Aaa accounting for config-mode commands

Similar Messages

• AAA accounting for per-user data amount limit

  Hello,
  I don't have too much experience with AAA, and I want to implement the following:
  - I have a FreeRadius, ASR1001-X with IOS XE
  - I want to keep records of how many data is consumed by each user
  Any suggestion will be welcome.
  Thank you.

  Just for information i post these links
  1. http://www.linuxquestions.org/questions … er-715490/
  2. http://www.linuxquestions.org/questions … ge-617928/
  3. http://www.linuxquestions.org/questions … asis-8674/

• Command accounting for SNMP config

  We can use TACACS+ and ACS to do the command accounting for EXEC shell commands executed. But what abount configuration changed by SNMP set? How to find out which OIDs set by NMS tools?
  Thanks!

  Well radius accounting is supported on ACS so if your aaa client is accounting the commands, then they will appear on ACS without problem.

• AAA accounting of Lan-to-Lan VPN connections on a 3005 Concentrator

  Hello all,
  I am trying to do AAA accounting for the Lan-to-Lan connections on a 3005 VPN concentrator. It does not seem to work. For incoming VPN client connections, it's working ok, I see the 3005 sending accounting data to our radius server. But nothig is sent for Lan-to-Lan connections.
  Any ideas ? Is this not supported on the 3005 ?
  Thanks,
  Stefan

  Ok, I have updated the image and now I can access all the SNMP info that was not there before. As before, no AAA data is sent for Lan-to-Lan connections and you only have access to current connection info via SNMP. So no historical data. But still, I can make a script that posts on a webpage the current connections, so people with no access to the concentrator can see it.
  I see something weird tho, the snmpwalk is very slow. If I try to walk the interfaces.ifTable for example, it's very slow, one line every second. Must be something from the concentrator because the same snmpwalk on another router is very fast. Walking through the active vpn list takes longer than walking through the whole snmp tree on another router.
  I only found something about SNMP reuqests queued ... but that didn't help. Any idea how I can speed up the snmp replies ?
  Thanks,
  Stefan

• Enable aaa accounting commands for all privilege levels?

  Here is the command's syntax:
  aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
  The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
  Take the following example:
  aaa accounting commands 15 default start-stop group mygroup
  If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
  How can I log all commands regardless of privilege level?

  Hi Red,
  If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
  The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
  You can find the command detail at. This is for ASA though.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Question about usage of aaa accounting commands

  Hi everyone,
  I have the problem that Cisco routers and switches do not send some accounting command
  information to ACS.
  Accounting commands do not send to ACS are "show log" and "show version".
  Accounting commands send to ACS are "show runn", "conf t" and "debug"
  The configuration of routers and switches is the following
  aaa new-model
  aaa authentication login default group tacacs+ line
  aaa authorization commands 15 default group tacacs+ none
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  tacacs-server host xxx.xxx.xxx.xxx key yyyy
  I think the commands do not send to ACS are privilege level 1 command and the commands
  send to ACS are privilege level 15 command.
  So I need to additional aaa accounting command below to get routers and switches send level 1
  command to ACS, because the "15" of "aaa accounting commands 15" does not include level 1
  so need to configure "aaa accounting commands 1" for level 1 commands.
  aaa accounting commands 1 default start-stop group tacacs+
  Is my understanding correct ?
  Your information would be greatly appreciated.
  Best regards,

  Hi,
  plese do this and the router will send
  everything to the ACS server, except
  whatever you are doing to the router in http:
  aaa new-model
  aaa authentication login notac none
  aaa authentication login VTY group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec notac none
  aaa authorization exec VTY group tacacs+ if-authenticated none
  aaa authorization commands 0 VTY group tacacs+ if-authenticated none
  aaa authorization commands 1 VTY group tacacs+ if-authenticated none
  aaa authorization commands 15 VTY group tacacs+ if-authenticated none
  aaa authorization network VTY group tacacs+ if-authenticated none
  aaa accounting exec VTY start-stop group tacacs+
  aaa accounting commands 0 VTY start-stop group tacacs+
  aaa accounting commands 1 VTY start-stop group tacacs+
  aaa accounting commands 15 VTY start-stop group tacacs+
  aaa accounting network VTY start-stop group tacacs+
  aaa accounting connection VTY start-stop group tacacs+
  aaa session-id common
  ip http authentication aaa login-authentication VTY
  ip http authentication aaa exec-authorization VTY
  tacacs-server host 192.168.15.10 key 7 1446405858517C
  tacacs-server directed-request
  line con 0
  exec-timeout 0 0
  authorization exec notac
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  logging synchronous
  login authentication notac
  line aux 0
  session-timeout 35791
  exec-timeout 35791 23
  authorization exec notac
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  login authentication notac
  transport input all
  line vty 0
  exec-timeout 0 0
  authorization commands 0 VTY
  authorization commands 1 VTY
  authorization commands 15 VTY
  authorization exec VTY
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  login authentication VTY
  David
  CCIE Security

• Missing aaa accounting commands

  Hi,
  I might be being REALLY STUPID, but I am trying to config a 12.3 IOS router to send command accounting records to an ACS 3.3 server via RADIUS.
  When a input the 'aaa accounting commands 15 default group radius' command, it is accepted by the router, but show the config, and its not there. This is the same for all command levels. This router is logging VoIP accounting records too, to the same RADIUS box, without problems.
  Have I missed somthing about setting up AAA ?
  Grateful for any help!
  Thanks
  Pete Moore

  Even if IOS did support it, the format of any RADIUS cmd accounting will be inferior for a couple of reasons
  1) The ACS TACACS+ reports are totally geared up for this with pre-defined columns for each T+ attrbute.
  2) ACS has a dedicated cmd accounting report which splits out cmds from sessions
  3) To package in RADIUS, IOS would have to create many cisco-av-pair VSA instances. In the RADIUS accounting logs these will all be compressed into a single column of the format
  "attr1=value1;attr2=value2;..."
  Depending on what you want to do with the data this format is quite restrictive.
  My advice is to enable TACACS+
  Darran

• Question on AAA accounting command?

  Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?

  jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
  You will not even see an option for radius.
  jkatyel(config)#aaa accounting commands 15 default start-stop gr
  jkatyel(config)#aaa accounting commands 15 default start-stop group ?
    WORD     Server-group name
    tacacs+  Use list of all Tacacs+ hosts.
  Accounting supported by radius
  https://tools.ietf.org/html/rfc2866
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• AAA Accounting Commands

  I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?
  I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.
  Thanks, Rick

  Give extraxi aaa-reports! a try (free trial version available)
  We offer loads of great canned reports for device admin.. and more importantly you can filter out stuff you dont want during import.
  Once the CSVs are imported we also have a visual query builder for drilling down into your data - with the results exportable to word/excel/html etc.
  Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance)
  We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"
  Darran

• Does "aaa accounting commands" not support radius?

  When I issue this command:
  aaa accounting commands 15 default start-stop group myradiusgroup
  I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
  No where in the documentation could I find anything saying the "commmands" accounting type is only available to tacacs+. Does aaa not support this accounting type for radius?

  Hi Red,
  The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Aaa accounting commands levels

  Hello,
  I am confused on aaa accounting. If I wish to account all commands and the levels I have configured are say 5 and 15, do I need to include level 0 in my aaa accounting commands?

  Hello,
  By default on IOS devices we have three commands distributed over three privilege levels i.e.,
  Level 0
  Level 1, and
  Level 15.
  If you explicitly donot change the privilege level of command(s), then only commands that you require to enter in an IOS device to monitor all commands executed over device is:
  aaa accounting commands 0 default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  I have defined TACACS+ as the as the accounting server, as it jells best for adminstrative purposes i.e. Shell Command authorization
  Let me know if this clarifies your doubt :)

• CSU Rev 2.3.6(2) - deny key commands in IOS config mode

  I want to deny certain commands to certain users in a group. I have defined the following on the ACS.
  service = shell{
  default cmd=permit
  default attribute=permit
  cmd=configure{
  deny="no ip routing"
  deny="no router isis"
  permit=""
  This logic does not work.
  1. Does CSU support command authorization within config mode?
  2. Any tips?
  Thanx,
  Kenny

  You are not alone with issues related to the e1000e (but all they concluded was that reloading the module makes it work again):
  https://bbs.archlinux.org/viewtopic.php?id=145564
  It seems like this is more your issue:
  http://permalink.gmane.org/gmane.linux. … devel/8932
  But if none of those boot flags work for you, then there's not much you can do, and you'll have to write a script to reload the module each time after initial boot finishes I guess until the module gets fixed.
  Also, power management of the PCIe interface causes the e1000e to shut off after a while as well (lots of people on CentOS noticing this):
  http://serverfault.com/questions/226319 … ie-aspm-do
  So you can use that boot parameter to stop that from happening, if that becomes an issue for you as well.

• Service accounts for the Workspace Database service permission Error while creating Tabular Mode from PowerPivot

  Hi All,
  Please help me out against this issue. I have spent so much (3 working days) time just figuring out what is the issue and its solution.
  I am learning Tabular Mode and trying to create a mode based on PowerPivot model. I am getting following error message:
  'The PowerPivot workbook could not be imported. The service account for the workspace database server does not have permission to read from the PowerPivot workbook.'
  Here is my infrastructure:
  1. SSAS in Tabular Mode is installed on my Windows 8 Laptop
  2. PowerPivot is also in my laptop
  3. There is only my account (as Admin of course) for SSAS
  Here are my questions:
  1. What is this error and how can I cope with that? A step by step explanation would be highly appreciated :-)
  2. Do I need to change something in Windows settings or in SSAS?
  3. I am confused about my workspace database server as well, Do I have to install SSAS twice; one for development and one for workspace?
   Looking forward for the expert advise.
  Tahir
  Thanks, TA

  Hi,
  I suspect you might have more luck if you try the SSAS forum: http://social.msdn.microsoft.com/Forums/sqlserver/en-US/home?forum=sqlanalysisservices
  Regards
  Jamie
  ObjectStorageHelper<T> – A WinRT utility for Windows 8 |
  http://sqlblog.com/blogs/jamie_thomson/ |
  @jamiet |
  About me

• How can I set default values for Allocate Mode in AO config?

  Hi, How can I set default values for allocate mode in AO config. To be specific, in the attached vi, I need to set the Allocate Mode in AO Config to 'Use FIFO Memory (6)' if the value inside my case structure is false and to 'no change (0)' if the value inside the case strusture is true.
  Solved!
  Go to Solution.
  Attachments:
  generateWaveformFIFO.vi ‏15 KB

  Create two constants for the Allocate Mode input (right click > create > constant). Place one in the true case of the case structure, and place the other one in the false case. Wire them to the same tunnel (border of the case structure), then wire the tunnel to the Allocate Mode terminal of the AO Config. I don't have Traditional DAQ installed, but that should do it.
  Misha

• Command for:  Access Mode for Result Set

  Hi
  Does anyone know if there is a command for "Access Mode for Result Set". 
  The default view for my characteristic in my query is "Characteristic Relationships".
  I would like to have a command button for the user to be able to change the access mode to "Posted Values"
  I have searched through all the commands but was unable to find this command.
  OR if it is not available does anyone know the XHTML that I could enter into the web template.
  Thanks in advance.
  Ian

  Hi
  Does anyone know if there is a command for "Access Mode for Result Set". 
  The default view for my characteristic in my query is "Characteristic Relationships".
  I would like to have a command button for the user to be able to change the access mode to "Posted Values"
  I have searched through all the commands but was unable to find this command.
  OR if it is not available does anyone know the XHTML that I could enter into the web template.
  Thanks in advance.
  Ian