AAA Radius accounting command is not taking in 3750 switch
Hi Cisco Support community,
I am facing an issue with RADIUS accounting on a Cisco 3750 switch running version 12.2. I am unable to start accounting for the RADIUS server.
This is the config that is on the switch for Radius.
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec my-authradius group radius if-authenticated.
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 20 tries 5
radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
When I try to add the following commands for accounting, they are not being saved.
(aaa accounting commands 0 default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius)
If I paste these commands one by one, after start-stop group it shows only two options, either tacacs+ or server, and there is no radius option either.
I tried to create a server group and add the radius server to the group. Even then, when I try to implement the aaa accounting command with the server command, it does not show in show run.
Can anyone please help me with this issue?
Hi,
Thanks for your reply, but the thing is that I want to see the commands that are being run by a user on this particular device. If I use the network command it will only show me the network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
I have read the document from this link and it is stating that we can use command accounting. Below is the link
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html.
Can anyone please tell me if this is a version issue, because even in version 15.4 I was not seeing the radius option at the end:
aaa accounting commands 15 default start-stop group (radius)- in radius place it was showing only Tacacs+ or group.
Similar Messages
-
3640 - AAA/AUTHOR: config command authorization not enabled
Hello, I have a 3640 router with c3640-ik9o3sw6-mz.122-8.T.bin version but when I try to validate the username and password with a radius server, the debug message is "AAA/AUTHOR: config command authorization not enabled" and I'm sure that the radius validates the user and the packet arrives at the router.
I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
I attach the files with config and logs.
Thank you in advance.
Yep! I'm really running 12.1!
I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
sh run | i aaa
aaa new-model
aaa authentication attempts login 5
aaa authentication banner ^C
aaa authentication fail-message ^C
aaa authentication login My-RADIUS group radius local
aaa accounting exec My-RADIUS start-stop group radius
aaa session-id common
Is there somewhere specific I was supposed to configure the aaa authorization enabled, because I'm not seeing it.
Let me know what other thoughts you may have.
Thanks
Nik -
Account layout change not taking effect
I copied the account default layout to my own, and tried to remove all the campaign info that won't be implemented. However, it still shows up even though I've attached the new layout to my profile.
Is there something I'm missing?
Maybe your personal configuration is different and it takes the place of the default configuration (the profile one).
To view that navigate to My configuration / Personal Page Layout.
Regards, Kim. -
ACL not working on 3750 Switch Stack on a trunk port
I cannot figure out why the ACL is not working on a 3750 running 12.2 (55)SE on a trunk port. For testing, there is 1 x IP (10.101.15.13) that should be denied to all VLANs on the trunk. I have tried standard and extended list, but neither seem to work.
What am I doing wrong?
Access-List:
Standard IP access list 10
10 deny 10.101.15.13 log
20 permit any log
Access-List Interface:
interface GigabitEthernet7/0/10
description ESX Trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,60-63
switchport mode trunk
ip access-group 10 in
Mac-Address on the Switch Port:
63 0050.569a.6d9f DYNAMIC Gi7/0/10
Windows Machine MAC:
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
Windows Connection (which should be denied):
TCP 10.20.63.4:3389 10.101.15.13:21289 ESTABLISHED InHost
PACLs only apply to an L2 interface. On an L2 interface the only direction that can be applied is INBOUND. On an L3 interface INBOUND or OUTBOUND can be specified.
In any case, I have worked around the issue by applying VACLs. Marking this as resolved. -
Question about usage of aaa accounting commands
Hi everyone,
I have the problem that Cisco routers and switches do not send some accounting command information to ACS.
The accounting commands not sent to ACS are "show log" and "show version".
The accounting commands sent to ACS are "show runn", "conf t" and "debug".
The configuration of the routers and switches is the following:
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands not sent to ACS are privilege level 1 commands and the commands sent to ACS are privilege level 15 commands.
So I need the additional aaa accounting command below to get routers and switches to send level 1 commands to ACS, because the "15" of "aaa accounting commands 15" does not include level 1, so I need to configure "aaa accounting commands 1" for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct ?
Your information would be greatly appreciated.
Best regards,
Hi,
Please do this and the router will send everything to the ACS server, except whatever you are doing to the router in http:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
 exec-timeout 0 0
 authorization exec notac
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 logging synchronous
 login authentication notac
line aux 0
 session-timeout 35791
 exec-timeout 35791 23
 authorization exec notac
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 login authentication notac
 transport input all
line vty 0
 exec-timeout 0 0
 authorization commands 0 VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 accounting commands 0 VTY
 accounting commands 1 VTY
 accounting commands 15 VTY
 accounting exec VTY
 login authentication VTY
David
CCIE Security -
Does "aaa accounting commands" not support radius?
When I issue this command:
aaa accounting commands 15 default start-stop group myradiusgroup
I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
Nowhere in the documentation could I find anything saying the "commands" accounting type is only available to tacacs+. Does aaa not support this accounting type for radius?
Hi Red,
The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
Missing aaa accounting commands
Hi,
I might be being REALLY STUPID, but I am trying to config a 12.3 IOS router to send command accounting records to an ACS 3.3 server via RADIUS.
When I input the 'aaa accounting commands 15 default group radius' command, it is accepted by the router, but show the config, and it's not there. This is the same for all command levels. This router is logging VoIP accounting records too, to the same RADIUS box, without problems.
Have I missed something about setting up AAA?
Grateful for any help!
Thanks
Pete Moore
Even if IOS did support it, the format of any RADIUS cmd accounting will be inferior for a couple of reasons
1) The ACS TACACS+ reports are totally geared up for this with pre-defined columns for each T+ attribute.
2) ACS has a dedicated cmd accounting report which splits out cmds from sessions
3) To package in RADIUS, IOS would have to create many cisco-av-pair VSA instances. In the RADIUS accounting logs these will all be compressed into a single column of the format
"attr1=value1;attr2=value2;..."
Depending on what you want to do with the data this format is quite restrictive.
My advice is to enable TACACS+
Darran -
Question on AAA accounting command?
Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?
jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
You will not even see an option for radius.
jkatyel(config)#aaa accounting commands 15 default start-stop gr
jkatyel(config)#aaa accounting commands 15 default start-stop group ?
WORD Server-group name
tacacs+ Use list of all Tacacs+ hosts.
Accounting supported by radius
https://tools.ietf.org/html/rfc2866
Regards,
Jatin Katyal
*Do rate helpful posts* -
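The two points the answers above make, that command accounting is accepted only with a TACACS+ group and that each privilege level needs its own entry, can be checked against a running-config or a candidate template before it is pushed. The following Python script is an added example, not code from any poster or from Cisco; its function names, finding strings and sample configurations are constructed for illustration, and it assumes only the stock privilege levels 0, 1 and 15 are in use.

```python
import re

# Privilege levels that hold commands on a stock IOS image. Each level needs its
# own accounting entry (assumption: no custom levels defined with "privilege").
REQUIRED_LEVELS = (0, 1, 15)

ACCT = re.compile(r"^aaa accounting commands (\d+) (\S+) (.*)$")
GROUP_DEF = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)$")
LINE_ACCT = re.compile(r"^accounting commands (\d+) (\S+)$")

# Constructed samples, assembled from configuration lines quoted in the threads.
LEVEL15_ONLY = """aaa new-model
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+"""

RADIUS_CANDIDATE = """aaa group server radius myradiusgroup
aaa accounting commands 0 default start-stop group myradiusgroup
aaa accounting commands 1 default start-stop group myradiusgroup
aaa accounting commands 15 default start-stop group myradiusgroup"""

NAMED_LIST = """aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
line vty 0
 accounting commands 0 VTY
 accounting commands 1 VTY"""


def parse(config):
    """Return (method lists, server-group types, line-level applications)."""
    lists, applied = {}, set()
    groups = {"radius": "radius", "tacacs+": "tacacs+"}  # built-in group names
    for raw in config.splitlines():
        line = raw.strip()  # scraped configs often lose their indentation
        if m := ACCT.match(line):
            lists.setdefault(m[2], {})[int(m[1])] = re.findall(r"group (\S+)", m[3])
        elif m := GROUP_DEF.match(line):
            groups[m[2]] = m[1]
        elif m := LINE_ACCT.match(line):
            applied.add((m[2], int(m[1])))
    return lists, groups, applied


def audit(config):
    """Return findings describing commands that would go unaccounted."""
    lists, groups, applied = parse(config)
    findings = []
    if not lists:
        findings.append("no 'aaa accounting commands' entries present")
    for name, levels in sorted(lists.items()):
        for level in REQUIRED_LEVELS:
            if level not in levels:
                findings.append(f"list {name}: level {level} commands not accounted")
        for level, used in sorted(levels.items()):
            for group in used:
                if groups.get(group) == "radius":
                    findings.append(f"list {name}: level {level} uses RADIUS group "
                                    f"'{group}', command accounting needs TACACS+")
            if name != "default" and (name, level) not in applied:
                findings.append(f"list {name}: level {level} not applied to any line")
    return findings


if __name__ == "__main__":
    for label, cfg in [("level15-only", LEVEL15_ONLY),
                       ("radius-candidate", RADIUS_CANDIDATE),
                       ("named-list", NAMED_LIST)]:
        print(label, audit(cfg) or "ok")
```

Because IOS drops a rejected RADIUS accounting line instead of saving it, a running-config from such a device shows up here as having no command accounting entries at all; the RADIUS finding is meant for templates reviewed before deployment.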
Enable aaa accounting commands for all privilege levels?
Here is the command's syntax:
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
Take the following example:
aaa accounting commands 15 default start-stop group mygroup
If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
How can I log all commands regardless of privilege level?
Hi Red,
If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
You can find the command detail at. This is for ASA though.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?
I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.
Thanks, Rick
Give extraxi aaa-reports! a try (free trial version available)
We offer loads of great canned reports for device admin.. and more importantly you can filter out stuff you don't want during import.
Once the CSVs are imported we also have a visual query builder for drilling down into your data - with the results exportable to word/excel/html etc.
Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance)
We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"
Darran -
Can't update apps on my Mac or iPhone 4. It asks for a password for another account I had on a Dell notebook. Either I forgot the password or it's not taking it. I can download apps and music. How can I update apps on my Mac and iPhone 4?
I had the same problem today and was able to resolve it without having to do a restore or reset. The problem had something to do with my mail accounts. The upgrade reset my mail settings, switching both my gmail and my .mac mail to "archive all mail". I went into the General Settings, disabled that setting, and resynced the phone. The "other" storage allotment dropped back down to less than a gig.
Before you restore or reset, I would try that first. -
Command link / button action is not taking place if i use it in iterator.
Hi,
I am new to ADF and I am facing one issue while implementing an ADF mobile browser application.
Issue: command link / button action is not taking place if I use it in an iterator. It just refreshes the page itself and displays no records.
The scenario is that I am populating the search results in the results page from the search page using an iterator, and I want to get the complete details in a different page (results page -> details page).
I have tried in different ways, like
case1:
<tr:panelGroupLayout id="pgl2" layout="vertical" styleClass="af_m_panelBase">
<tr:panelHeader text="#{classviewBundle.SEARCH_RESULTS}" id="ph1"/>
<tr:iterator id="i1" value="#{bindings.SubjectVO1.collectionModel}" var="subject"
varStatus="subIndx" rows="100">
<tr:panelBox text="#{subject.Subject} #{subject.CatalogNbr} - #{subject.CourseTitleLong}"
styleClass="af_m_listingPrimaryDetails" id="pb1">
<f:facet name="toolbar"/>
<tr:table var="ssrClass" rowBandingInterval="1" id="t1" value="#{subject.children}"
varStatus="clsIndx" rowSelection="none"
binding="#{SessionBean.subjectTable}" verticalGridVisible="true"
emptyText="No Records" width="100%">
<tr:column id="c9" sortable="false" styleClass="width:100%">
<tr:commandLink text="Section: #{ssrClass.ClassSection}-#{ssrClass.SsrComponentLovDescr} (#{ssrClass.ClassNbr})"
id="commandLink2" styleClass="af_m_listingLink"
action="#{pageFlowScope.BackingBean.searchaction}"></tr:commandLink>
//remaining code
In this case the commandLink action is not able to invoke the searchaction() method.
case 2:
<tr:commandLink text="Section: #{ssrClass.ClassSection}-#{ssrClass.SsrComponentLovDescr} (#{ssrClass.ClassNbr})"
id="commandLink2" styleClass="af_m_listingLink"
action="classdetails}"></tr:commandLink>
In this case it's not able to navigate to the classdetails page.
I gave correct navigation cases and rules in the taskflow, but it's working fine only when the command link is out of the iterator.
I tried with actionlistener too, but no use. Please help me out of this problem.
Update to issue:
The actual issue is that when I use a command link/button in a table/iterator whose parent tag is another iterator, the action is not taking place.
The structure of my code is
< iterator1>
#command link action1
< iterator2>
#command link action2
</ iterator2>
< /iterator1>
#command link action1 is working but "#command link action2" is not...
Thanks
Shyam
Edited by: shyam on Dec 26, 2011 5:40 PM
Hi,
To solve my problem I used an af:forEach instead.
<af:forEach items="#{viewScope.DataBySubjectServiceBean.toArray}" var="text">
<af:commandLink text="#{text.IndTextEn}" action="indicator-selected" id="cl1">
<af:setActionListener from="#{text.IndCode}" to="#{pageFlowScope.IndicatorCodeParam}" />
</af:commandLink>
</af:forEach>
By the way you need to convert the iterator to an Array using a ManagedBean.
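// Copies the rows of the bound collection model into an array for af:forEach.
// "indicators" is assumed to be an Object[] field of the managed bean.
public Object[] toArray() {
    CollectionModel cm = (CollectionModel) getEL("#{bindings.TView1.collectionModel}");
    indicators = new Object[cm.getRowCount()];
    for (int i = 0; i < cm.getRowCount(); i++) {
        indicators[i] = cm.getRowData(i);
    }
    return indicators;
}

// Evaluates an EL expression against the current FacesContext.
public static Object getEL(String expr) {
    FacesContext fc = FacesContext.getCurrentInstance();
    return fc.getApplication().evaluateExpressionGet(fc, expr, Object.class);
}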
Hope that helps-
Edited by: JuJuZ on Jan 3, 2012 12:23 AM
Add getEL Method -
Planned orders are not taking into account the processing time
Hi,
Could you please tell me why planned order quantities are not based on processing time from the material master?
Materials were set before with 1 day in-house production, no matter the lot size.
Based on routings I updated the material master with processing time depending on lot size.
What is bothering me now is that planned orders are not taking into account processing time (e.g. based on my processing time 1000 pce are produced in 3 days, but planned orders show me that 1000 pce are still needed in 1 day, but it cannot be produced in 1 day).
What did I miss?
Thanks a lot for any information!
Hello Simona
The in house production time from tab MRP 2 is lot size independent.
However, on tab work scheduling you can define a lot size dependent times.
Please observe that, if you have entered an in house production time, the processing time will not be considered. The F1 help of the field provides the following explanation:
You can define work scheduling times in the material master record in one of two ways:
Either you enter the in-house production time. If required, you can get the system to update this value from the routing.
Or you enter the setup, teardown, processing, and interoperation times. If you maintain these values, the system determines the in-house production time on the basis of lot size.
Therefore, if you want to consider the processing time, you should remove the in house processing time.
BR
Caetano -
Revision: 12641
Author: [email protected]
Date: 2009-12-07 21:10:00 -0800 (Mon, 07 Dec 2009)
Log Message:
Improvements to the DFXP parser, captioning sample, and a bug fix for the TemporalFacet (duration timers were not taking account of the media being paused).
Modified Paths:
osmf/trunk/apps/samples/plugins/CaptioningSample/src/CaptioningSample.css
osmf/trunk/framework/MediaFramework/org/osmf/metadata/TemporalFacet.as
osmf/trunk/plugins/CaptioningPlugin/org/osmf/captioning/parsers/DFXPParser.as -
Finder not taking into account local backups when reporting free disk space
Time Machine in Lion (10.7.2) stores local backups of files on your laptop's hard drive when it is not connected to an external Time Machine backup drive. See this article for more information.
If you click on the Apple in the top-left corner of your screen and choose About This Mac > More Info > Storage, you will see exactly how much space your local "Backups" are taking (along with other useful info about how your hard drive space is being used).
Interestingly, the amount of free HD space listed there differs from the amount of free space Finder says is available (when you choose View > Show Status Bar to display it). The amount that it differs is exactly the same as the amount of the local "Backups." So, it appears that Finder is not taking those local Backups into account when it displays free disk space.
So, Finder is telling me I have almost 100 gigs MORE free space than I actually have. I would prefer Finder to show me how much space I have AFTER the local Backups are taken into account.
The article that you linked to gives the rationale for this:
Note: You may notice a difference in available space statistics between Disk Utility, Finder, and Get Info inspectors. This is expected and can be safely ignored. The Finder displays the available space on the disk without accounting for the local snapshots, because local snapshots will surrender their disk space if needed.