AAA Accounting problems
I have questions regarding the aaa accounting of NX-OS. In N7K and N5K is not done the accounting of show commands, only the config command's. Unlike the IOS. Is there any way to enable accounting of show commands as well?
Another question is related to the Nexus 1000V, which only supports PAP or MSCHAP. Does not support the command "aaa authentication login ascii-authentication". Is there way to enable? Or is it some restriction.
Larry,
1) Please set up enable authentication to get the actual user name,
aaa authentication enable console tacacs-auth LOCAL
On ACS user setup you need to set up tacacs+ enable password.
3) Since you have defined both server for authentication and accounting ie 219 and 218 it is sending accounting to 218, as it is also defined as accounting server and firewall it active.
Use only
aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
Now auth should go to 218 and acc to 219.
Regards,
~JG
Do rate helpful posts
Similar Messages
-
Question about usage of aaa accounting commands
Hi everyone,
I have the problem that Cisco routers and switches do not send some accounting command
information to ACS.
Accounting commands do not send to ACS are "show log" and "show version".
Accounting commands send to ACS are "show runn", "conf t" and "debug"
The configuration of routers and switches is the following
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands do not send to ACS are privilege level 1 command and the commands
send to ACS are privilege level 15 command.
So I need to additional aaa accounting command below to get routers and switches send level 1
command to ACS, because the "15" of "aaa accounting commands 15" does not include level 1
so need to configure "aaa accounting commands 1" for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct ?
Your information would be greatly appreciated.
Best regards,Hi,
plese do this and the router will send
everything to the ACS server, except
whatever you are doing to the router in http:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line aux 0
session-timeout 35791
exec-timeout 35791 23
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication notac
transport input all
line vty 0
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
David
CCIE Security -
Missing aaa accounting commands
Hi,
I might be being REALLY STUPID, but I am trying to config a 12.3 IOS router to send command accounting records to an ACS 3.3 server via RADIUS.
When a input the 'aaa accounting commands 15 default group radius' command, it is accepted by the router, but show the config, and its not there. This is the same for all command levels. This router is logging VoIP accounting records too, to the same RADIUS box, without problems.
Have I missed somthing about setting up AAA ?
Grateful for any help!
Thanks
Pete MooreEven if IOS did support it, the format of any RADIUS cmd accounting will be inferior for a couple of reasons
1) The ACS TACACS+ reports are totally geared up for this with pre-defined columns for each T+ attrbute.
2) ACS has a dedicated cmd accounting report which splits out cmds from sessions
3) To package in RADIUS, IOS would have to create many cisco-av-pair VSA instances. In the RADIUS accounting logs these will all be compressed into a single column of the format
"attr1=value1;attr2=value2;..."
Depending on what you want to do with the data this format is quite restrictive.
My advice is to enable TACACS+
Darran -
3640 RAS aaa accounting on IAS Server
Hi gentlemen,
I have configured aaa accounting on Cisco 3640 RAS and I need collect the aaa remote user time connections (start and end time connections) for time management cost.
Accounting information received on IAS seems to be only from start remote connection and never to stop connection.
I don't know if the problem is on 3640 configuration or on IAS configuration, but I would undertood if my configuration is correct.
I send RAS config file to you.
Many Thank in advance,
LucaLuca
I have looked at the config that you posted and I believe that I see an issue. You have configured accounting for DIALER with this method list:
aaa accounting network DIALER start-stop group radius
I would expect to see the method list DIALER accounting referenced under interfaces Serial1/0:15, interface Virtual-Template1, and interface Group-Async10. I suggest that you add:
ppp accounting DIALER
under these interfaces and let us know if it helps.
HTH
Rick -
hi guys , i m facing this strange problem kindly check the config below
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x key abcdse
ip tacacs source-interface fas 0/0
now everything was working fine but a strange issue has been arrised, when i check the tacacs administration report it just shows me log upto 4 rows and no more !!! like see if i have done this configuration on router
config t
int lo 0
ip add 20.0.0.1 255.0.0.0
int lo 1
ip add 30.0.0.1 255.0.0.0
now when i check the accouting report ( administration report ) it just shows me the first 4 commands
config t
int lo 0
ip add 20.0.0.1 255.0.0.0
int lo 1
thats it !!! why is this so ?? any 1 has any idea why is this happening
thanksI would use the following:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting resource default start-stop group tacacs+
aaa accounting resource default start-stop group tacacs+
CCIE Security -
Hi,
I have problem authenticating ciscoworks 3.2 to Cisco Nexus, i get this log
" %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ciscow from x.x.x.x - login[4857] "
I am using snmp v2.
I have also notice that nexus does not except symboles in the community string, why ?
thankshi, i was checking the logs on nexus and i found
2011 Apr 25 07:34:53 test %SYSLOG-3-SYSTEM_MSG: Syslog could not be send to server(172.16.1.1) : No such file or directory
What does it mean? in acs i can see that it is not authenticating
Date
Time Message-Type User-Name Group-Name Caller-ID Network Access Profile Name Authen-Failure-Code Author-Failure-Code Author-Data NAS-Port NAS-IP-Address Filter Information PEAP/EAP-FAST-Clear-Name EAP Type EAP Type Name Reason Access Device Network Device Group
04/24/2011
10:27:29
Authen failed
ciscow
Network Group
172.16.1.1
(Default)
CS password invalid
3002
172.16.1.232
test
pool
but i am able to use my username and password which is configured on acs server ( i am able to login to nexus using my credentials from acs server)
o/p of some show commands
test# sh aaa accounting
default: group ACS
test# sh aaa authentication
default: group ACS
console: group ACS
test# sh aaa authorization
pki-ssh-cert: local
pki-ssh-pubkey: local
AAA command authorization:
test# sh aaa groups
radius
ACS
show run
tacacs-server key 7 "xxxx"
tacacs-server host 172.16.1.230 key 7 "xxxx"
aaa group server tacacs+ ACS
server 172.16.1.230
source-interface Vlan1
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
tacacs-server directed-request
logging server 172.16.1.1
logging server 172.16.1.230
i hope this will help u to identify my issue
thanks -
I have a customer with Cat6500 and WLSM running WDS. The APs and dot1x clients can authenticate with the ACS server. However, we cannot get any accounting information. We have tried configuring the WLSM with the following commands:
aaa accounting network default start-stop group ClientDevices
aaa accounting resource default start-stop group ClientDevices
aaa accounting auth-proxy default start-stop group ClientDevices
but none of these work. Devices are running the following code:
Cat6500/Sup720 - 12.2(18)SXD5
WLSM - 12.3(4)JA
1200APs - 12.3(7)JA2
Any assistance would be greatly appreciated.
TraceyI set this up in the lab using an AP as the WDS and got the same problem; authentication logs but no accounting logs. Here are excerpts from the configs:
AP:
no aaa new-model
dot11 ssid eduroam
vlan 1800
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
mobility network-id 180
wlccp ap username xxxx password xxxx
wlccp ap wds ip address 172.30.2.174
WLSM:
aaa new-model
aaa group server radius AccessPoints
server 130.x.x.139 auth-port 1645 acct-port 1646
aaa group server radius ClientDevices
server 130.x.x.32 auth-port 1812 acct-port 1813
aaa authentication login Leap-devices group AccessPoints
aaa authentication login client-authentication group ClientDevices
aaa session-id common
radius-server host 130.x.x.32 auth-port 1812 acct-port 1813 key 7
radius-server host 130.209.13.139 auth-port 1645 acct-port 1646 key 7
wlccp authentication-server infrastructure Leap-devices
wlccp authentication-server client any client-authentication
wlccp wds interface Ethernet0/0.2
wlccp wnm ip address 172.20.18.58
The WLSM currently does not have any aaa accounting config. The following commands have been tried with no success:
aaa accounting network default start-stop group ClientDevices
aaa accounting resource default start-stop group ClientDevices
aaa accounting auth-proxy default start-stop group ClientDevices
Thanks for your help.
Tracey -
Accounting problem with CISCO 5200
Hello!
I have CISCO 5200 with the following config:
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting network default start-stop radius
Also, I have radius server (freeradius) connected with SQL database.
Alive-packets (from cisco) don't include information about sent/received bytes (AcctInputOctects/AcctOutputOctets), however, the "Stop
records" include such information.
So, is it possible to enable AcctInputOctects/AcctOutputOctets in the alive-packets from CISCO 5200? How?
Sincerely Yours,
Axe SkyAxe Sky,
Could you help me with how you did your config on the freeradius server? I am currently trying to configure 802.1x port authentication on a 2950 but really have no idea were to start with the freeradius server. I have looked at the text files but not sure what to configure to make this work. Any help in this matter would be greatly appreciated. -
Missing Tunnel-Client-Endpoint attribute in AAA accounting from 2821
I am trying to optimise the detailed accounting records for VPN client connections on our system
but have noticed I am not receiving Tunnel-Client-Endpoint (attribute 66) in tunnel start accounting records from the router.
The VPN functionality works fine, this is just an accounting issue.
All other accouting attributes I need are received fine (times, username, VPN Framed IP, NAS identifier).
The system details are:
VPN server : Cisco 2821 with IOS 12.4(11)XW3
Tunnel type: VPDN, PPTP, MPPE 128bit, MS-CHAPv2
Accouting RADIUS: Microsoft Windows Server 2008 R2 NPS
I have used the same setup many times previously on various 2801, 2811, and 2911 platfroms with no issue (across v12 and v15 IOS).
Sending attribute 66 "Tunnel-Client-Endpoint" appeared to be standard for any tunnel setup, no config was require to send it.
Does anyone know a reason why this fairly standard tunnel RADIUS attribute is not being sent to us from the router in this case?
Example debug of tunnel start accounting message, showing that attribute 66 is not included in info sent to accouting server:
Jun 25 2013 14:55:13.591 AEST: RADIUS/ENCODE(0000061A):Orig. component type = VPDN
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Config NAS IP: 0.0.0.0
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): sending
Jun 25 2013 14:55:13.595 AEST: RADIUS/ENCODE: Best Local IP-Address 192.168.xxx.xxx for Radius-Server 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Send Accounting-Request to 192.168.xxx.xxx:1646 id 1646/220, len 184
Jun 25 2013 14:55:13.595 AEST: RADIUS: authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Session-Id [44] 10 "00000642"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Assignment-Id[82] 3 "1"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Server-Auth-I[91] 14 "********"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Tunnel-Connecti[68] 4 "44"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Framed-IP-Address [8] 6 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS: User-Name [1] 10 "*********"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Authentic [45] 6
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Status-Type [40] 6 Start [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port [5] 6 426
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID426"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Class [25] 46
Jun 25 2013 14:55:13.595 AEST: RADIUS: 69 89 04 FA 00 00 01 37 00 01 02 00 C0 A8 AC 01 [i??????7????????]
Jun 25 2013 14:55:13.595 AEST: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 6E 22 [??????????????n"]
Jun 25 2013 14:55:13.595 AEST: RADIUS: 2F A7 37 14 00 00 00 00 00 00 00 29 [/?7????????)]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Service-Type [6] 6 Framed [2]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-IP-Address [4] 6 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Delay-Time [41] 6 0
Jun 25 2013 14:55:13.691 AEST: RADIUS: Received from id 1646/220 192.168.xxx.xxx:1646, Accounting-response, len 20
Jun 25 2013 14:55:13.691 AEST: RADIUS: authenticator E8 EC 1C 30 D2 01 8E D8 - 15 10 09 5F 37 95 D4 25
Important config
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default local group radius
aaa authorization exec default local group radius
aaa authorization network default local group radius
aaa accounting delay-start
aaa accounting session-duration ntp-adjusted
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
interface Virtual-Template1
ip unnumbered Dialer1
ip nat inside
ip virtual-reassembly
peer default ip address pool VPN
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap-v2
ip local pool VPN 192.168.xxx.xxx 192.168.xxx.xxx
radius-server host 192.168.xxx.xxx auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxLarry,
1) Please set up enable authentication to get the actual user name,
aaa authentication enable console tacacs-auth LOCAL
On ACS user setup you need to set up tacacs+ enable password.
3) Since you have defined both server for authentication and accounting ie 219 and 218 it is sending accounting to 218, as it is also defined as accounting server and firewall it active.
Use only
aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
Now auth should go to 218 and acc to 219.
Regards,
~JG
Do rate helpful posts -
Hello,
Does anyone know if a WLC 5508 can tie into AAA accounting in order to enable departmental chargeback for WLAN services ? (keep track of usage by department, and charge accordingly)Thank you Nick. (It think you have answered another post of mine)
I feel like all I do is ask ask ask, I need to start answering ?'s ....maybe after a couple hundred posts will I know enough to be helpful -
Enable aaa accounting commands for all privilege levels?
Here is the command's syntax:
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
Take the following example:
aaa accounting commands 15 default start-stop group mygroup
If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
How can I log all commands regardless of privilege level?Hi Red,
If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
You can find the command detail at. This is for ASA though.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?
I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.
Thanks, RickGive extraxi aaa-reports! a try (free trial version available)
We offer loads of great canned reports for device admin.. and more importantly you can filter out stuff you dont want during import.
Once the CSVs are imported we also have a visual query builder for drilling down into your data - with the results exportable to word/excel/html etc.
Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance)
We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"
Darran -
AAA accounting on ASA 5510/ 8.4(1)
I have AAA accounting setup and working on my ASA 5510 running 8.4(1). I can account specific service based on TCP ports, etc. I want to do accounting for VPN use sessions for when users connect and disconnect from the VPN in the 5510. I found several docs online but the code syntax on how to do it seems to be obsolete in 8.4(1). Any help would be grearly appreciated.
Thanks much
MikeHello,
This is a very simple setup.
You may want to configure something like this
Hostname (config)# tunnel-group xxx type xxxx
Hostname (config)# tunnel-group xxx general-attributes
Hostname (config-tunnel-general)# accounting-server-group aaa_server
Please do not hesitate to contact me if you have any question.
Erick Delgado
AAA TEAM -
I noticed a forum regarding Caldav account problems for the Iphone, however, is there one for the Ipad? I have tried the suggestions of logging into my yahoo account, searching for my password under settings/mail/account, etc., and that has not worked. I have also gone into my calendar and unchecked my name as to unsync my calendar/caldav. I still cannot get into my Ipad, it has locked me out and asked for the Caldav account password. Does anyone have a solution for the iPad Caldav issue?
I noticed a forum regarding Caldav account problems for the Iphone, however, is there one for the Ipad? I have tried the suggestions of logging into my yahoo account, searching for my password under settings/mail/account, etc., and that has not worked. I have also gone into my calendar and unchecked my name as to unsync my calendar/caldav. I still cannot get into my Ipad, it has locked me out and asked for the Caldav account password. Does anyone have a solution for the iPad Caldav issue?
-
Question on AAA accounting command?
Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?
jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
You will not even see an option for radius.
jkatyel(config)#aaa accounting commands 15 default start-stop gr
jkatyel(config)#aaa accounting commands 15 default start-stop group ?
WORD Server-group name
tacacs+ Use list of all Tacacs+ hosts.
Accounting supported by radius
https://tools.ietf.org/html/rfc2866
Regards,
Jatin Katyal
*Do rate helpful posts*
Maybe you are looking for
-
Hi when i try to capture hdv footage from my sony hdr-hc9 THE APPLICATION QUITS It used to work but now.... My settings are 1080i60 Firewirebasic
-
Jdbc to file scenario - base mapping error
hello all, i am facing a similar issue discussed in this thread, Re: JDBC to FILE scenatio: How to map the resultSet? 1. i changed the document name and namespace 2. i checked for the occurence of the filed elements 3. i tried using the documentname
-
Problem in printing German characters
Hello Experts, We have one issue regarding printing of German characters. Issue : When an invoice is created an automatic printout is issued to printer and one is archived in Vf03 (path : invoice header data-> output -> edit -> diplay originals). In
-
Just got a new Apple TV. I wondered if I really need it as my TV (Samsung 6 series) already got music streaming and internet capabilities. While I succeeded to a) get music played from Itunes, b) viewing photos and b) watching Youtube videos (a + b w
-
Oracle9i Data Guard - Filtering for a Logical Standby DB?
Hello All 1) When using Oracle9i data guard with a logical standby database is it possible to "screen" the sql statements that are executed? For example if I don't want any "delete" commands to be replicated on the standby box can I filter them out?.