AAA Accounting 'wait-start' option
I am configuring aaa accounting on a Catalyst 3750 running 12.2(25)SEE, but do not have the wait-start option; I only have start-stop and stop-only. So I go to univercd and the wait-start option is in the IOS documentation for 12.0 and prior, but does not show up in documentation for 12.1 and beyond. I cannot find any evidence, however, that the option was removed in any documentation that I have found. So I use start-stop and continue configuring on other devices. Then, I get to a Cisco 2621 router running 12.2(5d), and it does have the wait-start option. Any ideas why it would be available on one and not the other? Is it a router/switch thing? Also, any idea why it disappears from the IOS documentation at version 12.1 and up, even though it shows as an option on a router with 12.2? Thanks.
As I understood it, each device group runs its own source train of IOS and it can all get a bit messy,
for example multiple implementations of 802.1x across the various device types.
A difference between routers and switches is not surprising to an old ex-Cisco hack.
Similar Messages
-
Missing Tunnel-Client-Endpoint attribute in AAA accounting from 2821
I am trying to optimise the detailed accounting records for VPN client connections on our system
but have noticed I am not receiving Tunnel-Client-Endpoint (attribute 66) in tunnel start accounting records from the router.
The VPN functionality works fine, this is just an accounting issue.
All other accounting attributes I need are received fine (times, username, VPN Framed IP, NAS identifier).
The system details are:
VPN server : Cisco 2821 with IOS 12.4(11)XW3
Tunnel type: VPDN, PPTP, MPPE 128bit, MS-CHAPv2
Accounting RADIUS: Microsoft Windows Server 2008 R2 NPS
I have used the same setup many times previously on various 2801, 2811, and 2911 platforms with no issue (across v12 and v15 IOS).
Sending attribute 66 "Tunnel-Client-Endpoint" appeared to be standard for any tunnel setup; no config was required to send it.
Does anyone know a reason why this fairly standard tunnel RADIUS attribute is not being sent to us from the router in this case?
Example debug of tunnel start accounting message, showing that attribute 66 is not included in info sent to accounting server:
Jun 25 2013 14:55:13.591 AEST: RADIUS/ENCODE(0000061A):Orig. component type = VPDN
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Config NAS IP: 0.0.0.0
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): sending
Jun 25 2013 14:55:13.595 AEST: RADIUS/ENCODE: Best Local IP-Address 192.168.xxx.xxx for Radius-Server 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Send Accounting-Request to 192.168.xxx.xxx:1646 id 1646/220, len 184
Jun 25 2013 14:55:13.595 AEST: RADIUS: authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Session-Id [44] 10 "00000642"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Assignment-Id[82] 3 "1"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Server-Auth-I[91] 14 "********"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Tunnel-Connecti[68] 4 "44"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Framed-IP-Address [8] 6 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS: User-Name [1] 10 "*********"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Authentic [45] 6
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Status-Type [40] 6 Start [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port [5] 6 426
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID426"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Class [25] 46
Jun 25 2013 14:55:13.595 AEST: RADIUS: 69 89 04 FA 00 00 01 37 00 01 02 00 C0 A8 AC 01 [i??????7????????]
Jun 25 2013 14:55:13.595 AEST: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 6E 22 [??????????????n"]
Jun 25 2013 14:55:13.595 AEST: RADIUS: 2F A7 37 14 00 00 00 00 00 00 00 29 [/?7????????)]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Service-Type [6] 6 Framed [2]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-IP-Address [4] 6 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Delay-Time [41] 6 0
Jun 25 2013 14:55:13.691 AEST: RADIUS: Received from id 1646/220 192.168.xxx.xxx:1646, Accounting-response, len 20
Jun 25 2013 14:55:13.691 AEST: RADIUS: authenticator E8 EC 1C 30 D2 01 8E D8 - 15 10 09 5F 37 95 D4 25
Important config
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default local group radius
aaa authorization exec default local group radius
aaa authorization network default local group radius
aaa accounting delay-start
aaa accounting session-duration ntp-adjusted
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
interface Virtual-Template1
ip unnumbered Dialer1
ip nat inside
ip virtual-reassembly
peer default ip address pool VPN
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap-v2
ip local pool VPN 192.168.xxx.xxx 192.168.xxx.xxx
radius-server host 192.168.xxx.xxx auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Larry,
1) Please set up enable authentication to get the actual user name,
aaa authentication enable console tacacs-auth LOCAL
On ACS user setup you need to set up tacacs+ enable password.
3) Since you have defined both servers for authentication and accounting, i.e. 219 and 218, it is sending accounting to 218, as it is also defined as an accounting server and the firewall has it active.
Use only
aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
Now auth should go to 218 and acc to 219.
Regards,
~JG
Do rate helpful posts -
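The tunnel-start debug output in the 2821 post above can be checked mechanically before blaming the router: RFC 2866 accounting packets carry a 20-byte header followed by the attributes, so if the per-attribute lengths IOS prints add up to the "len 184" on the Send line, the debug dump is complete and attribute 66 really is absent from the packet rather than hidden by the debug formatter. The following Python is an added example written for this page, not code from the post or from Cisco; it assumes only the attribute-line layout shown in the post, and its sample input is copied from that post with the timestamps dropped.

```python
"""Parse the attribute lines IOS prints under 'debug radius' for one
Accounting-Request, confirm the dump is complete, and list which expected
attributes are absent.

Added example for this page; not code from the original post or from Cisco.
It understands the 'RADIUS: <Name> [<num>] <len> <value>' lines and the
'Send Accounting-Request ... len N' summary line and nothing else."""
import re

# Sample copied from the post above (timestamps dropped, addresses masked
# there as xxx). The hex lines are the continuation of the Class attribute.
SAMPLE_DEBUG = """\
RADIUS(0000061A): Send Accounting-Request to 192.168.xxx.xxx:1646 id 1646/220, len 184
RADIUS: authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
RADIUS: Acct-Session-Id [44] 10 "00000642"
RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
RADIUS: Tunnel-Assignment-Id[82] 3 "1"
RADIUS: Tunnel-Server-Auth-I[91] 14 "********"
RADIUS: Acct-Tunnel-Connecti[68] 4 "44"
RADIUS: Framed-Protocol [7] 6 PPP [1]
RADIUS: Framed-IP-Address [8] 6 192.168.xxx.xxx
RADIUS: User-Name [1] 10 "*********"
RADIUS: Acct-Authentic [45] 6
RADIUS: Acct-Status-Type [40] 6 Start [1]
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 426
RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID426"
RADIUS: Class [25] 46
RADIUS: 69 89 04 FA 00 00 01 37 00 01 02 00 C0 A8 AC 01 [i??????7????????]
RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 6E 22 [??????????????n"]
RADIUS: 2F A7 37 14 00 00 00 00 00 00 00 29 [/?7????????)]
RADIUS: Service-Type [6] 6 Framed [2]
RADIUS: NAS-IP-Address [4] 6 192.168.xxx.xxx
RADIUS: Acct-Delay-Time [41] 6 0
"""

# Attribute line: name, [number], length, optional decoded value. IOS truncates
# long names and then drops the space before '[' (Tunnel-Server-Auth-I[91]).
ATTR_RE = re.compile(r'RADIUS:\s+([A-Za-z][\w-]*?)\s*\[(\d+)\]\s+(\d+)\s*(.*)$')
LEN_RE = re.compile(r'Send Accounting-Request\b.*\blen (\d+)')
RADIUS_HEADER_LEN = 20  # Code + Identifier + Length + Authenticator (RFC 2866)


def parse_attributes(debug_text):
    """Return one dict per attribute line, in packet order."""
    attrs = []
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            name, num, length, value = m.groups()
            attrs.append({'num': int(num), 'name': name,
                          'len': int(length), 'value': value.strip()})
    return attrs


def declared_length(debug_text):
    """Packet length IOS reports on the 'Send Accounting-Request' line."""
    m = LEN_RE.search(debug_text)
    return int(m.group(1)) if m else None


def computed_length(attrs):
    """Header plus the sum of the per-attribute lengths from the dump."""
    return RADIUS_HEADER_LEN + sum(a['len'] for a in attrs)


def dump_is_complete(debug_text):
    """True when the attribute lengths account for the whole packet, i.e. the
    debug output did not silently skip an attribute."""
    return computed_length(parse_attributes(debug_text)) == declared_length(debug_text)


def missing_attributes(debug_text, expected):
    """Attribute numbers in `expected` that the request did not carry."""
    present = {a['num'] for a in parse_attributes(debug_text)}
    return sorted(set(expected) - present)


if __name__ == '__main__':
    # 65 Tunnel-Medium-Type, 66 Tunnel-Client-Endpoint, 67 Tunnel-Server-Endpoint (RFC 2868)
    print('dump complete:', dump_is_complete(SAMPLE_DEBUG))
    print('missing:', missing_attributes(SAMPLE_DEBUG, {65, 66, 67}))
```

On the sample the dump is complete (20-byte header plus 164 bytes of attributes equals the reported 184) and 66 and 67 are reported missing, so the router is genuinely not encoding Tunnel-Client-Endpoint for this session; running the same check over a capture from one of the 2811/2911 routers that does send it narrows the difference to the platform or IOS release rather than the NPS side.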
Question on AAA accounting command?
Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?
jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
You will not even see an option for radius.
jkatyel(config)#aaa accounting commands 15 default start-stop gr
jkatyel(config)#aaa accounting commands 15 default start-stop group ?
WORD Server-group name
tacacs+ Use list of all Tacacs+ hosts.
Accounting supported by radius
https://tools.ietf.org/html/rfc2866
Regards,
Jatin Katyal
*Do rate helpful posts* -
Question about usage of aaa accounting commands
Hi everyone,
I have the problem that Cisco routers and switches do not send some accounting command
information to ACS.
Accounting commands not sent to ACS are "show log" and "show version".
Accounting commands sent to ACS are "show runn", "conf t" and "debug".
The configuration of routers and switches is the following
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands not sent to ACS are privilege level 1 commands and the commands
sent to ACS are privilege level 15 commands.
So I need the additional aaa accounting command below to get routers and switches to send level 1
commands to ACS, because the "15" of "aaa accounting commands 15" does not include level 1,
so I need to configure "aaa accounting commands 1" for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct ?
Your information would be greatly appreciated.
Best regards,
Hi,
please do this and the router will send
everything to the ACS server, except
whatever you are doing to the router in http:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line aux 0
session-timeout 35791
exec-timeout 35791 23
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication notac
transport input all
line vty 0
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
David
CCIE Security -
Hello,
Does anyone know if a WLC 5508 can tie into AAA accounting in order to enable departmental chargeback for WLAN services? (keep track of usage by department, and charge accordingly)
Thank you Nick. (I think you have answered another post of mine)
I feel like all I do is ask ask ask, I need to start answering ?'s... maybe after a couple hundred posts I will know enough to be helpful -
Enable aaa accounting commands for all privilege levels?
Here is the command's syntax:
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
Take the following example:
aaa accounting commands 15 default start-stop group mygroup
If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
How can I log all commands regardless of privilege level?
Hi Red,
If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
You can find the command detail at. This is for ASA though.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?
I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.
Thanks, Rick
Give extraxi aaa-reports! a try (free trial version available)
We offer loads of great canned reports for device admin, and more importantly you can filter out stuff you don't want during import.
Once the CSVs are imported we also have a visual query builder for drilling down into your data - with the results exportable to word/excel/html etc.
Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance)
We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"
Darran -
Does "aaa accounting commands" not support radius?
When I issue this command:
aaa accounting commands 15 default start-stop group myradiusgroup
I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
Nowhere in the documentation could I find anything saying the "commands" accounting type is only available to tacacs+. Does aaa not support this accounting type for radius?
Hi Red,
The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
3640 RAS aaa accounting on IAS Server
Hi gentlemen,
I have configured aaa accounting on Cisco 3640 RAS and I need collect the aaa remote user time connections (start and end time connections) for time management cost.
Accounting information received on IAS seems to be only from start remote connection and never to stop connection.
I don't know if the problem is on the 3640 configuration or on the IAS configuration, but I would like to understand if my configuration is correct.
I am sending the RAS config file to you.
Many thanks in advance,
Luca
Luca
I have looked at the config that you posted and I believe that I see an issue. You have configured accounting for DIALER with this method list:
aaa accounting network DIALER start-stop group radius
I would expect to see the method list DIALER accounting referenced under interfaces Serial1/0:15, interface Virtual-Template1, and interface Group-Async10. I suggest that you add:
ppp accounting DIALER
under these interfaces and let us know if it helps.
HTH
Rick -
Aaa accounting for config-mode commands
How to account commands entered in config-mode via TACACS+ ?
aaa accounting commands 15 default start-stop group tacacs+
does accounting for all commands in privilege level 15.
Best Regards
Carsten
Carsten
I am not clear what your question is. From the title I gather that you are looking for a way to have accounting records for commands entered in config mode. The answer to the question is to enable accounting for level 15 commands which include the config commands. All of which is included in your message. So what is the question?
If the question is how to get just the config commands without all the other level 15 commands I am not aware of any way to get just the config commands.
HTH
Rick -
Hi guys, I am facing this strange problem, kindly check the config below
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x key abcdse
ip tacacs source-interface fas 0/0
Now everything was working fine but a strange issue has arisen: when I check the tacacs administration report it just shows me the log up to 4 rows and no more!!! For example, if I have done this configuration on the router
config t
int lo 0
ip add 20.0.0.1 255.0.0.0
int lo 1
ip add 30.0.0.1 255.0.0.0
now when I check the accounting report (administration report) it just shows me the first 4 commands
config t
int lo 0
ip add 20.0.0.1 255.0.0.0
int lo 1
That's it!!! Why is this so?? Does anyone have any idea why this is happening?
thanks
I would use the following:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting resource default start-stop group tacacs+
CCIE Security -
I have an ASA5510 with aaa accounting configured to Microsoft IAS radius without authentication; the output is so confusing, more than 40 columns.
Is there a way to know the records, at least the essential ones: session-time, bytes-in, bytes-out?
thanks
Elie
thanks JG
there are 2 output options in IAS, DB format and IAS; the DB format does not show the IP addresses.
the IAS is like below
192.168.200.1,unknown,01/13/2008,00:00:06,IAS,ISA,5,0,14,193.227.177.130,16,53,40,1,44,10337B5E,4,192.168.200.1,4108,192.168.200.1,4116,9,4128,ASA5510,4154,ASA,5000,ip:source-port=1034,5000,ip:destination-port=53,5000,ip:source-ip=192.168.200.254,5000,ip:destination-ip=193.227.177.130,4136,4,4142,0
192.168.200.1,unknown,01/13/2008,00:00:06,IAS,ISA,5,0,14,193.227.177.130,16,53,40,2,42,270,43,35,44,10337B5E,46,0,49,0,4,192.168.200.1,4108,192.168.200.1,4116,9,4128,ASA5510,4154,ASA,5000,ip:source-port=1034,5000,ip:destination-port=53,5000,ip:source-ip=192.168.200.254,5000,ip:destination-ip=193.227.177.130,4136,4,4142,0
192.168.200.1,unknown,01/13/2008,00:00:26,IAS,ISA,5,0,14,192.168.1.252,16,1745,40,1,44,1A38FC26,4,192.168.200.1,4108,192.168.200.1,4116,9,4128,ASA5510,4154,ASA,5000,ip:source-port=4880,5000,ip:destination-port=1745,5000,ip:source-ip=192.168.200.53,5000,ip:destination-ip=192.168.1.252,4136,4,4142,0
192.168.200.1,unknown,01/13/2008,00:00:56,IAS,ISA,5,0,14,192.168.1.252,16,1745,40,2,42,0,43,0,44,1A38FC26,46,31,49,0,4,192.168.200.1,4108,192.168.200.1,4116,9,4128,ASA5510,4154,ASA,5000,ip:source-port=4880,5000,ip:destination-port=1745,5000,ip:source-ip=192.168.200.53,5000,ip:destination-ip=192.168.1.252,4136,4,4142,0
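The IAS-format lines above are not really 40 columns: the first six fields are fixed (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) and everything after them is attribute-number,value pairs, so the essential fields have to be located by RADIUS attribute number rather than by column position (40 Acct-Status-Type, 42 Acct-Input-Octets, 43 Acct-Output-Octets, 44 Acct-Session-Id, 46 Acct-Session-Time, 49 Acct-Terminate-Cause, and repeated 5000 entries for the Cisco AV pairs carrying the source and destination addresses). The following Python is an added example for this page, not code from the post or from Microsoft; it assumes that layout and that no value contains a comma, which holds for the four lines above, copied here as the sample input.

```python
"""Reduce Windows IAS/NPS 'IAS format' accounting lines to the few fields
that matter for usage reporting (status, session id, session time, octets).

Added example for this page, not code from the post. Assumes the IAS format:
six fixed leading fields, then attribute-number,value pairs, and that no
value contains a comma (true for the sample, which is copied from the post)."""
from collections import defaultdict

SAMPLE_IAS_LOG = """\
192.168.200.1,unknown,01/13/2008,00:00:06,IAS,ISA,5,0,14,193.227.177.130,16,53,40,1,44,10337B5E,4,192.168.200.1,4108,192.168.200.1,4116,9,4128,ASA5510,4154,ASA,5000,ip:source-port=1034,5000,ip:destination-port=53,5000,ip:source-ip=192.168.200.254,5000,ip:destination-ip=193.227.177.130,4136,4,4142,0
192.168.200.1,unknown,01/13/2008,00:00:06,IAS,ISA,5,0,14,193.227.177.130,16,53,40,2,42,270,43,35,44,10337B5E,46,0,49,0,4,192.168.200.1,4108,192.168.200.1,4116,9,4128,ASA5510,4154,ASA,5000,ip:source-port=1034,5000,ip:destination-port=53,5000,ip:source-ip=192.168.200.254,5000,ip:destination-ip=193.227.177.130,4136,4,4142,0
192.168.200.1,unknown,01/13/2008,00:00:26,IAS,ISA,5,0,14,192.168.1.252,16,1745,40,1,44,1A38FC26,4,192.168.200.1,4108,192.168.200.1,4116,9,4128,ASA5510,4154,ASA,5000,ip:source-port=4880,5000,ip:destination-port=1745,5000,ip:source-ip=192.168.200.53,5000,ip:destination-ip=192.168.1.252,4136,4,4142,0
192.168.200.1,unknown,01/13/2008,00:00:56,IAS,ISA,5,0,14,192.168.1.252,16,1745,40,2,42,0,43,0,44,1A38FC26,46,31,49,0,4,192.168.200.1,4108,192.168.200.1,4116,9,4128,ASA5510,4154,ASA,5000,ip:source-port=4880,5000,ip:destination-port=1745,5000,ip:source-ip=192.168.200.53,5000,ip:destination-ip=192.168.1.252,4136,4,4142,0
"""

HEADER = ('nas_ip', 'user', 'date', 'time', 'service', 'computer')
STATUS = {'1': 'Start', '2': 'Stop', '3': 'Interim-Update'}  # Acct-Status-Type (40)


def parse_ias_line(line):
    """One log line -> the six header fields plus {attribute_number: [values]}."""
    fields = line.strip().split(',')
    if len(fields) < len(HEADER) or (len(fields) - len(HEADER)) % 2:
        raise ValueError('malformed IAS line: ' + line)
    rec = dict(zip(HEADER, fields))
    attrs = defaultdict(list)  # repeated attributes (the 5000 AV pairs) keep every value
    pairs = fields[len(HEADER):]
    for num, val in zip(pairs[::2], pairs[1::2]):
        attrs[int(num)].append(val)
    rec['attrs'] = dict(attrs)
    return rec


def summarize_sessions(log_text):
    """Join Start and Stop records by Acct-Session-Id (44) into one dict per session."""
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_ias_line(line)
        a = rec['attrs']
        sid = a[44][0]
        s = sessions.setdefault(sid, {
            'session_id': sid, 'user': rec['user'], 'nas_ip': rec['nas_ip'],
            'av_pairs': a.get(5000, []),  # vendor AV pairs, e.g. ip:source-ip=...
        })
        status = STATUS.get(a.get(40, ['?'])[0], '?')
        when = rec['date'] + ' ' + rec['time']
        if status == 'Start':
            s['start'] = when
        elif status == 'Stop':
            s['stop'] = when
            s['session_time'] = int(a[46][0])  # seconds (Acct-Session-Time)
            s['bytes_in'] = int(a[42][0])      # Acct-Input-Octets
            s['bytes_out'] = int(a[43][0])     # Acct-Output-Octets
            s['terminate_cause'] = int(a[49][0])
    return sessions


def report_lines(sessions):
    """One line per session with only the essential columns the post asks for."""
    out = []
    for s in sessions.values():
        out.append('%s user=%s start=%s stop=%s secs=%s in=%s out=%s' % (
            s['session_id'], s['user'], s.get('start', '-'), s.get('stop', '-'),
            s.get('session_time', '-'), s.get('bytes_in', '-'), s.get('bytes_out', '-')))
    return out


if __name__ == '__main__':
    for line in report_lines(summarize_sessions(SAMPLE_IAS_LOG)):
        print(line)
```

Keying on Acct-Session-Id rather than on line order is what makes this robust when Start and Stop records for different sessions interleave, as they do in the third and fourth lines; the source and destination addresses the DB format loses survive in the collected 5000 AV pairs.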