  Here is the syntax of the command:

  AAA accounting {auth-proxy | system | network | exec | login | orders level} {default | name-list} {arrhythmic | stop only | none} group [broadcast] name of

  The accounting type 'command' must include the privilege level of the orders that you log on. How can I connect all orders?

  Consider the following example:

   aaa accounting commands 15 default start-stop group mygroup

  If I run this command will mean that command that the user runs which have a level of less than 15 privilege are not registered? Or only commands that require exactly the privilege level 15 will be connected?

  How can I connect all orders regardless of the privilege level?

  Hey red,

  If you customize the command privilege level by using the command of privilege, you can limit who commands the unit accounts for by specifying a minimum privilege level. The security apparatus does not account for orders that are below the minimum privilege level.

  The default privilege level is 0. So if you do not specify a level of privilege then all should be counted.

  You can find the details of the order to. It's good for the SAA.

  http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa80/command/referenc...

  Kind regards

  Kanwal

  Note: Please check if they are useful.

• Accounting and authorization of the AAA

  Hello everyone.
  I give myself a proposed implementation of AAA on routers and switches in our environment. Can someone please help me understand the difference between.
  command option 1) aaa authorization exec and the authorization of the aaa.
  aaa accounting exec command option 2) and the aaa accounting.
  Thank you very much.

  Sent by Cisco Support technique Android app

  Hello

  command option 1) aaa authorization exec and the authorization of the aaa.
  One allows if the user has the privilege level right to enter unrestricted IOS (0,1,15) levels, you can customize it.

  The other allows different commands, a user can type and send to the device

  aaa accounting exec command option 2) and the aaa accounting.

  One represents once again when a user changes from a specific user-level (level preferred 15 or user-level Exec 1)

  Secondly it sends a message of each shipment of order based costing to box

  Check out my blog at http:laguiadelnetworking.com for more information.

  See you soon,.

  Julio Segura Carvajal

• The AAA authentication & accounting using the command of Ganymede-orders

  In the page of the cisco Remote Access Companion guide 394 book we got these configuration lines:

  RTA (config) #tacacs - server host 192.168.0.11

  RTA (config) #tacacs - host 192.168.0.12 server

  RTA (config) #tacacs - server key topsecret

  RTA (config) #aaa new-model

  Ganymede + RTA (config) #aaa authentication login default group

  If I want to add to the configuration above, the following command:

  RTA (config) #aaa accounting connection defult stop / start Ganymede +.

  Is it necessary that the above lines be in a specific order when I configure the RTA?

  No, the order in which you enter commands doesn't matter.

• VPN to Pix problem

  It seems that I have problems similar to many others in the connection of remote clients to a PIX 515E.

  Currently, I have tried both the client VPN Cisco 3.6 and 4.03 without success. Users are authenticated very well and the customer, you can see that their assigned an address etc but they are unable to access the internal network. The crypto ipsec his watch HS no encrypted traffic has affected the Pix as its...

  within the State of the customer etc., it shows that packets are encrypted so I'm at a bit of a loss.

  I have also a problem with pptp connections - this seems to differ between the BONES on the client but Win2K machines can connect and get checked etc but again failed to connect within the networks. These could be linked?

  My current config is: (change of address, etc.)

  SH run

  : Saved

  :

  PIX Version 6.2 (1)

  ethernet0 nameif outside security0

  nameif ethernet1 inside the security100

  nameif ethernet2 security10 intf2

  enable password xxxx

  passwd xxxx

  hostname fw

  domain name

  fixup protocol ftp 21

  fixup protocol http 80

  fixup protocol h323 h225 1720

  fixup protocol h323 ras 1718-1719

  fixup protocol they 389

  fixup protocol rsh 514

  fixup protocol rtsp 554

  fixup protocol smtp 25

  fixup protocol sqlnet 1521

  fixup protocol 2000 skinny

  No fixup protocol sip 5060

  names of

  name Inside_All 10.0.0.0

  name 10.30.1.0 Ireland1_LAN

  name 159.135.101.34 Ireland1_VPN

  name 213.95.227.137 IrelandSt1_VPN

  name 10.30.2.0 Cardiff_LAN

  name 82.69.56.30 Cardiff_VPN

  access-list 101 permit ip Inside_All 255.0.0.0 10.1.1.88 255.255.255.248

  access-list 101 permit ip Ireland1_LAN 255.255.255.0 255.0.0.0 Inside_All

  access-list 101 permit ip Cardiff_LAN 255.255.255.0 255.0.0.0 Inside_All

  access-list 101 permit ip Inside_All 255.0.0.0 10.30.3.0 255.255.255.0

  access-list 101 permit ip Inside_All 255.0.0.0 192.168.253.0 255.255.255.0

  outside_interface list access permit icmp any any echo

  outside_interface list access permit icmp any any echo response

  outside_interface list of access permit icmp any any traceroute

  outside_interface list access permit tcp any host 212.36.237.99 eq smtp

  outside_interface ip access list allow any host 212.36.237.100

  access-list permits outside_interface tcp host 212.241.168.236 host 212.36.237.101 eq telnet

  outside_interface list of access permitted tcp 192.188.69.0 255.255.255.0 host 212.36.237.101 eq telnet

  outside_interface list access permit tcp any any eq telnet

  allow the ip host 82.69.108.125 access list outside_interface a

  access-list 102 permit ip 10.1.1.0 255.255.255.0 Ireland1_LAN 255.255.255.0

  access-list 103 allow ip 10.1.1.0 255.255.255.0 Cardiff_LAN 255.255.255.0

  access-list 104. allow ip 10.1.1.0 255.255.255.0 10.30.3.0 255.255.255.0

  pager lines 24

  opening of session

  recording of debug console

  monitor debug logging

  interface ethernet0 10baset

  interface ethernet1 10baset

  Automatic stop of interface ethernet2

  Outside 1500 MTU

  Within 1500 MTU

  intf2 MTU 1500

  IP outdoor 212.36.237.98 255.255.255.240

  IP address inside 10.1.1.250 255.255.255.0

  intf2 IP address 127.0.0.1 255.255.255.255

  alarm action IP verification of information

  alarm action attack IP audit

  IP local pool ippool 10.1.1.88 - 10.1.1.95

  IP local pool mspool 10.7.1.1 - 10.7.1.50

  IP local pool mspools 192.168.253.1 - 192.168.253.50

  location of PDM Inside_All 255.255.255.0 inside

  location of PDM 82.69.108.125 255.255.255.255 outside

  location of PDM 10.55.1.0 255.255.255.0 inside

  PDM logging 100 information

  history of PDM activate

  ARP timeout 14400

  Global 1 interface (outside)

  (Inside) NAT 0-list of access 101

  NAT (inside) 1 0.0.0.0 0.0.0.0 0 0

  public static 212.36.237.100 (Interior, exterior) 10.1.1.50 netmask 255.255.255.255 0 0

  public static 212.36.237.101 (Interior, exterior) 10.1.1.254 netmask 255.255.255.255 0 0

  public static 212.36.237.99 (Interior, exterior) 10.1.1.208 netmask 255.255.255.255 0 0

  Access-group outside_interface in interface outside

  Route outside 0.0.0.0 0.0.0.0 212.36.237.97 1

  Route inside Inside_All 255.255.255.0 10.1.1.254 1

  Route inside 10.2.1.0 255.255.255.0 10.1.1.254 1

  Route inside 10.3.1.0 255.255.255.0 10.1.1.254 1

  Route inside 10.4.1.0 255.255.255.0 10.1.1.254 1

  Route inside 10.5.1.0 255.255.255.0 10.1.1.254 1

  Route inside 10.6.1.0 255.255.255.0 10.1.1.254 1

  Route inside 10.7.1.0 255.255.255.0 10.1.1.254 1

  Route inside 10.8.1.0 255.255.255.0 10.1.1.254 1

  Route inside 10.9.1.0 255.255.255.0 10.1.1.254 1

  Route inside 10.10.1.0 255.255.255.0 10.1.1.254 1

  Route inside 10.11.1.0 255.255.255.0 10.1.1.253 1

  Timeout xlate 03:00

  Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00

  Timeout uauth 0:00:00 uauth absolute 0:30:00 inactivity

  GANYMEDE + Protocol Ganymede + AAA-server

  RADIUS Protocol RADIUS AAA server

  AAA-server local LOCAL Protocol

  AAA-server AuthInOut Protocol Ganymede +.

  AAA-server AuthInOut (inside) host 10.1.1.203 Kinder timeout 10

  the AAA authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

  the AAA authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

  AAA accounting include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

  AAA accounting include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 AuthInOut

  Enable http server

  http 82.69.108.125 255.255.255.255 outside

  http 10.1.1.0 255.255.255.0 inside

  No snmp server location

  No snmp Server contact

  Server SNMP community xxx

  No trap to activate snmp Server

  enable floodguard

  Permitted connection ipsec sysopt

  Sysopt connection permit-pptp

  Sysopt route dnat

  Crypto ipsec transform-set esp - esp-md5-hmac VPNAccess

  Crypto ipsec transform-set esp-3des esp-md5-hmac VPNAccess2

  Crypto-map dynamic dynmap 10 game of transformation-VPNAccess2

  card crypto home 9 ipsec-isakmp dynamic dynmap

  card crypto ipsec-isakmp 10 home

  address of 10 home game card crypto 102

  set of 10 House card crypto peer IrelandSt1_VPN

  House 10 game of transformation-VPNAccess crypto card

  card crypto ipsec-isakmp 15 home

  address of home 15 game card crypto 103

  set of 15 home map crypto peer Cardiff_VPN

  House 15 game of transformation-VPNAccess crypto card

  card crypto ipsec-isakmp 30 home

  address of 30 home game card crypto 104

  crypto home 30 card set peer 212.242.143.147

  House 30 game of transformation-VPNAccess crypto card

  interface card crypto home outdoors

  ISAKMP allows outside

  ISAKMP key * address IrelandSt1_VPN netmask 255.255.255.255

  ISAKMP key * address Cardiff_VPN netmask 255.255.255.255

  ISAKMP key * address 212.242.143.147 netmask 255.255.255.255

  ISAKMP identity address

  part of pre authentication ISAKMP policy 5

  ISAKMP strategy 5 3des encryption

  ISAKMP strategy 5 md5 hash

  5 2 ISAKMP policy group

  ISAKMP life duration strategy 5 86400

  part of pre authentication ISAKMP policy 7

  ISAKMP strategy 7 3des encryption

  ISAKMP strategy 7 sha hash

  7 2 ISAKMP policy group

  ISAKMP strategy 7 life 28800

  part of pre authentication ISAKMP policy 10

  encryption of ISAKMP policy 10

  ISAKMP policy 10 md5 hash

  10 1 ISAKMP policy group

  ISAKMP policy 10 life 85000

  part of pre authentication ISAKMP policy 20

  encryption of ISAKMP policy 20

  ISAKMP policy 20 md5 hash

  20 2 ISAKMP policy group

  ISAKMP duration strategy of life 20 85000

  vpngroup client address mspools pool

  vpngroup dns-server 194.153.0.18 client

  vpngroup wins client-server 10.155.1.16

  vpngroup idle time 1800 customer

  vpngroup customer password *.

  Telnet 82.69.108.125 255.255.255.255 outside

  Telnet 10.55.1.0 255.255.255.0 inside

  Telnet 10.1.1.0 255.255.255.0 inside

  Telnet timeout 15

  SSH 82.69.108.125 255.255.255.255 outside

  SSH timeout 15

  VPDN Group 6 accept dialin pptp

  PAP VPDN Group 6 ppp authentication

  VPDN Group 6 chap for ppp authentication

  VPDN Group 6 ppp mschap authentication

  VPDN Group 6 ppp encryption mppe auto

  VPDN Group 6 client configuration address local mspools

  VPDN Group 6 pptp echo 60

  local 6 VPDN Group client authentication

  VPDN username xxxx password *.

  VPDN username password xxx *.

  VPDN username password xxx *.

  VPDN username password xxx *.

  VPDN username xxxx password *.

  VPDN allow outside

  username xxx pass xxx

  Terminal width 80

  Cryptochecksum:8f8ceca91c6652e3cc8086edc8ed62fa

  : end

  If you do not see decrypts side Pix while my thoughts are (for IPSEC) ESP and GRE (for PPTP) do not get to your Pix (blocks perhaps of ISP or other devices).

  If you do a "capture" of the packets on the external interface you see all traffic ESP or GRE? Where the customer? If this isn't the case, dialup is ESP or permitted GRE?