AAA accouting (commands information)

Similar Messages

• Question about usage of aaa accounting commands

  Hi everyone,
  I have the problem that Cisco routers and switches do not send some accounting command
  information to ACS.
  Accounting commands do not send to ACS are "show log" and "show version".
  Accounting commands send to ACS are "show runn", "conf t" and "debug"
  The configuration of routers and switches is the following
  aaa new-model
  aaa authentication login default group tacacs+ line
  aaa authorization commands 15 default group tacacs+ none
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  tacacs-server host xxx.xxx.xxx.xxx key yyyy
  I think the commands do not send to ACS are privilege level 1 command and the commands
  send to ACS are privilege level 15 command.
  So I need to additional aaa accounting command below to get routers and switches send level 1
  command to ACS, because the "15" of "aaa accounting commands 15" does not include level 1
  so need to configure "aaa accounting commands 1" for level 1 commands.
  aaa accounting commands 1 default start-stop group tacacs+
  Is my understanding correct ?
  Your information would be greatly appreciated.
  Best regards,

  Hi,
  plese do this and the router will send
  everything to the ACS server, except
  whatever you are doing to the router in http:
  aaa new-model
  aaa authentication login notac none
  aaa authentication login VTY group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec notac none
  aaa authorization exec VTY group tacacs+ if-authenticated none
  aaa authorization commands 0 VTY group tacacs+ if-authenticated none
  aaa authorization commands 1 VTY group tacacs+ if-authenticated none
  aaa authorization commands 15 VTY group tacacs+ if-authenticated none
  aaa authorization network VTY group tacacs+ if-authenticated none
  aaa accounting exec VTY start-stop group tacacs+
  aaa accounting commands 0 VTY start-stop group tacacs+
  aaa accounting commands 1 VTY start-stop group tacacs+
  aaa accounting commands 15 VTY start-stop group tacacs+
  aaa accounting network VTY start-stop group tacacs+
  aaa accounting connection VTY start-stop group tacacs+
  aaa session-id common
  ip http authentication aaa login-authentication VTY
  ip http authentication aaa exec-authorization VTY
  tacacs-server host 192.168.15.10 key 7 1446405858517C
  tacacs-server directed-request
  line con 0
  exec-timeout 0 0
  authorization exec notac
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  logging synchronous
  login authentication notac
  line aux 0
  session-timeout 35791
  exec-timeout 35791 23
  authorization exec notac
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  login authentication notac
  transport input all
  line vty 0
  exec-timeout 0 0
  authorization commands 0 VTY
  authorization commands 1 VTY
  authorization commands 15 VTY
  authorization exec VTY
  accounting commands 0 VTY
  accounting commands 1 VTY
  accounting commands 15 VTY
  accounting exec VTY
  login authentication VTY
  David
  CCIE Security

• Sending AAA accouting log records to multiple AAA servers

  IOS version c3640-a3jk9s-mz.123-18.bin
  aaa group server tacacs+ cciesec
  server 192.168.3.10
  aaa group server tacacs+ ccievoice
  server 192.168.3.11
  aaa authentication login VTY group cciesec local
  aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
  aaa accounting commands 0 cciesec start-stop broadcast group cciesec group ccievoice
  aaa accounting commands 1 cciesec start-stop broadcast group cciesec group ccievoice
  aaa accounting commands 15 cciesec start-stop broadcast group cciesec group ccievoice
  tacacs-server host 192.168.3.10 key 123456
  tacacs-server host 192.168.3.11 key 123456
  C3640#sh tacacs
  Tacacs+ Server : 192.168.3.10/49
  Socket opens: 8
  Socket closes: 8
  Socket aborts: 0
  Socket errors: 0
  Socket Timeouts: 0
  Failed Connect Attempts: 0
  Total Packets Sent: 21
  Total Packets Recv: 21
  Tacacs+ Server : 192.168.3.11/49
  Socket opens: 0
  Socket closes: 0
  Socket aborts: 0
  Socket errors: 0
  Socket Timeouts: 0
  Failed Connect Attempts: 0
  Total Packets Sent: 0
  Total Packets Recv: 0
  C3640#
  As you can see, I can receive AAA accounting logs on server 192.168.3.10 but I am not getting logs on 192.168.3.11. I can confirm this with
  tcpdump on host 192.168.3.11 and that I am not seeing any sent AAA to host 192.168.3.11.
  Anyone know why?

  http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/dt_aaaba.html
  It stated the following:
  "Before the introduction of the AAA Broadcast Accounting feature, Cisco IOS AAA could send accounting information to only one server at a time. This feature allows accounting information to be sent to one or more AAA servers at the same time. Service providers are thus able to simultaneously send accounting information to their own private AAA servers and to the AAA servers of their end customers. This feature also provides redundant billing information for voice applications."

• Missing aaa accounting commands

  Hi,
  I might be being REALLY STUPID, but I am trying to config a 12.3 IOS router to send command accounting records to an ACS 3.3 server via RADIUS.
  When a input the 'aaa accounting commands 15 default group radius' command, it is accepted by the router, but show the config, and its not there. This is the same for all command levels. This router is logging VoIP accounting records too, to the same RADIUS box, without problems.
  Have I missed somthing about setting up AAA ?
  Grateful for any help!
  Thanks
  Pete Moore

  Even if IOS did support it, the format of any RADIUS cmd accounting will be inferior for a couple of reasons
  1) The ACS TACACS+ reports are totally geared up for this with pre-defined columns for each T+ attrbute.
  2) ACS has a dedicated cmd accounting report which splits out cmds from sessions
  3) To package in RADIUS, IOS would have to create many cisco-av-pair VSA instances. In the RADIUS accounting logs these will all be compressed into a single column of the format
  "attr1=value1;attr2=value2;..."
  Depending on what you want to do with the data this format is quite restrictive.
  My advice is to enable TACACS+
  Darran

• Enable aaa accounting commands for all privilege levels?

  Here is the command's syntax:
  aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
  The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
  Take the following example:
  aaa accounting commands 15 default start-stop group mygroup
  If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
  How can I log all commands regardless of privilege level?

  Hi Red,
  If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
  The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
  You can find the command detail at. This is for ASA though.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• AAA Accounting Commands

  I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?
  I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.
  Thanks, Rick

  Give extraxi aaa-reports! a try (free trial version available)
  We offer loads of great canned reports for device admin.. and more importantly you can filter out stuff you dont want during import.
  Once the CSVs are imported we also have a visual query builder for drilling down into your data - with the results exportable to word/excel/html etc.
  Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance)
  We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"
  Darran

• Question on AAA accounting command?

  Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?

  jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
  You will not even see an option for radius.
  jkatyel(config)#aaa accounting commands 15 default start-stop gr
  jkatyel(config)#aaa accounting commands 15 default start-stop group ?
    WORD     Server-group name
    tacacs+  Use list of all Tacacs+ hosts.
  Accounting supported by radius
  https://tools.ietf.org/html/rfc2866
  Regards,
  Jatin Katyal
  *Do rate helpful posts*

• Does "aaa accounting commands" not support radius?

  When I issue this command:
  aaa accounting commands 15 default start-stop group myradiusgroup
  I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
  No where in the documentation could I find anything saying the "commmands" accounting type is only available to tacacs+. Does aaa not support this accounting type for radius?

  Hi Red,
  The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Aaa accounting commands levels

  Hello,
  I am confused on aaa accounting. If I wish to account all commands and the levels I have configured are say 5 and 15, do I need to include level 0 in my aaa accounting commands?

  Hello,
  By default on IOS devices we have three commands distributed over three privilege levels i.e.,
  Level 0
  Level 1, and
  Level 15.
  If you explicitly donot change the privilege level of command(s), then only commands that you require to enter in an IOS device to monitor all commands executed over device is:
  aaa accounting commands 0 default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  I have defined TACACS+ as the as the accounting server, as it jells best for adminstrative purposes i.e. Shell Command authorization
  Let me know if this clarifies your doubt :)

• Aaa authorization commands for pix 535

  Hi ,
  Can you provide aaa authorization commands for pix 535
  Sanjay Nalawade.

  Hi,
  Please find the AAA config for PIX.
  aaa-server TACACS+ protocol tacacs+
  max-failed-attempts 5
  aaa-server TACACS+ (ExranetFW-In) host
  timeout 5
  key ********
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication serial console TACACS+ LOCAL
  aaa authentication http console TACACS+ LOCAL
  aaa authentication ssh console TACACS+ LOCAL
  aaa authorization command LOCAL
  aaa accounting command privilege 15 TACACS+
  aaa authorization exec authentication-server
  Karuppuchamy

• AAA authorization commands

  Hi All
  Probably i am going to ask a stupid question but i am really confused regarding the purpose of "aaa authorization commands x default local" command. I understand that if this command is configured, it authorizes each and every command of that level but in my experience, this command is not doing anything. The outcome is same whether it is configured or not.
  Following is my aaa part config
  username cisco privilege 15 secret cisco 
  aaa new-model
  aaa authentication login default local enable
  aaa authorization exec default local if-authenticated
  aaa authorization commands 15 default local if-authenticated
  Now whether i keep the last command or remove it, username "cisco" is able to use every level 15 command so my question is, why i bother configuring this command?
  Would really appreciate your quick reply
  Regards

  Thanx a lot for your quick response. Really appreciate that.
  So does this mean, can i safely assume that if i am using local database then i don't require "aaa authorization command level" command??
  that is following should be the config
  username cisco privilege 15 secret cisco 
  aaa new-model
  aaa authentication login default local enable
  aaa authorization exec default local if-authenticated
  privilege exec level 15 show   (just an example)
  privilege exec level 15 debug
  I have tested this and it worked fine without using "aaa authorization command level"
  Moreover, regarding the use of AAA server, my eventual plan is to use TACACS+ but before that,  i wanted to get a good grip of AAA functionality and therefore started off with local user database.  
  So u mean to say, if i am using TACACS+ for authentication and authorization purposes and in ACS Server, user "cisco" has been assigned level 15 but with authorization set of "show" and "debug" only then by using "aaa authorization commands level" in a router, i can successfully restrict user "cisco" to "debug" and "show" only? In my point of view, i can achieve this anyway (restricting "cisco" user to only use "show and debug) without using "aaa authorization command level" (like i tested with local database)??
  will really appreciate your kind response

• Exclude specific user from aaa authorization commands

  Hi there,
  I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.
  We use an AAA setup with Cisco ACS. On the devices we use:
  aaa authorization config-commands
  aaa authorization commands 1 default group tacacs+ local
  aaa authorization commands 5 default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  is it possible, to exclude an  user, say User1, from being command authorized?
  In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.
  We tried this with method lists in combination with ACL's on the VTY's:
  line VTY 0
  access-class 1 in
  line VTY 1
  access-class 2 in
  Let's say, User1 always logs in from a specific IP, which is mentioned in access-list 2, the switch would use the method mentioned within the line vty 1.
  But apparently, when a remote connection is being established, the switch/router uses the first VTY which is available, instead of watching which ACL can be matched to the source IP from the User.
  Does anyone have some tips/tricks how to handle this?
  Maybe a custom attribute from the ACS?
  Kind Regards

  If that user belongs to a unique group then you can write a policy where "if the user is in group x then return "access_reject" Or return "access_accept" but set the privilege level to "1" and block all commands. 
  Thank you for rating helpful posts!

• Aaa authorization command

  Hi!
  I have issued the aaa authorization command tacacs on my asa, but the ACS is not letting me do any command now. I'm trying to issue the no
  aaa authorization command tacacs, but it does not let me.
  How can i rollback??
  Please Help me
  Tkx
  Miguel

  What version of ACS are you running?
  If you are running acs 4.x then you will have to go to your group settings and under shell command authorization permit all commands, if you are using acs 5, you will have to go to your authorization policy, click customize if the command set column isnt active already and assign the command set to allow all commands. I think by default there should be a permit all.
  Thanks,
  Tarik

• Configuring aaa local command authorization

  i am a bit struggling with how to configure aaa local command authorization, i am not getting any material also for configuring it. Please tell me how to configure aaa local command authorization.. or possible give me some useful links for that..

  Hi,
  For aaa authorization command set.Kindly refer to link.
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_reference_chapter09186a00800ca5d4.html
  I hope this help.Please rate this post.
  cheers
  Sachin

• AAA issue ( command authorization failed)

  I am getting the issue, and following is the script , cannot find  and locate the cause of error !
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname hexxor
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
  enable password 7 0525112F05411F075231123E
  username hexxor password 7 024D2A103F26243363593D1C2B5C
  aaa new-model
  aaa authentication login T-AUTH group tacacs+ local
  aaa authorization console
  aaa authorization config-commands
  aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
  aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
  aaa accounting exec T-ACC start-stop group tacacs+
  aaa accounting commands 15 T-ACC start-stop group tacacs+
  interface Vlan1
  no ip address
  interface Vlan50
  ip address 128.1.50.54 255.255.255.0
  no ip route-cache
  ip default-gateway 128.1.50.254
  no ip http server
  ip http secure-server
  ip sla enable reaction-alerts
  logging trap debugging
  logging 10.241.40.20
  logging 128.1.50.245
  access-list 1 permit 128.1.50.245
  snmp-server host 10.241.40.27 Armageddon
  snmp-server host 128.1.50.245 Armageddon
  tacacs-server host 10.241.40.22
  tacacs-server host 10.241.40.23
  tacacs-server directed-request
  tacacs-server key 7 020813480E052F2E4D
  line con 0
  exec-timeout 5 0
  password 7 1142374E2332201E2B3D1F210678
  authorization commands 15 T-AUTHOR
  authorization exec T-AUTHOR
  accounting commands 15 T-ACC
  accounting exec T-ACC
  login authentication T-AUTH
  transport preferred none
  line vty 0 4
  exec-timeout 5 0
  password 7 06281801684358174E231727
  authorization commands 15 T-AUTHOR
  authorization exec T-AUTHOR
  accounting commands 15 T-ACC
  accounting exec T-ACC
  login authentication T-AUTH
  transport input telnet
  transport output telnet
  line vty 5 15
  password 7 0228137B2F0B5E2F077A0C35
  end

  Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
  I would suggest this as a first test:
  - login to the device.
  - go into enabl mode.
  - attempt the show run command. (I assume that it will fail)
  - check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
  If you want to do a second test to verify the cause of the problem then I would suggest this:
  - remove from the config these lines
  aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
  aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
  then login to the device, go into enable mode, attempt the show run command
  Try one or both of these tests and post back to tell us of the results.
  HTH
  Rick