AAA Radius accounting command is not taking in 3750 switch

Hi Cisco Support community,
I am facing an issue with radius accounting on a Cisco 3750 switch with version 12.2. I am unable to start accounting for the radius server.
This is the config that is on the switch for Radius.
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec my-authradius group radius if-authenticated
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 20 tries 5
radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
When I try to add the following commands for accounting, they are not saved.
(aaa accounting commands 0 default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius)
If I paste these commands one by one, after start-stop group it shows only two options, either tacacs+ or server; there is no radius option either.
I tried to create a server group and add the radius server to the group. Even then, when I try to implement the aaa accounting command with the server command, it does not show in show run.
Can anyone please help me with this issue?

Hi,
Thanks for your reply, but the thing is that I want to see the commands that are being run by a user on this particular device. If I use the network command it will only show me the network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
I have read the document from this link and it states that we can use command accounting. Below is the link:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html
Can anyone please tell me if this is a version issue, because even in version 15.4 I was not seeing the radius option at the end:
aaa accounting commands 15 default start-stop group (radius) - in place of radius it was showing only Tacacs+ or group.

Similar Messages

  • 3640 - AAA/AUTHOR: config command authorization not enabled

    Hello, I have a 3640 router with c3640-ik9o3sw6-mz.122-8.T.bin version but when I try to validate the username and password with a radius server, the debug message is "AAA/AUTHOR: config command authorization not enabled" and I'm sure that the radius validates the user and the packet arrives at the router.
    I've tried to update the IOS with c3640-ik9o3s-mz.122-46a.bin and I can validate but I cannot use "crypto isakmp client configuration group mygroup" to configure Easy VPN server.
    I attach the files with config and logs.
    Thank you in advance.

    Yep! I'm really running 12.1!
    I'm receiving the message once i include "aaa authorization exec default group radius local if-authenticated" in the config.
    Login is successful, however authorization does not allow me to go directly into enable mode. If I take the aaa authorization line out I can login to user mode and then use the enable password to move forward but that is not what I wish to achieve.
    sh run | i aaa
    aaa new-model
    aaa authentication attempts login 5
    aaa authentication banner ^C
    aaa authentication fail-message ^C
    aaa authentication login My-RADIUS group radius local
    aaa accounting exec My-RADIUS start-stop group radius
    aaa session-id common
    Is there somewhere specific I was supposed to configure the aaa authorization enabled, because I'm not seeing it.
    Let me know what other thoughts you may have.
    Thanks
    Nik

  • Account layout change not taking effect

    I copied the account default layout to my own, and tried to remove all the campaign info that
    won't be implemented. However, it still shows up even though I've attached the new layout to my profile.
    Is there something I'm missing?

    Maybe your personal configuration is different and it takes the place of the default configuration (the profile one).
    To view that navigate to My configuration / Personal Page Layout.
    Regards, Kim.

  • ACL not working on 3750 Switch Stack on a trunk port

    I cannot figure out why the ACL is not working on a 3750 running 12.2 (55)SE on a trunk port.  For testing, there is 1 x IP (10.101.15.13) that should be denied to all VLANs on the trunk.  I have tried standard and extended list, but neither seem to work.
    What am I doing wrong?
    Access-List:
    Standard IP access list 10
        10 deny   10.101.15.13 log
        20 permit any log
    Access-List Interface:
    interface GigabitEthernet7/0/10
     description ESX Trunk
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,2,60-63
     switchport mode trunk
     ip access-group 10 in
    Mac-Address on the Switch Port:
    63    0050.569a.6d9f    DYNAMIC     Gi7/0/10
    Windows Machine MAC:
    Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #4
    Physical Address. . . . . . . . . : 00-50-56-9A-6D-9F
    Windows Connection (which should be denied):
     TCP    10.20.63.4:3389        10.101.15.13:21289     ESTABLISHED     InHost

    PACLs only apply to an L2 interface.  On an L2 interface the only direction that can be applied is INBOUND.  On an L3 interface INBOUND or OUTBOUND can be specified.
    In any case, I have worked around the issue by applying VACLs. Marking this as resolved.

  • Question about usage of aaa accounting commands

    Hi everyone,
    I have the problem that Cisco routers and switches do not send some accounting command
    information to ACS.
    Accounting commands not sent to ACS are "show log" and "show version".
    Accounting commands sent to ACS are "show runn", "conf t" and "debug".
    The configuration of routers and switches is the following
    aaa new-model
    aaa authentication login default group tacacs+ line
    aaa authorization commands 15 default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host xxx.xxx.xxx.xxx key yyyy
    I think the commands not sent to ACS are privilege level 1 commands and the commands
    sent to ACS are privilege level 15 commands.
    So I need the additional aaa accounting command below to get routers and switches to send level 1
    commands to ACS, because the "15" of "aaa accounting commands 15" does not include level 1,
    so I need to configure "aaa accounting commands 1" for level 1 commands.
    aaa accounting commands 1 default start-stop group tacacs+
    Is my understanding correct ?
    Your information would be greatly appreciated.
    Best regards,

    Hi,
    please do this and the router will send
    everything to the ACS server, except
    whatever you are doing to the router in http:
    aaa new-model
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa accounting connection VTY start-stop group tacacs+
    aaa session-id common
    ip http authentication aaa login-authentication VTY
    ip http authentication aaa exec-authorization VTY
    tacacs-server host 192.168.15.10 key 7 1446405858517C
    tacacs-server directed-request
    line con 0
     exec-timeout 0 0
     authorization exec notac
     accounting commands 0 VTY
     accounting commands 1 VTY
     accounting commands 15 VTY
     accounting exec VTY
     logging synchronous
     login authentication notac
    line aux 0
     session-timeout 35791
     exec-timeout 35791 23
     authorization exec notac
     accounting commands 0 VTY
     accounting commands 1 VTY
     accounting commands 15 VTY
     accounting exec VTY
     login authentication notac
     transport input all
    line vty 0
     exec-timeout 0 0
     authorization commands 0 VTY
     authorization commands 1 VTY
     authorization commands 15 VTY
     authorization exec VTY
     accounting commands 0 VTY
     accounting commands 1 VTY
     accounting commands 15 VTY
     accounting exec VTY
     login authentication VTY
    David
    CCIE Security

  • Does "aaa accounting commands" not support radius?

    When I issue this command:
    aaa accounting commands 15 default start-stop group myradiusgroup
    I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
    Nowhere in the documentation could I find anything saying the "commands" accounting type is only available to tacacs+. Does aaa not support this accounting type for radius?

    Hi Red,
    The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • Missing aaa accounting commands

    Hi,
    I might be being REALLY STUPID, but I am trying to config a 12.3 IOS router to send command accounting records to an ACS 3.3 server via RADIUS.
    When I input the 'aaa accounting commands 15 default group radius' command, it is accepted by the router, but show the config, and it's not there. This is the same for all command levels. This router is logging VoIP accounting records too, to the same RADIUS box, without problems.
    Have I missed something about setting up AAA?
    Grateful for any help!
    Thanks
    Pete Moore

    Even if IOS did support it, the format of any RADIUS cmd accounting will be inferior for a couple of reasons
    1) The ACS TACACS+ reports are totally geared up for this with pre-defined columns for each T+ attribute.
    2) ACS has a dedicated cmd accounting report which splits out cmds from sessions
    3) To package in RADIUS, IOS would have to create many cisco-av-pair VSA instances. In the RADIUS accounting logs these will all be compressed into a single column of the format
    "attr1=value1;attr2=value2;..."
    Depending on what you want to do with the data this format is quite restrictive.
    My advice is to enable TACACS+
    Darran

  • Question on AAA accounting command?

    Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?

    jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
    You will not even see an option for radius.
    jkatyel(config)#aaa accounting commands 15 default start-stop gr
    jkatyel(config)#aaa accounting commands 15 default start-stop group ?
      WORD     Server-group name
      tacacs+  Use list of all Tacacs+ hosts.
    Accounting supported by radius
    https://tools.ietf.org/html/rfc2866
    Regards,
    Jatin Katyal
    *Do rate helpful posts*
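
The replies above agree that IOS accepts only TACACS+ groups for `aaa accounting commands`, and the TACACS+ reply configures levels 0, 1 and 15 as separate lines. The following is an added example, not code from any poster or from Cisco: a Python check to run over a candidate config before it is pushed. The function name, sample configs and group names are constructed for illustration.

```python
import re

# Levels the TACACS+ reply above configures one by one; a line for level 15
# alone leaves level 0 and level 1 commands unaccounted.
EXPECTED_LEVELS = (0, 1, 15)

GROUP_DEF = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)", re.M)
ACCT_CMD = re.compile(
    r"^aaa accounting commands (\d+) (\S+) (?:start-stop|stop-only|none)(.*)$",
    re.M)

# Constructed sample configs (addresses and group names are made up).
SAMPLE_RADIUS = """\
aaa new-model
aaa group server radius myradiusgroup
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa accounting commands 15 default start-stop group myradiusgroup
"""
SAMPLE_PARTIAL = """\
aaa new-model
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""
SAMPLE_FULL = """\
aaa new-model
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
"""


def audit_command_accounting(config):
    """Return a list of findings for 'aaa accounting commands' lines."""
    # Built-in group names map to themselves; named groups come from the config.
    protocol = {"radius": "radius", "tacacs+": "tacacs+"}
    for proto, name in GROUP_DEF.findall(config):
        protocol[name] = proto

    findings = []
    covered = {}  # method-list name -> levels backed by a TACACS+ group
    for level, mlist, rest in ACCT_CMD.findall(config):
        for group in re.findall(r"group (\S+)", rest):
            proto = protocol.get(group)
            if proto == "radius":
                findings.append(
                    f"level {level} list {mlist}: group '{group}' is RADIUS; "
                    "command accounting needs a TACACS+ group")
            elif proto is None:
                findings.append(
                    f"level {level} list {mlist}: group '{group}' is not defined")
            else:
                covered.setdefault(mlist, set()).add(int(level))

    for mlist, levels in sorted(covered.items()):
        missing = [lvl for lvl in EXPECTED_LEVELS if lvl not in levels]
        if missing:
            findings.append(
                f"list {mlist}: no command accounting for level(s) {missing}")
    if not covered:
        findings.append("no usable TACACS+ command accounting found")
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_RADIUS", "SAMPLE_PARTIAL", "SAMPLE_FULL"):
        print(name, audit_command_accounting(globals()[name]))
```

A named list such as VTY only takes effect once it is applied under the console and vty lines, as the longer TACACS+ reply on this page does; this check does not cover that step.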

  • Enable aaa accounting commands for all privilege levels?

    Here is the command's syntax:
    aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
    The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
    Take the following example:
    aaa accounting commands 15 default start-stop group mygroup
    If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
    How can I log all commands regardless of privilege level?

    Hi Red,
    If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
    The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
    You can find the command detail at. This is for ASA though.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • AAA Accounting Commands

    I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?
    I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.
    Thanks, Rick

    Give extraxi aaa-reports! a try (free trial version available)
    We offer loads of great canned reports for device admin.. and more importantly you can filter out stuff you don't want during import.
    Once the CSVs are imported we also have a visual query builder for drilling down into your data - with the results exportable to word/excel/html etc.
    Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance)
    We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"
    Darran

  • Can't update apps. asks for password for another account i had on a dell notebook. either i forgot the password or it's not taking it. i can download apps,music with present mac note book but not apps. how can i update apps on my mac and iphone 4?

    Can't update apps on my mac or iphone4. Asks for password for another account I had on a dell notebook. Either I forgot the password or it's not taking it. I can download apps and music. How can I update apps on my mac and iphone 4?

    I had the same problem today and was able to resolve it without having to do a restore or reset. The problem had something to do with my mail accounts. The upgrade reset my mail settings, switching both my gmail and my .mac mail to "archive all mail". I went into the General Settings, disabled that setting, and resynced the phone. The "other" storage allotment dropped back down to less than a gig.
    Before you restore or reset, I would try that first.

  • Command link / button action is not taking place if i use it in iterator.

    Hi,
    I am new to ADF, and I am facing one issue while implementing an ADF mobile browser application.
    Issue: command link / button action is not taking place if I use it in an iterator. It just refreshes the page itself and displays no records.
    The scenario is that I am populating the search results in the results page from the search page using an iterator, and I want to get the complete details in a different page (results page -> details page).
    I have tried in different ways, like:
    case1:
    <tr:panelGroupLayout id="pgl2" layout="vertical" styleClass="af_m_panelBase">
    <tr:panelHeader text="#{classviewBundle.SEARCH_RESULTS}" id="ph1"/>
    <tr:iterator id="i1" value="#{bindings.SubjectVO1.collectionModel}" var="subject"
    varStatus="subIndx" rows="100">
    <tr:panelBox text="#{subject.Subject} #{subject.CatalogNbr} - #{subject.CourseTitleLong}"
    styleClass="af_m_listingPrimaryDetails" id="pb1">
    <f:facet name="toolbar"/>
    <tr:table var="ssrClass" rowBandingInterval="1" id="t1" value="#{subject.children}"
    varStatus="clsIndx" rowSelection="none"
    binding="#{SessionBean.subjectTable}" verticalGridVisible="true"
    emptyText="No Records" width="100%">
    <tr:column id="c9" sortable="false" styleClass="width:100%">
    <tr:commandLink text="Section: #{ssrClass.ClassSection}-#{ssrClass.SsrComponentLovDescr} (#{ssrClass.ClassNbr})"
    id="commandLink2" styleClass="af_m_listingLink"
    action="#{pageFlowScope.BackingBean.searchaction}"></tr:commandLink>
    //remaining code
    In this case the commandLink action is not able to invoke the searchaction() method.
    case 2:
    <tr:commandLink text="Section: #{ssrClass.ClassSection}-#{ssrClass.SsrComponentLovDescr} (#{ssrClass.ClassNbr})"
    id="commandLink2" styleClass="af_m_listingLink"
    action="classdetails}"></tr:commandLink>
    In this case it's not able to navigate to the classdetails page.
    I gave correct navigation cases and rules in the taskflow, but it only works fine when the command link is outside the iterator.
    I tried with actionlistener too, but no use. Please help me out of this problem.
    *Update to issue:*
    The actual issue is that when I use a command link/button in a table/iterator whose parent tag is another iterator, the action is not taking place.
    The structure of my code is
    < iterator1>
    #command link action1
    < iterator2>
    #command link action2
    </ iterator2>
    < /iterator1>
    #command link action1 is working but "#command link action2" is not...
    Thanks
    Shyam
    Edited by: shyam on Dec 26, 2011 5:40 PM

    Hi,
    To solve my problem I used an af:forEach instead.
    <af:forEach items="#{viewScope.DataBySubjectServiceBean.toArray}" var="text">
    <af:commandLink text="#{text.IndTextEn}" action="indicator-selected" id="cl1">
    <af:setActionListener from="#{text.IndCode}" to="#{pageFlowScope.IndicatorCodeParam}" />
    </af:commandLink>
    </af:forEach>
    By the way you need to convert the iterator to an Array using a ManagedBean.
    // 'indicators' is an Object[] field of the managed bean
    public Object[] toArray() {
        CollectionModel cm = (CollectionModel) getEL("#{bindings.TView1.collectionModel}");
        indicators = new Object[cm.getRowCount()];
        // copy each row of the collection model into the array
        for (int i = 0; i < cm.getRowCount(); i++) {
            indicators[i] = cm.getRowData(i);
        }
        return indicators;
    }
    // evaluate an EL expression against the current FacesContext
    public static Object getEL(String expr) {
        FacesContext fc = FacesContext.getCurrentInstance();
        return fc.getApplication().evaluateExpressionGet(fc, expr, Object.class);
    }
    Hope that helps-
    Edited by: JuJuZ on Jan 3, 2012 12:23 AM
    Add getEL Method

  • Planned orders are not taking into account the processing time

    Hi,
    Could you please tell me why planned order quantities are not based on processing time from the material master?
    Materials were set before with 1 day in-house production, no matter the lot size.
    Based on routings I updated the material master with processing time depending on lot size.
    What is bothering me now is that planned orders are not taking into account processing time (e.g. based on my processing time 1000 pce are produced in 3 days, but planned orders show me that 1000 pce are still needed in 1 day, but it cannot be produced in 1 day).
    What did I miss?
    Thanks a lot for any information!

    Hello Simona
    The in house production time from tab MRP 2 is lot size independent.
    However, on tab work scheduling you can define lot size dependent times.
    Please observe that, if you have entered an in house production time, the processing time will not be considered. The F1 help of the field provides the following explanation:
    You can define work scheduling times in the material master record in one of two ways:
    Either you enter the in-house production time. If required, you can get the system to update this value from the routing.
    Or you enter the setup, teardown, processing, and interoperation times. If you maintain these values, the system determines the in-house production time on the basis of lot size.
    Therefore, if you want to consider the processing time, you should remove the in house processing time.
    BR
    Caetano

  • [svn:osmf:] 12641: Improvements to the DFXP parser, captioning sample, and a bug fix for the TemporalFacet ( duration timers were not taking account of the media being paused).

    Revision: 12641
    Author:   [email protected]
    Date:     2009-12-07 21:10:00 -0800 (Mon, 07 Dec 2009)
    Log Message:
    Improvements to the DFXP parser, captioning sample, and a bug fix for the TemporalFacet (duration timers were not taking account of the media being paused).
    Modified Paths:
        osmf/trunk/apps/samples/plugins/CaptioningSample/src/CaptioningSample.css
        osmf/trunk/framework/MediaFramework/org/osmf/metadata/TemporalFacet.as
        osmf/trunk/plugins/CaptioningPlugin/org/osmf/captioning/parsers/DFXPParser.as

  • Finder not taking into account local backups when reporting free disk space

    Time Machine in Lion (10.7.2) stores local backups of files on your laptop's hard drive when it is not connected to an external Time Machine backup drive. See this article for more information.
    If you click on the Apple in the top-left corner of your screen and choose About This Mac > More Info > Storage, you will see exactly how much space your local "Backups" are taking (along with other useful info about how your hard drive space is being used).
    Interestingly, the amount of free HD space listed there differs from the amount of free space Finder says is available (when you choose View > Show Status Bar to display it). The amount that it differs is exactly the same as the amount of the local "Backups." So, it appears that Finder is not taking those local Backups into account when it displays free disk space.
    So, Finder is telling me I have almost 100 gigs MORE free space than I actually have. I would prefer Finder to show me how much space I have AFTER the local Backups are taken into account.

    The article that you linked to gives the rationale for this:
    Note: You may notice a difference in available space statistics between Disk Utility, Finder, and Get Info inspectors. This is expected and can be safely ignored. The Finder displays the available space on the disk without accounting for the local snapshots, because local snapshots will surrender their disk space if needed.
