Aaa accounting commands levels

Hello,
I am confused about aaa accounting. If I wish to account for all commands and the levels I have configured are, say, 5 and 15, do I need to include level 0 in my aaa accounting commands?

Hello,
By default on IOS devices we have three commands distributed over three privilege levels i.e.,
Level 0
Level 1, and
Level 15.
If you do not explicitly change the privilege level of any command(s), then the only commands you need to enter on an IOS device to monitor all commands executed on the device are:
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
I have defined TACACS+ as the accounting server, as it gels best with administrative purposes, i.e. shell command authorization.
Let me know if this clarifies your doubt :)
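The question above (and the "Enable aaa accounting commands for all privilege levels?" thread further down) comes down to one rule: an `aaa accounting commands N` line covers only commands that sit at exactly level N, so every level in use needs its own line, and the line only takes effect against a TACACS+ group. The following Python script is an added example, not from this thread or from Cisco: it reads a running-config, works out which privilege levels hold commands (the IOS defaults 0, 1 and 15 plus any level a `privilege ... level N` command moves commands to), reports the levels that have no command accounting, flags lines that point at a RADIUS group, and suggests the missing lines. The two sample configs and the group name `MYRADIUS` are constructed for the example.

```python
"""Audit an IOS config for command-accounting coverage per privilege level.

Added example, not from the thread. Assumptions: commands live at levels
0, 1 and 15 unless moved with `privilege <mode> level N ...`, and an
`aaa accounting commands N` line covers commands at exactly level N.
"""
import re
from typing import Dict, List, Set

# IOS default privilege levels for commands, as described in the thread.
DEFAULT_LEVELS: Set[int] = {0, 1, 15}

ACCT_RE = re.compile(
    r"^aaa accounting commands (?P<level>\d+) (?P<list>\S+) "
    r"(?P<mode>start-stop|stop-only|none)(?: broadcast)?(?: group (?P<group>\S+))?$"
)
PRIV_RE = re.compile(r"^privilege \S+ level (?P<level>\d+) ")
RADIUS_GROUP_RE = re.compile(r"^aaa group server radius (?P<name>\S+)")


def _lines(config: str) -> List[str]:
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def _radius_groups(config: str) -> Set[str]:
    """Names of server groups defined as RADIUS groups in the config."""
    names: Set[str] = set()
    for ln in _lines(config):
        m = RADIUS_GROUP_RE.match(ln)
        if m:
            names.add(m.group("name"))
    return names


def levels_in_use(config: str) -> Set[int]:
    """Default levels plus every level that a `privilege` command moves commands to."""
    levels = set(DEFAULT_LEVELS)
    for ln in _lines(config):
        m = PRIV_RE.match(ln)
        if m:
            levels.add(int(m.group("level")))
    return levels


def accounted_levels(config: str) -> Dict[int, str]:
    """Map each level that has command accounting to the server group it uses."""
    out: Dict[int, str] = {}
    for ln in _lines(config):
        m = ACCT_RE.match(ln)
        if m and m.group("mode") != "none":  # `none` disables accounting for that level
            out[int(m.group("level"))] = m.group("group") or ""
    return out


def audit(config: str) -> Dict[str, List[int]]:
    """Levels with no command accounting, and levels whose accounting points at RADIUS
    (command accounting is TACACS+-only on IOS, so those lines will not work)."""
    radius = _radius_groups(config)
    accounted = accounted_levels(config)
    missing = sorted(levels_in_use(config) - set(accounted))
    non_tacacs = sorted(lvl for lvl, grp in accounted.items() if grp == "radius" or grp in radius)
    return {"missing": missing, "non_tacacs": non_tacacs}


def suggested_lines(config: str) -> List[str]:
    """Accounting lines to add for the missing levels, reusing the list name, record mode
    and TACACS+ group of an existing command-accounting line when there is one."""
    radius = _radius_groups(config)
    lst, mode, group = "default", "start-stop", "tacacs+"
    for ln in _lines(config):
        m = ACCT_RE.match(ln)
        if m and m.group("mode") != "none" and m.group("group"):
            if m.group("group") != "radius" and m.group("group") not in radius:
                lst, mode, group = m.group("list"), m.group("mode"), m.group("group")
                break
    return [f"aaa accounting commands {lvl} {lst} {mode} group {group}"
            for lvl in audit(config)["missing"]]


# Constructed sample configs (not from the thread). The first accounts only level 15
# while a `privilege exec level 5` line creates a level-5 command; the second points
# command accounting at RADIUS groups.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
privilege exec level 5 show running-config
tacacs server ACS
 address ipv4 192.0.2.20
"""

RADIUS_CONFIG = """
aaa new-model
aaa group server radius MYRADIUS
 server 192.0.2.10
aaa accounting commands 15 default start-stop group MYRADIUS
aaa accounting commands 1 default start-stop group radius
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("radius", RADIUS_CONFIG)):
        print(name, audit(cfg))
        for line in suggested_lines(cfg):
            print("  add:", line)
```

Run against the first sample it reports levels 0, 1 and 5 as unaccounted and proposes the three matching `aaa accounting commands` lines with the existing `default start-stop group tacacs+` settings; against the second it flags levels 1 and 15 as pointing at RADIUS, which is the same situation the "Does "aaa accounting commands" not support radius?" thread below runs into.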

Similar Messages

  • Enable aaa accounting commands for all privilege levels?

    Here is the command's syntax:
    aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
    The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
    Take the following example:
    aaa accounting commands 15 default start-stop group mygroup
    If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
    How can I log all commands regardless of privilege level?

    Hi Red,
    If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
    The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
You can find the command details at the link below. This is for ASA, though.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Question about usage of aaa accounting commands

    Hi everyone,
I have the problem that Cisco routers and switches do not send some command accounting information to ACS.
Accounting commands not sent to ACS are "show log" and "show version".
Accounting commands sent to ACS are "show run", "conf t" and "debug".
    The configuration of routers and switches is the following
    aaa new-model
    aaa authentication login default group tacacs+ line
    aaa authorization commands 15 default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands not sent to ACS are privilege level 1 commands and the commands sent to ACS are privilege level 15 commands.
So I need the additional aaa accounting command below to get the routers and switches to send level 1 commands to ACS, because the "15" in "aaa accounting commands 15" does not include level 1, so I need to configure "aaa accounting commands 1" for level 1 commands.
    aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct?
    Your information would be greatly appreciated.
    Best regards,

    Hi,
please do this and the router will send everything to the ACS server, except whatever you are doing to the router over HTTP:
    aaa new-model
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa accounting connection VTY start-stop group tacacs+
    aaa session-id common
    ip http authentication aaa login-authentication VTY
    ip http authentication aaa exec-authorization VTY
    tacacs-server host 192.168.15.10 key 7 1446405858517C
    tacacs-server directed-request
    line con 0
    exec-timeout 0 0
    authorization exec notac
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    logging synchronous
    login authentication notac
    line aux 0
    session-timeout 35791
    exec-timeout 35791 23
    authorization exec notac
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication notac
    transport input all
    line vty 0
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
    David
    CCIE Security

  • Missing aaa accounting commands

    Hi,
    I might be being REALLY STUPID, but I am trying to config a 12.3 IOS router to send command accounting records to an ACS 3.3 server via RADIUS.
When I input the 'aaa accounting commands 15 default group radius' command, it is accepted by the router, but when I show the config, it's not there. This is the same for all command levels. This router is logging VoIP accounting records too, to the same RADIUS box, without problems.
Have I missed something about setting up AAA?
    Grateful for any help!
    Thanks
    Pete Moore

    Even if IOS did support it, the format of any RADIUS cmd accounting will be inferior for a couple of reasons
1) The ACS TACACS+ reports are totally geared up for this with pre-defined columns for each T+ attribute.
    2) ACS has a dedicated cmd accounting report which splits out cmds from sessions
    3) To package in RADIUS, IOS would have to create many cisco-av-pair VSA instances. In the RADIUS accounting logs these will all be compressed into a single column of the format
    "attr1=value1;attr2=value2;..."
    Depending on what you want to do with the data this format is quite restrictive.
    My advice is to enable TACACS+
    Darran

  • AAA Accounting Commands

    I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?
    I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.
    Thanks, Rick

    Give extraxi aaa-reports! a try (free trial version available)
We offer loads of great canned reports for device admin, and more importantly you can filter out stuff you don't want during import.
    Once the CSVs are imported we also have a visual query builder for drilling down into your data - with the results exportable to word/excel/html etc.
    Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance)
    We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"
    Darran

  • Question on AAA accounting command?

    Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?

    jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
    You will not even see an option for radius.
    jkatyel(config)#aaa accounting commands 15 default start-stop gr
    jkatyel(config)#aaa accounting commands 15 default start-stop group ?
      WORD     Server-group name
      tacacs+  Use list of all Tacacs+ hosts.
    Accounting supported by radius
    https://tools.ietf.org/html/rfc2866
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • Does "aaa accounting commands" not support radius?

    When I issue this command:
    aaa accounting commands 15 default start-stop group myradiusgroup
    I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
Nowhere in the documentation could I find anything saying the "commands" accounting type is only available to tacacs+. Does aaa not support this accounting type for radius?

    Hi Red,
    The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Aaa accounting for config-mode commands

    How to account commands entered in config-mode via TACACS+ ?
    aaa accounting commands 15 default start-stop group tacacs+
    does accounting for all commands in privilege level 15.
    Best Regards
    Carsten

    Carsten
    I am not clear what your question is. From the title I gather that you are looking for a way to have accounting records for commands entered in config mode. The answer to the question is to enable accounting for level 15 commands which include the config commands. All of which is included in your message. So what is the question?
    If the question is how to get just the config commands without all the other level 15 commands I am not aware of any way to get just the config commands.
    HTH
    Rick

  • AAA Radius accounting command is not taking in 3750 switch

Hi Cisco Support community,
I am facing an issue with radius accounting in a Cisco 3750 switch with version 12.2. I am unable to start accounting for the radius server.
    This is the config that is on the switch for Radius.
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
aaa authorization exec my-authradius group radius if-authenticated
    radius-server attribute 6 on-for-login-auth
    radius-server dead-criteria time 20 tries 5
    radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
    radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
When I try to add the following commands for accounting, they are not saving.
aaa accounting commands 0 default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius
If I paste these commands one by one, after start-stop group it shows only two options, either tacacs+ or server; there is no radius option either.
I tried to create a server group and add the radius server to the group. Even then, when I try to implement the aaa accounting command with the server command, it does not show up in show run.
Can anyone please help me with this issue?

    Hi,
thanks for your reply, but the thing is that I want to see the commands that are being run by a user on this particular device. If I use the network command it will only show me the network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
I have read the document from this link and it is stating that we can use command accounting. Below is the link
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html
Can anyone please tell me if this is a version issue, because even in version 15.4 I was not seeing the radius option at the end:
aaa accounting commands 15 default start-stop group (radius) - in place of radius it was showing only tacacs+ or group.

• What is the main function of Accounting commands

    Hi,
Can anyone tell me what the main function of the below commands in TACACS is?
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    aaa accounting exec default start-stop group tacacs+
    !--- Log the start and stop of EXEC session to the device. When the user logged in and when the user logged out. Total time spent.
    aaa accounting commands 1 default start-stop group tacacs+
    !--- Account/Log all the commands executed by the user, that are at privilege level 1.
    aaa accounting commands 15 default start-stop group tacacs+
    !--- Account/Log all the commands executed by the user, that are at privilege level 15.
    aaa accounting system default start-stop group tacacs+
    !--- Send the log to the Tacacs server about the system events (reboot etc..)
    More details,
    http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html#wp1038916
    Regards,
    Prem
    Please rate if it helps!

  • Accounting Command for Configuration Changes

    Hi All,
I want the logs of commands or configuration changes made in routers or switches sent to ACS 4.1,
like the following:
Wed Jun 27 03:46:47 2001 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=3 service=shell priv-lvl=1 cmd=show version <cr>
The above is found in the Command Accounting section of the link
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacct.html#wp1000976

    Anand
    The information that you need about how to configure this is not so good in the link that you posted. But it is not difficult to configure. I use the following line in configuration of routers and get the accounting records in ACS for all privilege level commands including any configuration commands.
    aaa accounting commands 15 default start-stop group tacacs+
    You might want to change some details (like tacacs+) depending on how your routers are configured to talk to ACS.
    HTH
    Rick
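The record quoted in the question above is what a TACACS+ command-accounting entry looks like once it reaches the server: a fixed prefix (timestamp, device address, user, line, session id, start/stop flag) followed by `attr=value` pairs, with `priv-lvl` telling you which privilege level the command was accounted under and `cmd` carrying the command text. The following parser is an added example, not from this thread or from Cisco; it assumes that record layout and that `cmd=` runs to the end of the line and ends in `<cr>`. It separates command records from EXEC session records (the split Darran mentions in the "Missing aaa accounting commands" thread), groups commands by privilege level, and reports which of the default levels 0, 1 and 15 produced no records at all, which is the cue to go back and check that an `aaa accounting commands` line exists for that level. The log lines are constructed for the example.

```python
"""Parse TACACS+ shell command-accounting records of the kind shown in the thread.

Added example, not from the thread. Record layout assumed from the sample record
above: timestamp, NAS address, user, port, session id, start/stop flag, then
attr=value pairs with `cmd=` running to the end of the line and ending in <cr>.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

RECORD_RE = re.compile(
    r"^(?P<timestamp>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<session>\S+) "
    r"(?P<flag>start|stop|update)\s+(?P<attrs>.*)$"
)


def parse_attrs(text: str) -> Dict[str, str]:
    """Split `key=value` pairs; `cmd=` swallows the rest of the line because
    command text contains spaces, and the trailing <cr> marker is dropped."""
    attrs: Dict[str, str] = {}
    tokens = text.split()
    for i, tok in enumerate(tokens):
        key, _, val = tok.partition("=")
        if key == "cmd":
            cmd = " ".join([val] + tokens[i + 1:])
            attrs["cmd"] = re.sub(r"\s*<cr>$", "", cmd).strip()
            break
        attrs[key] = val
    return attrs


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """One accounting line to a flat dict, or None if it does not match the layout."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(parse_attrs(rec.pop("attrs")))
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r]


def command_records(text: str) -> List[Dict[str, str]]:
    """Records produced by `aaa accounting commands N` (they carry a cmd attribute)."""
    return [r for r in parse_log(text) if "cmd" in r]


def session_records(text: str) -> List[Dict[str, str]]:
    """Records produced by `aaa accounting exec` (session start/stop, no cmd)."""
    return [r for r in parse_log(text) if "cmd" not in r]


def commands_by_level(text: str) -> Dict[int, List[str]]:
    """Commands grouped by the privilege level they were accounted under (-1 if absent)."""
    out: Dict[int, List[str]] = defaultdict(list)
    for r in command_records(text):
        out[int(r.get("priv-lvl", -1))].append(r["cmd"])
    return dict(out)


def levels_without_records(text: str, expected: Iterable[int] = (0, 1, 15)) -> List[int]:
    """Privilege levels that never appear in the log; worth checking that the device
    has an `aaa accounting commands` line for each of them."""
    seen = set(commands_by_level(text))
    return sorted(lvl for lvl in expected if lvl not in seen)


# Constructed sample records (not from the thread), in the layout of the record
# quoted in the question above: one EXEC session with three commands inside it.
SAMPLE_LOG = """\
Wed Jun 27 03:46:12 2001 172.16.25.15 fgeorge tty3 5622329430/4327528 start task_id=1 service=shell
Wed Jun 27 03:46:47 2001 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=3 service=shell priv-lvl=1 cmd=show version <cr>
Wed Jun 27 03:47:02 2001 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=4 service=shell priv-lvl=15 cmd=configure terminal <cr>
Wed Jun 27 03:47:09 2001 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=5 service=shell priv-lvl=15 cmd=interface Loopback0 <cr>
Wed Jun 27 03:49:00 2001 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=1 service=shell elapsed_time=168
"""

if __name__ == "__main__":
    for level, cmds in sorted(commands_by_level(SAMPLE_LOG).items()):
        print(f"priv-lvl {level}: {cmds}")
    print("sessions:", len(session_records(SAMPLE_LOG)))
    print("levels with no command records:", levels_without_records(SAMPLE_LOG))
```

On the sample log the script shows `show version` accounted at level 1 and the two configuration commands at level 15, two session records for the EXEC start and stop, and level 0 as the only default level with no command records.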

  • AAA accounting strange issue

Hi guys, I'm facing this strange problem, kindly check the config below
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa accounting update periodic 1
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    tacacs-server host x.x.x.x key abcdse
    ip tacacs source-interface fas 0/0
Now everything was working fine but a strange issue has arisen: when I check the tacacs administration report it just shows me logs up to 4 rows and no more!!! For example, if I have done this configuration on the router
    config t
    int lo 0
    ip add 20.0.0.1 255.0.0.0
    int lo 1
    ip add 30.0.0.1 255.0.0.0
now when I check the accounting report (administration report) it just shows me the first 4 commands
    config t
    int lo 0
    ip add 20.0.0.1 255.0.0.0
    int lo 1
that's it!!! Why is this so?? Does anyone have any idea why this is happening?
    thanks

    I would use the following:
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting resource default start-stop group tacacs+
    aaa accounting resource default start-stop group tacacs+
    CCIE Security

• AAA accounting (commands information)

    hi,
Currently I am using aaa accounting for 3560 switches with the ACS 4.1 solution engine. I want to log the IOS commands entered. I have chosen the "cmd" and "cmd-arg" fields in the CSV and syslog (tacacs+ accounting); these fields are empty (..) when the CSV record is seen on the ACS server and syslog server. Can somebody tell me how I can log the commands entered after the authentication with ACS is successful?
    Regards
    Naresh

    Naresh,
    Command accounting only works with tacacs and not with radius. Make sure we are using tacacs.
Here are the commands you need on IOS
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 aaa-list start-stop group tacacs+
    aaa accounting commands 15 aaa-list start-stop group tacacs+
    These logs are stored in tacacs administration report, so make sure you are checking the correct head.
If it is still not working then check the ACS code. In case it is 4.1.1 then you need to apply patch 5 to fix it.
    To download patch for appliance,
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
    For windows
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
    Regards,
    ~JG
    Do rate helpful posts

  • Aaa authorization commands for pix 535

    Hi ,
    Can you provide aaa authorization commands for pix 535
    Sanjay Nalawade.

    Hi,
    Please find the AAA config for PIX.
    aaa-server TACACS+ protocol tacacs+
    max-failed-attempts 5
    aaa-server TACACS+ (ExranetFW-In) host
    timeout 5
    key ********
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication serial console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authorization command LOCAL
    aaa accounting command privilege 15 TACACS+
    aaa authorization exec authentication-server
    Karuppuchamy

  • AAA authorization commands

    Hi All
Probably I am going to ask a stupid question, but I am really confused regarding the purpose of the "aaa authorization commands x default local" command. I understand that if this command is configured, it authorizes each and every command of that level, but in my experience this command is not doing anything. The outcome is the same whether it is configured or not.
    Following is my aaa part config
username cisco privilege 15 secret cisco
    aaa new-model
    aaa authentication login default local enable
    aaa authorization exec default local if-authenticated
    aaa authorization commands 15 default local if-authenticated
Now whether I keep the last command or remove it, username "cisco" is able to use every level 15 command, so my question is, why should I bother configuring this command?
    Would really appreciate your quick reply
    Regards

Thanks a lot for your quick response. Really appreciate that.
So does this mean I can safely assume that if I am using the local database then I don't require the "aaa authorization command level" command??
That is, the following should be the config:
username cisco privilege 15 secret cisco
    aaa new-model
    aaa authentication login default local enable
    aaa authorization exec default local if-authenticated
    privilege exec level 15 show   (just an example)
    privilege exec level 15 debug
I have tested this and it worked fine without using "aaa authorization command level".
Moreover, regarding the use of an AAA server, my eventual plan is to use TACACS+ but before that, I wanted to get a good grip of AAA functionality and therefore started off with the local user database.
So you mean to say, if I am using TACACS+ for authentication and authorization purposes and in the ACS server user "cisco" has been assigned level 15 but with an authorization set of "show" and "debug" only, then by using "aaa authorization commands level" in a router I can successfully restrict user "cisco" to "debug" and "show" only? In my point of view, I can achieve this anyway (restricting the "cisco" user to only use "show" and "debug") without using "aaa authorization command level" (like I tested with the local database)??
Will really appreciate your kind response
