Command accounting for SNMP config

We can use TACACS+ and ACS to do the command accounting for EXEC shell commands executed. But what about configuration changed by SNMP set? How can we find out which OIDs are set by NMS tools?
Thanks!

Well, RADIUS accounting is supported on ACS, so if your AAA client is accounting the commands, then they will appear on ACS without problem.

Similar Messages

  • Aaa accounting for config-mode commands

    How to account commands entered in config-mode via TACACS+ ?
    aaa accounting commands 15 default start-stop group tacacs+
    does accounting for all commands in privilege level 15.
    Best Regards
    Carsten

    Carsten
    I am not clear what your question is. From the title I gather that you are looking for a way to have accounting records for commands entered in config mode. The answer to the question is to enable accounting for level 15 commands which include the config commands. All of which is included in your message. So what is the question?
    If the question is how to get just the config commands without all the other level 15 commands I am not aware of any way to get just the config commands.
    HTH
    Rick

  • Need solution for SNMP Service on Solaris

    Hi Friends,
    We use the solaris servers. For SNMP we have changed the Default Password of SNMP Service.
    We audited our servers by doing penetration testing (PT). In this activity it was reported that SNMP is using the default password. They had the tool "Getif" for SNMP testing. If the default passwords are set for the SNMP service, this tool reads the important information. If default passwords are not used, it cannot read any information about SNMP.
    When I change the default password for SNMP, should I restart the service for the changes to take effect?
    Pls help

    Hi taher;
    Thanx buddy. You are really helping us out. I just try to share my knowledge with forum users; I have also already learned many things from the forums, especially from Hussein Sawwan.
    I have two more doubts. Like in linux we use which command to see if that executable is in the PATH but in Solaris 10 is whence a replacement for that. I believe you can use the which command in Solaris too.
    Q2). I dont think i need to go for split architecture as both the DB (11i) and application tier are certified for solaris *10* SPARC (64-bit). You should decide it, not me :) You can use split config if your business needs it or not. It just depends on your analysis.
    I hope my answer answers your question and gives you some idea about your issue :)
    Regard
    Helios

  • Vpdn: searching for snmp oid to log out vpdn session

    Hello colleagues,
    Cisco 7204 works as vpdn server.
    There are two problems:
    1) I'm searching for an SNMP OID to log out, terminate a vpdn session
    2) the radius server does not receive snmp statistics of incoming traffic of vpdn users.
    Please is anyone able to assist me?
    aaa new-model
    aaa authentication login default local
    aaa authentication ppp default group radius local
    aaa authentication ppp VPDN local group radius
    aaa authorization network default local group radius
    aaa accounting delay-start
    aaa accounting update periodic 3
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa session-id common
    vpdn enable
    vpdn-group 1
    ! Default PPTP VPDN group
    description HOMENET
    accept-dialin
    protocol pptp
    virtual-template 3
    interface Virtual-Template3
    ip unnumbered Loopback1
    peer default ip address pool vpdn-pool
    no keepalive
    ppp authentication chap VPDN
    snmp-server community xxxxxxx RW
    snmp-server chassis-id 0x0E
    snmp-server enable traps tty
    radius-server host x.x.x.x auth-port 1812 acct-port 1813
    radius-server timeout 60
    radius-server key 7
    radius-server authorization permit missing Service-Type
    Best regards, Petr Akimov

    Hello –
    I received a reply from the developer of the script, and listed below is the new code that was suggested:
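    #!/bin/bash
    # Arguments: $1 = host, $2 = SNMP community, $3 = critical threshold, $4 = warning threshold
    # Read hrSystemNumUsers.0 (HOST-RESOURCES-MIB) and keep only the numeric value.
    value=$(snmpwalk -v1 -c "$2" "$1" .1.3.6.1.2.1.25.1.5.0 | cut -d " " -f4)
    # Exit code: 2 above the critical threshold, 1 above the warning threshold, 0 otherwise.
    if [[ $value -gt $3 ]]
    then
        echo " $value Users Online, Critical!"
        retval=2
    else
        if [[ $value -gt $4 ]]
        then
            echo " $value users online, Warning!"
            retval=1
        else
            echo " $value Users online, fine."
            retval=0
        fi
    fi
    exit $retval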
    I checked the server in question, and there were two, 2, user logins active on the system. I ran the snmpwalk command, and the output was the following:
    HOST-RESOURCES-MIB::hrSystemNumUsers.0 = Gauge32: 15
    I then modified the script to include the above text, and ran it again. The output was the following:
    15 users on line, Normal.
    For some reason, the value of 12 appears to be that for no users logged into the system. I am not sure why that is the case.
    If nothing else, progress has been made with the modification of the script. The snmp service that I have installed on the server is that which came bundled as a feature with the server. The only thing that was not installed was the SNMP WMI Provider option.

  • Command accounting with ACS

    How can I achieve command accounting via ACS? I have configured devices as below but no luck
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    any idea about it

    Hi, I am using the 4.2 version appliance. I am using tacacs+; you can see the below config for your reference
    aaa new-model
    aaa group server tacacs+ bwaaa
    server 10.2.6.1
    server 10.2.6.2
    ip tacacs source-interface Vlan1111
    aaa authentication login aaa-list group bwaaa local
    aaa authentication enable default group bwaaa enable
    aaa authorization exec aaa-list group bwaaa local
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    aaa session-id common
    tacacs-server host 10.2.6.1 timeout 25
    tacacs-server host 10.2.6.2 timeout 25
    tacacs-server timeout 25
    tacacs-server directed-request
    tacacs-server key cisco123

  • CSCtg09895 - %MGBL-exec-3-ACCT_ERR main: command accounting failed

    Dear fellows,
    I am facing the below problem on one ASR 9010 router while configuring. I am unable to configure anything; after entering any command this error shows up
    RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
    RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
    RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:hostname(config-if)#commit
    Thu Jan 15 12:48:50.521 IST
    RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    it is not allowing even to commit any change
    and unable to find any online solutions for this.
    please help
    following packages are active right now
     disk0:asr9k-doc-px-4.3.4
        disk0:asr9k-fpd-px-4.3.4
        disk0:asr9k-k9sec-px-4.3.4
        disk0:asr9k-mcast-px-4.3.4
        disk0:asr9k-mgbl-px-4.3.4
        disk0:asr9k-bng-px-4.3.4
        disk0:asr9k-mini-px-4.3.4
        disk0:asr9k-mpls-px-4.3.4

    it is a fresh installation and the device is not connected to any network yet.
    PS: please tell what more output are needed so that this problem can be solved.

  • Commands accounting.

    Hello.
    I'm using this configuration for commands accounting with Cisco Secure ACS. When the first server fails, the second AAA server doesn't report any accounting records in T+ Administration, using the broadcast keyword also.
    Many thanks for suggestions.
    Regards.
    Andrea
    aaa new-model
    aaa group server tacacs+ CiscoSecureACS
    server 10.4.44.74
    server 10.4.44.75
    aaa authentication login default group CiscoSecureACS local
    aaa authentication enable default group CiscoSecureACS enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group CiscoSecureACS local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group CiscoSecureACS
    aaa accounting commands 15 default start-stop group CiscoSecureACS
    aaa accounting connection default start-stop group CiscoSecureACS
    tacacs-server host 10.4.44.74 single-connection timeout 5
    tacacs-server host 10.4.44.75 single-connection timeout 5
    tacacs-server directed-request

    Using some debug and log I can verify that AAA server receives the accounting packet and replies but doesn't record it on file.
    Any ideas?
    Thanks.
    Andrea

  • Tacacs authentication fails for one user account for only one switch

    Hi,
    I have a scenario where TACACS authentication fails for one user account on only one switch.
    The same user account works well for other devices.
    The AAA configs are the same on every device in the network.
    Here's the show tacacs output from the switch where only one user account fails:
                  Socket opens:        157
                 Socket closes:        156
                 Socket aborts:        303
                 Socket errors:          1
               Socket Timeouts:          2
       Failed Connect Attempts:          0
            Total Packets Sent:       1703
            Total Packets Recv:       1243
              Expected Replies:          0
    What could be the reason ?
    No errors on ACS server; same rights had been given to the user account.
    Thanks to advise.
    Prasey

    Hi there,
    Does the user get authenticated in the ACS logs?
    reports and activity----> failed attempts
    or
    reports and activity----->  passed authentications
    That will help narrow it down.
    Brad

  • I can't use FaceTime, but my sister can. We share the same account for iTunes, but when I go to FaceTime and click on create a new account a blank screen pops up. What do I do? When I go to make a new FaceTime account nothing comes up

    I can't use FaceTime, but my sister can. We share the same account for iTunes, but when I go to FaceTime on my iPod touch and click on create a new account a blank screen pops up and the only thing it says is cancel and account. What do I do?

    Please follow these directions to delete the Mail "sandbox" folder.
    Back up all data.
    Triple-click the line below to select it:
    ~/Library/Containers/com.apple.mail
    Right-click or control-click the highlighted line and select
    Services ▹ Reveal
    from the contextual menu.* A Finder window should open with a folder named "com.apple.mail" selected. If it does, move the selected folder — not just its contents — to the Desktop. Leave the Finder window open for now.
    Quit and relaunch Mail, and test. If the problem is resolved, you may have to recreate some of your Mail settings. You can then delete the folder you moved and close the Finder window. If you still have the problem, quit Mail again and put the folder back where it was, overwriting the one that may have been created in its place. Post your results.
    Caution: If you change any of the contents of the sandbox, but leave the folder itself in place, Mail may crash or not launch at all. Deleting the whole sandbox will cause it to be rebuilt automatically.
    *If you don't see the contextual menu item, copy the selected text to the Clipboard (command-C). In the Finder, select
    Go ▹ Go to Folder...
    from the menu bar, paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.

  • Creating more than one account for a single user

    I was wondering, if I create more than one account for me (the only person that uses my powerbook) is that going overboard? I mean, let's say I am logged into the standard account and I want to learn more about the bash shell and using terminal which I am new to, if I **** something up will the whole system be toast or will only things in that account be messed up? Like could I then just log into my admin account and delete the other messed up one? Or no? My theory was that this was a way of keeping my comp safe from myself, being that I am new to macs and moreso that I am new to the unix side of things and want to start learning the command line without worrying about screwing up my whole system. I would just use the standard account for everyday use (like what I do now) or experiment with terminal, and when I need to download something or change some settings that requires me to be logged in as admin then I would log in and download what I need then log out and use it in the standard account...am I just wasting my time? Is what I am doing any "safer" than just having one admin account and that's it?
    Thanks for all the help! It feels good to be a part of the goodguys team =)
    Thanks again!

    Ghost,
    First, I don't subscribe to the "one should not use an admin account" philosophy. For someone who is the owner and main user of any given machine, I see the use of anything but an admin account a bit anal, totally unnecessary, and needlessly complicating.
    On the other hand, I don't see the need for more than one admin account on any given machine. Yes, I see exceptions to this, and many people favor having a second admin account as a "backup," but I have never had more than one admin account on any of my machines, and have never encountered a situation where one would have helped.
    In short, I like the idea of having a "main" admin account that is used most of the time, and then having "secondary" accounts (all non-admin) for any additional users that might log in.
    Now, any limitations that apply to you as a GUI user of an account, admin or not, will apply to you at the command line as well. In other words, you can't get yourself into any more trouble at the command line than you can within the GUI. In fact, you might even be better protected at the command line than you are in the GUI. I say this because any action that would ordinarily "elevate" you above the standard capabilities of a non-admin user requires the use of "sudo." Avoid the use of sudo, and you can avoid any problems.
    That doesn't mean that you wouldn't be able to do something stupid that might wreck an account that contains "all of your stuff," and on which you depend. It is not likely that you would damage your System, but it is entirely conceivable that you might, for example, accidentally delete or overwrite your entire HOME folder. Oops!
    If you simply don't trust yourself with the command line, a second account might be a good place to experiment. Maybe create it as a non-admin account at first, with the option to change it to an admin account at a later time, when you want to learn how to use "sudo" to do more powerful things. By then, you will understand what not to do. Eventually, you will have the confidence to use the command line in your own account, which will have been an admin account all this while.
    Scott

  • Creating a default User account for new users

    Today I tried creating a default setting for an account that could be used for all new users.  I did web search after web search and no luck.  In the old systems it was simple, but Mavericks made it difficult.  But after much hair pulling and putting several suggestions together it is just as simple as it was before.
    Step 1 Create a new user account
    Step 2 log on to that account and set it up totally, that means background picture, preferences, dock, everything
    Step 3 click on the home icon in a finder window then go to Finder view select view options and at the bottom check show library
    Step 4 go to HD>system library>user templates, you will need to select the file, Command I for info, unlock the lock, click + at bottom select your admin account, give yourself read write permissions, go click on the folder you wish/need to change and get info and repeat the step above for each folder.
    Step 5 replace the library folder and any other you wish to change with the one from the new account
    Step 6 you can also place any documents on the desktop or document folder and replace them
    Step 7 create a new user account and verify that the settings and dock are correct.
    This takes about 5 minutes or so and is much easier for the non pro

    I don't always understand how things can be different from one computer to the other running the same systems and following the same steps but I have 2 iMac's and the steps above for the desktop picture worked on one but not on the other, go figure.  So as a fix the default picture was named Wave in the Desktop Picture folder so I changed the name of it to Wave1 and renamed the new photo Wave,  did not change the alias in the CoreService folder, now the second computer creates a new user account with all my preferred settings and background picture.
    As a recap of my original post by creating a default user account, setting up the preferences for finder, and setting up the dock, I simply replaced the preference folder in the User Template file and it works perfectly.  Remember that you can do the same with the Document folder or the desktop if you want to place them for all new users.
    Since I am not a professional computer person I do not feel comfortable using the terminal or scripting so this works very well for the common person to create a new user template.

  • Sending email from a domain that I own (but no account for it on iPhone)

    iOS 8.1.3, iPhone 6
    I'd like to be able to send email from the iPhone's mail app  using a FROM address of [email protected] I own mydomain.com and abc has an email account there.
    But I don't want to install an account for [email protected] on the phone (it's a POP account which would involve a lot of fetching, among other reasons).
    Any way to accomplish this on the iPhone?
    (FYI, GMail allows this, and provides a procedure for verifying that the user actually controls the email address.)
    Thanks / Tom

    Thanks, that works!
    Well, not exactly. I had to fill in the outgoing server settings, but used a bad password. The iPhone reported that the account might not work properly, but it did light up DONE and I was able to save the config.
    So now when I'm in an app that allows email, I can scroll through the available "FROM" settings and pick the one I need.
    (I just hope this is not taking advantage of a bug in the setup dialog which Apple will close in a future release.)

  • How to find out if the company account for developing windows store apps is verified/approved?

    We have created the account for windows store app. How can I find out if the account was approved (the identity of the company)? 

    Hi,
    There is one more method,i know
    Set the JAVA_HOME and PATH
    then execute the
    $WL_HOME\wlserver_10.3\server\bin>setWLSEnv.cmd
    Go to directory which contains weblogic.jar ($WL_HOME\server\lib) and run below command
    $WL_HOME\wlserver_10.3\server\lib>java -cp weblogic.jar weblogic.version
    WebLogic Server 10.3.4.0 Fri Dec 17 20:47:33 PST 2010 1384255
    Hope this will be helpful,
    Regards
    Fabian

  • GL account for WRX - GR/IR Clearing Account

    Dear All,
    We have a common material which will be purchased through domestic and import PO. Valuation Class is assigned for the material in OBYC for a GL account.
    Requirement is to have different GL account for WRX when material is purchased through domestic PO or Import PO.
    Can we achieve by General Modifier in WRX and also we need 1) enhancement or through 2) Standard config we can assign different General Modifier to different type of purchase of material?
    Kindly let me know best possible solution to achieve the requirement.
    Regards
    Vikas

    In your case you need to stop this material code what it is running currently and close all the opens documents and make the stock as zero.
    Later you need to activate split valuation first  and  assign the valuation category domestic and import for that material with two different valuation class so you can differentiate the values in accounts...
    For more info on split valuation refer the below link...
    Split Valuation - Valuation Category "X" - Contributor Corner - SCN Wiki

  • Separate GL account for retention amount using Instalment payment?

    We have an interesting issue, our client is having a requirement regarding installment payment. Please find below the scenario. We hope to get some ideas in this regard.
    We are using payment term with settings for installment payment.
    Example: Payment term Y001 – Installment payment, Y002 – Installment payment 90% and Y003 – Installment payment 10%.
    Invoice Amount : 1000
    90 % outstanding for immediate payment : 900 (to be accounted in Vendor reconciliation account)
    10% retention till tax certificate produced : 100 (to be accounted under separate retention GL account)
    While posting invoice through MIRO & FB60, our client wants to split the amount in to two parts  90% outstanding to the Vendors and retain 10% of the invoice value till the tax returns certificate is produced. Presently Amount splitting is made to take care of this using a payment block in payment term Y003. This helps in retaining 10% of the amount till the tax paid certificate is produced.
    Postings are happening with the split amount, to the reconciliation account maintained for the Vendors. This is presently showing the total payables towards vendors. But for statutory reporting purpose, we now need to maintain a separate GL account for the retention amount. This is again required to be a Vendor reconciliation account for control over outstanding amounts with respect to respective vendors.
    We are exploring different alternatives to get this done. Please advice if you have come across any such scenario.
    Thanks in Advance.
    Regards,
    Viswanath

    I understand when you use your Installment payment term, system must be posting two lines for vendor i guess must be like;
    Expense                      Dr.   1000
         Vendor                                     Cr. 900
         Vendor                                     Cr. 100
    Ok eventually both 900 and 100 goes to the same GL (Reconciliation)Account but your client wants that the 100 should goes to other GL accounts.
    One of our colleagues in this forum has answered you to use Special GL Indicator, the solution up to some extent ok but I guess you will lose the automation of amount splitting which 900 and 100.
    So I would advise you the following;
    Create one Retention Reconciliation Account
    Configure Alternative/Reconciliation Account in the IMG ( This config allows you to change reconciliation account while posting invoice )
    So at time when you simulate your accounting entry double click on 100 line and manually enter the retention GL Account. I guess the solution is manual and painful but if special GL indicator can be used with automation then you must go with that
    regards,
    FICO
