AAA accouting (commands information)
hi,
Currently i am using aaa accouting for 3560 switches with ACS4.1 solution engine. I want to log the IOS commands entered. I have chosen the "cmd" and "cmd-arg" field in the CSV and syslog (tacacs+ accounting), these field are empty (..) when the csv record is seen on the ACS server and syslog server. Can some body tell how i can log the commands entered after the authentication with ACS is successful.
Regards
Naresh
Naresh,
Command accounting only works with tacacs and not with radius. Make sure we are using tacacs.
Here are the command you need on IOS
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 aaa-list start-stop group tacacs+
aaa accounting commands 15 aaa-list start-stop group tacacs+
These logs are stored in tacacs administration report, so make sure you are checking the correct head.
Still it is not working then check acs code. Incase it is 4.1.1 then you need to apply patch 5 to fix it.
To download patch for appliance,
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
For windows
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Regards,
~JG
Do rate helpful posts
Similar Messages
-
Question about usage of aaa accounting commands
Hi everyone,
I have the problem that Cisco routers and switches do not send some accounting command
information to ACS.
Accounting commands do not send to ACS are "show log" and "show version".
Accounting commands send to ACS are "show runn", "conf t" and "debug"
The configuration of routers and switches is the following
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands do not send to ACS are privilege level 1 command and the commands
send to ACS are privilege level 15 command.
So I need to additional aaa accounting command below to get routers and switches send level 1
command to ACS, because the "15" of "aaa accounting commands 15" does not include level 1
so need to configure "aaa accounting commands 1" for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct ?
Your information would be greatly appreciated.
Best regards,Hi,
plese do this and the router will send
everything to the ACS server, except
whatever you are doing to the router in http:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line aux 0
session-timeout 35791
exec-timeout 35791 23
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication notac
transport input all
line vty 0
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
David
CCIE Security -
Sending AAA accouting log records to multiple AAA servers
IOS version c3640-a3jk9s-mz.123-18.bin
aaa group server tacacs+ cciesec
server 192.168.3.10
aaa group server tacacs+ ccievoice
server 192.168.3.11
aaa authentication login VTY group cciesec local
aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 0 cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 1 cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 15 cciesec start-stop broadcast group cciesec group ccievoice
tacacs-server host 192.168.3.10 key 123456
tacacs-server host 192.168.3.11 key 123456
C3640#sh tacacs
Tacacs+ Server : 192.168.3.10/49
Socket opens: 8
Socket closes: 8
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 21
Total Packets Recv: 21
Tacacs+ Server : 192.168.3.11/49
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
C3640#
As you can see, I can receive AAA accounting logs on server 192.168.3.10 but I am not getting logs on 192.168.3.11. I can confirm this with
tcpdump on host 192.168.3.11 and that I am not seeing any sent AAA to host 192.168.3.11.
Anyone know why?http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/dt_aaaba.html
It stated the following:
"Before the introduction of the AAA Broadcast Accounting feature, Cisco IOS AAA could send accounting information to only one server at a time. This feature allows accounting information to be sent to one or more AAA servers at the same time. Service providers are thus able to simultaneously send accounting information to their own private AAA servers and to the AAA servers of their end customers. This feature also provides redundant billing information for voice applications." -
Missing aaa accounting commands
Hi,
I might be being REALLY STUPID, but I am trying to config a 12.3 IOS router to send command accounting records to an ACS 3.3 server via RADIUS.
When a input the 'aaa accounting commands 15 default group radius' command, it is accepted by the router, but show the config, and its not there. This is the same for all command levels. This router is logging VoIP accounting records too, to the same RADIUS box, without problems.
Have I missed somthing about setting up AAA ?
Grateful for any help!
Thanks
Pete MooreEven if IOS did support it, the format of any RADIUS cmd accounting will be inferior for a couple of reasons
1) The ACS TACACS+ reports are totally geared up for this with pre-defined columns for each T+ attrbute.
2) ACS has a dedicated cmd accounting report which splits out cmds from sessions
3) To package in RADIUS, IOS would have to create many cisco-av-pair VSA instances. In the RADIUS accounting logs these will all be compressed into a single column of the format
"attr1=value1;attr2=value2;..."
Depending on what you want to do with the data this format is quite restrictive.
My advice is to enable TACACS+
Darran -
Enable aaa accounting commands for all privilege levels?
Here is the command's syntax:
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
Take the following example:
aaa accounting commands 15 default start-stop group mygroup
If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
How can I log all commands regardless of privilege level?Hi Red,
If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
You can find the command detail at. This is for ASA though.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?
I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.
Thanks, RickGive extraxi aaa-reports! a try (free trial version available)
We offer loads of great canned reports for device admin.. and more importantly you can filter out stuff you dont want during import.
Once the CSVs are imported we also have a visual query builder for drilling down into your data - with the results exportable to word/excel/html etc.
Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance)
We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"
Darran -
Question on AAA accounting command?
Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?
jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
You will not even see an option for radius.
jkatyel(config)#aaa accounting commands 15 default start-stop gr
jkatyel(config)#aaa accounting commands 15 default start-stop group ?
WORD Server-group name
tacacs+ Use list of all Tacacs+ hosts.
Accounting supported by radius
https://tools.ietf.org/html/rfc2866
Regards,
Jatin Katyal
*Do rate helpful posts* -
Does "aaa accounting commands" not support radius?
When I issue this command:
aaa accounting commands 15 default start-stop group myradiusgroup
I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
No where in the documentation could I find anything saying the "commmands" accounting type is only available to tacacs+. Does aaa not support this accounting type for radius?Hi Red,
The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
Aaa accounting commands levels
Hello,
I am confused on aaa accounting. If I wish to account all commands and the levels I have configured are say 5 and 15, do I need to include level 0 in my aaa accounting commands?Hello,
By default on IOS devices we have three commands distributed over three privilege levels i.e.,
Level 0
Level 1, and
Level 15.
If you explicitly donot change the privilege level of command(s), then only commands that you require to enter in an IOS device to monitor all commands executed over device is:
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
I have defined TACACS+ as the as the accounting server, as it jells best for adminstrative purposes i.e. Shell Command authorization
Let me know if this clarifies your doubt :) -
Aaa authorization commands for pix 535
Hi ,
Can you provide aaa authorization commands for pix 535
Sanjay Nalawade.Hi,
Please find the AAA config for PIX.
aaa-server TACACS+ protocol tacacs+
max-failed-attempts 5
aaa-server TACACS+ (ExranetFW-In) host
timeout 5
key ********
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command LOCAL
aaa accounting command privilege 15 TACACS+
aaa authorization exec authentication-server
Karuppuchamy -
Hi All
Probably i am going to ask a stupid question but i am really confused regarding the purpose of "aaa authorization commands x default local" command. I understand that if this command is configured, it authorizes each and every command of that level but in my experience, this command is not doing anything. The outcome is same whether it is configured or not.
Following is my aaa part config
username cisco privilege 15 secret cisco
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local if-authenticated
aaa authorization commands 15 default local if-authenticated
Now whether i keep the last command or remove it, username "cisco" is able to use every level 15 command so my question is, why i bother configuring this command?
Would really appreciate your quick reply
RegardsThanx a lot for your quick response. Really appreciate that.
So does this mean, can i safely assume that if i am using local database then i don't require "aaa authorization command level" command??
that is following should be the config
username cisco privilege 15 secret cisco
aaa new-model
aaa authentication login default local enable
aaa authorization exec default local if-authenticated
privilege exec level 15 show (just an example)
privilege exec level 15 debug
I have tested this and it worked fine without using "aaa authorization command level"
Moreover, regarding the use of AAA server, my eventual plan is to use TACACS+ but before that, i wanted to get a good grip of AAA functionality and therefore started off with local user database.
So u mean to say, if i am using TACACS+ for authentication and authorization purposes and in ACS Server, user "cisco" has been assigned level 15 but with authorization set of "show" and "debug" only then by using "aaa authorization commands level" in a router, i can successfully restrict user "cisco" to "debug" and "show" only? In my point of view, i can achieve this anyway (restricting "cisco" user to only use "show and debug) without using "aaa authorization command level" (like i tested with local database)??
will really appreciate your kind response -
Exclude specific user from aaa authorization commands
Hi there,
I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.
We use an AAA setup with Cisco ACS. On the devices we use:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
is it possible, to exclude an user, say User1, from being command authorized?
In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.
We tried this with method lists in combination with ACL's on the VTY's:
line VTY 0
access-class 1 in
line VTY 1
access-class 2 in
Let's say, User1 always logs in from a specific IP, which is mentioned in access-list 2, the switch would use the method mentioned within the line vty 1.
But apparently, when a remote connection is being established, the switch/router uses the first VTY which is available, instead of watching which ACL can be matched to the source IP from the User.
Does anyone have some tips/tricks how to handle this?
Maybe a custom attribute from the ACS?
Kind RegardsIf that user belongs to a unique group then you can write a policy where "if the user is in group x then return "access_reject" Or return "access_accept" but set the privilege level to "1" and block all commands.
Thank you for rating helpful posts! -
Hi!
I have issued the aaa authorization command tacacs on my asa, but the ACS is not letting me do any command now. I'm trying to issue the no
aaa authorization command tacacs, but it does not let me.
How can i rollback??
Please Help me
Tkx
MiguelWhat version of ACS are you running?
If you are running acs 4.x then you will have to go to your group settings and under shell command authorization permit all commands, if you are using acs 5, you will have to go to your authorization policy, click customize if the command set column isnt active already and assign the command set to allow all commands. I think by default there should be a permit all.
Thanks,
Tarik -
Configuring aaa local command authorization
i am a bit struggling with how to configure aaa local command authorization, i am not getting any material also for configuring it. Please tell me how to configure aaa local command authorization.. or possible give me some useful links for that..
Hi,
For aaa authorization command set.Kindly refer to link.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
I hope this help.Please rate this post.
cheers
Sachin -
AAA issue ( command authorization failed)
I am getting the issue, and following is the script , cannot find and locate the cause of error !
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hexxor
boot-start-marker
boot-end-marker
enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
enable password 7 0525112F05411F075231123E
username hexxor password 7 024D2A103F26243363593D1C2B5C
aaa new-model
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
interface Vlan1
no ip address
interface Vlan50
ip address 128.1.50.54 255.255.255.0
no ip route-cache
ip default-gateway 128.1.50.254
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging 10.241.40.20
logging 128.1.50.245
access-list 1 permit 128.1.50.245
snmp-server host 10.241.40.27 Armageddon
snmp-server host 128.1.50.245 Armageddon
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
tacacs-server directed-request
tacacs-server key 7 020813480E052F2E4D
line con 0
exec-timeout 5 0
password 7 1142374E2332201E2B3D1F210678
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport preferred none
line vty 0 4
exec-timeout 5 0
password 7 06281801684358174E231727
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport input telnet
transport output telnet
line vty 5 15
password 7 0228137B2F0B5E2F077A0C35
endBased on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
I would suggest this as a first test:
- login to the device.
- go into enabl mode.
- attempt the show run command. (I assume that it will fail)
- check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
If you want to do a second test to verify the cause of the problem then I would suggest this:
- remove from the config these lines
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
then login to the device, go into enable mode, attempt the show run command
Try one or both of these tests and post back to tell us of the results.
HTH
Rick
Maybe you are looking for
-
Update problems from 10.3.7.to 10.3.9
Because problems I was encountering with my CoreMidi, CoreAudio plug in, I was force to re-install the system. I used the system disk that came with my Mac Mini (10.3.7), and by accident I cleaned out the drive. Not a problem. The thing is I was runn
-
Auditors and PO Approval Limits
We are in process of an internal audit. One of the advance questions is regarding PO/PR approval limits in Oracle. The auditors have requested an Oracle Report detailing the Buyers Approval limits. I have not found a standard report. Would some one b
-
Std idoc matmas05 details in SAP
Hi, How to see the details (logic etc) in R/3 System for standard idoc MATMAS05 to prepare a FS to interface with external system. Please advise what should i mention in FS in this regard. thank you.
-
Database access only authentication mode don't access in windows mode.
Hi, I Had create new database in sql server authentication mode but don't access in windows mode how, only show authentication mode not show in windows mode .
-
Setting as wplus at next level failed?
Hi, we have a wlc 5508 with 100 AP support. we would like to enable the wplus software for officeextend function ? the 5508 is running on 7.0 software. when i try to activate the license it comes with an error " setting as wplus at next level failed