Aaa-reports! v2.1 supports TACACS+ Device Admin Audit Reporting

extraxi is proud to announce a new release of aaa-reports! with support for TACACS+ Device Admin (TDA) reports for audit compliance.
Previous versions had the ability to import the Cisco Secure ACS database dump file and generate reports for group summaries, inactive users, expired and disabled user accounts.
But in v2.1 we've gone much deeper. In this release we provide new reports to more fully document your TACACS+ Device Administration (TDA) config:
* Group level Network Access Restrictions (NARs)
* Shared NARs
* Group level service & protocol authorization
* Group level enable authorization
* Group level shell command authorization
* Shared Device Command Sets (DCS) for shell & pixshell
* Network Device Group (NDG) content
With these additions you will at last be able to document your "policy intent" without having to take screen dumps of the ACS Admin web pages or write it down by hand!
And the reports don't stop at config documentation; they can also show you:
* Which groups/users have permit access to specific devices (or device group)
* What commands a group/user is authorised to execute against a specific device (or device group)
* What groups/users make reference to a given Shared Network Access Restriction (NAR) or Shared Device Command Set (DCS)
* Which Shared NARs and DCSs are not referenced at all
aaa-reports! v2.1 now supports several methods for importing the ACS Database:
* acsdb.cab - via extraxi "getacsdb" utility for v3.x
* package.cab - via 4.x cssupport/support admin page
All in all, aaa-reports! v2.1 is what ACS users have been crying out for to make network security auditing less painful!
Visit http://www.extraxi.com to download a working 60 day trial.


Similar Messages

  • Default Device Admin (Tacacs+)

    ACS 5.1
    Default Device Admin
    Identity:
    Single Result (internal list and AD1)
    Group Mapping:
    Rule1:(anyone in AD/Administrators=Group/AdminGroup)
    Default: Standard user
    Authorization:
    Rule1: (anyone in Group/AdminGroup, permit all commands)
    Default: Deny All Commands
    Here's my situation:
    User1 (AD/Administrator)
    UserBob (NOT in AD/Administrator)
    User1 logs into a switch, types "enable", is asked to authenticate again, and can then run all commands (this is what I'm looking for, though I dislike the second login)
    UserBob logs into a switch, types "enable", is asked to authenticate again, but gets the error "% Error in Authentication" (I do not want UserBob to even be able to log into the switch to begin with)
    So my question is:
    How do I keep UserBob from being able to log into the switch?
    How do I get User1 to enter level 15 (Switch# instead of Switch>) automatically without being prompted to enter their password a second time after typing "enable"?
    As I understand it, "Default Device Admin" is different from "Default Network Access", which I liken to "logging into switches" vs. "authenticating against a VPN server or wireless" respectively. So I should be able to restrict users from logging into switches but still allow them to authenticate for access to things like VPN, so I don't think what I'm asking above will keep me from being able to do that.
    Ideas?

    Hello
    Q1: How do I keep UserBob from being able to log into the switch?
         Configure a NAR [network access restriction] and restrict the user from accessing the switch.
    Q2: How do I get User1 to enter level 15 (Switch# instead of Switch>) automatically without being prompted to enter their password a second time after typing "enable"?
         You need to configure exec authorization on the switch and push "privilege level = 15" to make User1 land in switch# mode.
    The command on the switch will be:
         aaa authorization exec default group tacacs local
    Let me know if it helps.
    thanks
    Devashree

  • How to survive an ACS audit with aaa-reports!

    For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
    It's no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack of awareness of best practice for running ACS in a secure way. We'd like to help in our small way, and below is a list of tips we've picked up over the years of providing reporting services for ACS.
    Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled, you'll have a hard time getting the evidence that an auditor might ask for.
    Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
    Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
    Create a Change Control system for config changes on the ACS. Since it's ACS that decides who gets access and what commands they run on your network, it's vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
    Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you don't need this amount, but during an audit you may be required to show what happened on a specific historic date. The aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
    Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time; using a more recent ACS database might yield unexpected results because the configuration is likely to have changed in the meantime. Use csvsync to regularly grab the ACS database and keep the copies alongside the retained CSV logs for future reference.
    Review the quality of ACS log data. From time to time it's worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to fill with many MBs of "junk data", essentially one failed attempt for each line of the script. If left to continue for months, the real data becomes more difficult to find.
    In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating not only that there is specific and adequate policy to control access to those parts of the network that require it, but also seeking evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices, and once connected what can they do?" and finally report on what did actually happen.
    Below are some additional TDA specific tips:
    Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detail report can be used to inspect the policy in detail.
    Check for user-level overrides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report lists users with group-overriding configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
    Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation; this potentially lets anyone who can authenticate access the device. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD, then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
    Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand the intent of the policy from its name. aaa-reports! can document both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
    Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
    Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) it's also possible to use a rich array of formatting and other VB6 functions to create additional fields.
    The above list is of course by no means definitive, as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesn't have to be awful!
    For more information on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm
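As an added example (not extraxi's code, and not the ACS database format), here is a small Python model of the TDA policy items the tips above describe: shared NARs over NDGs, shared DCSs, group settings and user-level overrides. It answers the audit questions the post raises over constructed sample data (who can access a device, what a user can run there, which users override their group, and which shared objects are unreferenced); every device, group and user name in it is invented.

```python
"""Toy ACS TDA policy model (added example, not extraxi's or Cisco's code; shapes are assumptions)."""
from dataclasses import dataclass

@dataclass
class NAR:  # shared Network Access Restriction over Network Device Groups (NDGs)
    mode: str        # "permit": only the listed NDGs; "deny": every NDG but the listed
    ndgs: frozenset  # NDG names

@dataclass
class DCS:  # shared Device Command Set
    unmatched: str   # verdict for commands not listed below
    commands: dict   # command -> "permit" | "deny"

@dataclass
class Group:
    shell: bool      # shell/exec service enabled for this group?
    nar: str = ""    # shared NAR name; "" = no device restriction at all
    dcs: str = ""    # shared DCS name; "" = no command set

@dataclass
class User:
    group: str
    nar: str = ""    # user-level override of the group NAR ("" = inherit)
    dcs: str = ""    # user-level override of the group DCS ("" = inherit)

@dataclass
class Policy:
    ndgs: dict       # NDG name -> frozenset of device hostnames
    nars: dict
    dcss: dict
    groups: dict
    users: dict

    def effective(self, user):
        """User-level settings override the group's; shell is group-level only."""
        u = self.users[user]
        g = self.groups[u.group]
        return g.shell, u.nar or g.nar, u.dcs or g.dcs

    def can_access(self, user, device):
        """NAR check: with no NAR, anyone who authenticates reaches the device."""
        _, nar_name, _ = self.effective(user)
        if not nar_name:
            return True
        nar = self.nars[nar_name]
        member_of = {n for n, hosts in self.ndgs.items() if device in hosts}
        hit = bool(member_of & nar.ndgs)
        return hit if nar.mode == "permit" else not hit

    def can_run(self, user, device, command):
        """Command authorisation: device access, shell enabled and a DCS verdict."""
        shell, _, dcs_name = self.effective(user)
        if not shell or not dcs_name or not self.can_access(user, device):
            return False
        dcs = self.dcss[dcs_name]
        return dcs.commands.get(command, dcs.unmatched) == "permit"

    def who_can_access(self, device):
        return sorted(u for u in self.users if self.can_access(u, device))

    def users_with_overrides(self):
        return sorted(n for n, u in self.users.items() if u.nar or u.dcs)

    def unreferenced_shared(self):
        """Shared NARs/DCSs no group or user points at: clean-up candidates."""
        holders = [*self.groups.values(), *self.users.values()]
        return (set(self.nars) - {h.nar for h in holders},
                set(self.dcss) - {h.dcs for h in holders})

def build_sample_policy():
    """Constructed sample data; every device, group and user name is invented."""
    return Policy(
        ndgs={"SWITCHES": frozenset({"CAT3560-T"}), "FIREWALLS": frozenset({"ASA-EDGE"})},
        nars={"NetAdmins-Only": NAR("permit", frozenset({"SWITCHES", "FIREWALLS"})),
              "No-Firewalls": NAR("deny", frozenset({"FIREWALLS"})),
              "Unused-NAR": NAR("permit", frozenset({"SWITCHES"}))},
        dcss={"FullAdmin": DCS("permit", {"reload": "deny"}), "Unused-DCS": DCS("deny", {}),
              "ReadOnly": DCS("deny", {"show": "permit", "exit": "permit"})},
        groups={"AdminGroup": Group(True, "NetAdmins-Only", "FullAdmin"),
                "ReadOnly": Group(True, "No-Firewalls", "ReadOnly"),
                "VPNUsers": Group(False)},  # no NAR: only shell=False keeps them out
        users={"user1": User("AdminGroup"), "bob": User("VPNUsers"),
               "alice": User("ReadOnly", dcs="FullAdmin")},  # user-level override
    )
```

Note that "bob" appears in the access list for every device even though his group has no shell service, which is exactly the "who has access?" gap the NAR tip warns about.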


  • Aaa-reports! enterprise v1.2 - audit solutions for Cisco Secure ACS

    Extraxi is pleased to announce the latest version of its flagship reporting package - aaa-reports! enterprise v1.2
    The next release of aaa-reports! enterprise has just been made, mainly concentrating on new reports and datasets including:
    * Single TACACS+ command authorisations. Shows both permitted and denied commands by combining log entries from Failed Attempts and T+ Device Administration logs
    * RADIUS and TACACS session reports. These provide a single row per session with all relevant data.
    * RADIUS identity networking reports. The dataset used by the RADIUS session report is key for auditing identity network environments, allowing a username to be tied to a client-side MAC address/IP address or telephone number, assigned IP address etc. Using the point-and-click query builder it's possible to create deployment-centric reports with multi-level grouping, sorting, filtering plus calculated fields using flexible Visual Basic syntax and the full function library
    * Stability and bug fixes
    * Updated installers
    aaa-reports! enterprise v1.2 is a free upgrade for existing customers with a current support contract.
    Visit www.extraxi.com for full product details and a 60 day fully working trial.
    To see how aaa-reports! can help you meet your ACS audit requirements please take a look at this earlier post.

    bump

  • AAA Reports

    Hi, I need to provide an ACS report that will include all commands entered on firewalls/switches/routers.
    I have successfully set up ACS for these network devices; basic AAA is working, I can log failed/passed authentications, different levels of authentication were correctly configured, but in reports I can see only commands that have been denied (I have tested different user levels). How can I set up AAA to log all commands entered by e.g. network device admins?

    Hi Ganesh, thanks for the reply. Unfortunately I am still unable to see executed commands in the TACACS+ accounting report. I have all report fields enabled, the configuration is the same as you suggested, but still no luck. I set up a shell command authorization set and can see if read-only users (who have rights to run only the commands in the read-only authorization set) try to execute commands they are not authorized to run, but I cannot see all commands executed on the switch. It is really important to have a record of who initiated what commands on network devices, and when.
    07/16/2010,09:18:30,AAAServer,GRoup,SWITCHES,CAT3560-T,UserName,192.168.182.1,start,15,,,,,,2,(Default),,,shell,,,,,,,,,,,,,,UTC,,,,,,,,,,,,,,,,,,,,,,,,No,Login,1,6,192.168.182.20,tty1
    Any other suggestions?
    Hi,
    If your ACS version is 4.1, TACACS+ Command Accounting no longer works: no accounting records are visible in the TACACS+ Administration log (bug CSCsg97429).
    Click this link if you are using ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:
    applAcs_4.1.1.23_ACS-4.1-CSTacacs-CSCsg97429.zip
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • Extraxi Release aaa-reports! Enterprise v1.1

    In addition to all the reporting goodness in v1.0 we've just added:
    * Automated import of the ACS Database via dump.txt or package.cab
    * Database snapshots to allow unlimited data retention without compromising performance
    * Interactive web reporting
    aaa-reports! enterprise suite includes our log collection agent (csvsync) that downloads both logs and database to your schedule - works with multiple ACS versions and platforms for easy deployment.
    Free 90 day trial from http://www.extraxi.com

  • Does ISE 1.1 support TACACS and H-REAP?

    Hello,
    Does ISE1.1 support TACACS/TACACS+ and H-REAP mode ?
    Also, the customer wants to have quick access to the corporate network with a few laptops without going through Active Directory. Any suggestion on this?
    Thanks
    Olu

    EAP-TLS does not rely on AD.
    CA root cert is installed on ACS for trust and identity.
    you can elect to Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory
    Users and Identity Stores >
    Certificate Authentication Profile >
    Edit: "CN Username"
    see the checkbox at the bottom.
    I do EAP TLS machine auth only without integrating AD into the policy at all.
    hth,
    jk
