Command accounting w/ RADIUS
Not having much luck getting this to work and searching the forums here everybody seems to say it is not possible unless TACACS+ is used. Is this still the case? I see the AAA/ACCT/CMD in the debug on the local switch but the RADIUS server never receives the data string except for the authentication entry.
Any way to re-classify the AAA/ACCT/CMDs and send in a syslog trap/log?
Looking for creative solutions here, TACACS+ is not available in this case.
Thanks
Hi,
Unfortunately you cannot log any AAA information to syslog.
Now you may ask why IOS CLI allows to configure command accounting via RADIUS when it is not supported. Well, this is indeed an IOS caveat which is described in CSCdp57020 'parser should not show radius as an aaa accounting commands option' and resolved in 12.2 based IOS trains (ref. Bug Toolkit on Cisco.com).
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCdp57020
Regards,
~JG
Do rate helpful posts
Similar Messages
-
Does "aaa accounting commands" not support radius?
When I issue this command:
aaa accounting commands 15 default start-stop group myradiusgroup
I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
Nowhere in the documentation could I find anything saying the "commands" accounting type is only available to tacacs+. Does aaa not support this accounting type for radius?
Hi Red,
The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
Hi all, can someone tell me whether we can perform accounting through radius as we can with tacacs? I tried doing this, but kindly see below
R1(config)#aaa accounting commands 15 default start-stop group ?
WORD Server-group name
tacacs+ Use list of all Tacacs+ hosts.
In the options I am not given Radius!! Why is that so? Can't accounting be achieved through a radius server?
Radius only supports start/stop accounting. Command accounting is supported by tacacs.
Regards,
~JG -
Command Accounting & Logging on ISE
Hi Guys,
Does ISE support Commands Accounting and logging on network devices.
Thanks,
Muayad Jallad
The Cisco Systems implementation of RADIUS does not support command accounting. TACACS does support it; ISE with TACACS is expected in the 2.0 release, which is on the roadmap.
-
Command accounting for SNMP config
We can use TACACS+ and ACS to do command accounting for the EXEC shell commands executed. But what about configuration changed by SNMP set? How to find out which OIDs were set by NMS tools?
Thanks!
Well, radius accounting is supported on ACS, so if your aaa client is accounting the commands, then they will appear on ACS without problem.
-
Hi:
I want to use something like "command accounting" on a PIX 525; I mean I want to know what commands were executed or typed by the administrator.
Does somebody know if it is possible on a PIX? My PIX version is 6.3.3.
Thank you.
I could find the following information for ver 6.2. I guess it is applicable to 6.3 too. http://www.cisco.com/warp/public/110/pix_command.shtml#accounting Basically, actual command accounting is not available. However, you can generate some sort of a record using syslog.
-
Hi,
Is there any way to enable command accounting except TACACS?
Command accounting is a feature of TACACS and is not supported by any other protocol.
Regards,
~JG -
How can I achieve command accounting via ACS? I have configured the devices as below but no luck
aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting system default start-stop group bwaaa
any idea about it
Hi, I am using the 4.2 version appliance. I am using tacacs+; you can see the config below for your reference
aaa new-model
aaa group server tacacs+ bwaaa
server 10.2.6.1
server 10.2.6.2
ip tacacs source-interface Vlan1111
aaa authentication login aaa-list group bwaaa local
aaa authentication enable default group bwaaa enable
aaa authorization exec aaa-list group bwaaa local
aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting system default start-stop group bwaaa
aaa session-id common
tacacs-server host 10.2.6.1 timeout 25
tacacs-server host 10.2.6.2 timeout 25
tacacs-server timeout 25
tacacs-server directed-request
tacacs-server key cisco123 -
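The point made in several of these threads (command accounting only produces records when the method list points at a TACACS+ group; "group myradiusgroup" gets the %AAAA-4-SERVNOTACPLUS error on newer IOS and was silently accepted on older trains) can be turned into an offline config audit. This is an added example, not code from the thread or from Cisco; it assumes a plain-text IOS running-config as input, and the RADIUS group and host in the sample are constructed.

```python
import re
from typing import Dict, List

# Constructed sample IOS config: the TACACS+ group from the post above next to
# a RADIUS group wrongly named by "aaa accounting commands" (the case behind
# %AAAA-4-SERVNOTACPLUS, or silently accepted on pre-12.2 IOS).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ bwaaa
 server 10.2.6.1
 server 10.2.6.2
aaa group server radius myradiusgroup
 server 10.2.6.10 auth-port 1812 acct-port 1813
aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting commands 15 default start-stop group myradiusgroup
aaa accounting system default start-stop group bwaaa
"""

GROUP_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)$")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) \S+ group (\S+)")

def server_groups(config: str) -> Dict[str, str]:
    """Map each named AAA server group to its protocol; the built-in names
    'tacacs+' and 'radius' stand for all hosts of that protocol."""
    groups = {"tacacs+": "tacacs+", "radius": "radius"}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups[m.group(2)] = m.group(1)
    return groups

def audit_command_accounting(config: str) -> List[str]:
    """One finding per 'aaa accounting commands' line whose method list
    names a group that is not TACACS+: that line yields no command records."""
    groups = server_groups(config)
    findings = []
    for line in config.splitlines():
        m = ACCT_RE.match(line.strip())
        if not m:
            continue
        level, method_list, group = m.groups()
        proto = groups.get(group, "undefined")
        if proto != "tacacs+":
            findings.append(f"level {level} list '{method_list}': group "
                            f"'{group}' is {proto}, not tacacs+")
    return findings

if __name__ == "__main__":
    for finding in audit_command_accounting(SAMPLE_CONFIG):
        print(finding)
```

Run it over a directory of backed-up configs to find devices whose command audit trail is silently empty.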
Is Command Accounting available on MDS 9216.
We use Command Accounting on our Catalyst Switches to capture the commands entered on the switches for auditing purposes. Entered commands on the Catalyst switches are captured on the Cisco ACS server and we can see who has done what under the "TACACS Administration" logs of ACS. Is this feature available on MDS switches as well?
Command accounting is available on the MDS platform as well. This could utilize the same TACACS+ backend you have for your Catalyst network.
You also will have very detailed control over who has access to what commands with Roles Based Access Control.
Dan -
Command Accounting Failure on my PIX
Hi,
I am configuring my PIX ver 7.2(2) for command accounting using the "aaa accounting command" command but I am not able to see any accounting information on my ACS 4.1 build 23 server!
Although authentication for this PIX is working just fine and the accounting is also working perfectly for other IOS devices, accounting for the PIX is not giving any results when browsing to the TACACS+ administration page!!
I am posting the PIX show-tech for your reference!
Appreciate your support here!
BR,
Haitham
Hi Rohit,
Thank you so much, you were absolutely right. The accounting problem was due to the bug CSCsg97429 and the problem was resolved after applying the patch: applAcs-4.1.1.23.1.zip
Thanks,
Haitham -
CSCtg09895 - %MGBL-exec-3-ACCT_ERR main: command accounting failed
Dear fellows,
I am facing the below problem on one ASR 9010 router while configuring. I am unable to configure anything; after entering any command this error shows up
RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
RP/0/RSP0/CPU0:hostname(config-if)#commit
Thu Jan 15 12:48:50.521 IST
RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
it is not allowing me even to commit any change
and I am unable to find any online solutions for this.
please help
following packages are active right now
disk0:asr9k-doc-px-4.3.4
disk0:asr9k-fpd-px-4.3.4
disk0:asr9k-k9sec-px-4.3.4
disk0:asr9k-mcast-px-4.3.4
disk0:asr9k-mgbl-px-4.3.4
disk0:asr9k-bng-px-4.3.4
disk0:asr9k-mini-px-4.3.4
disk0:asr9k-mpls-px-4.3.4
it is a fresh installation and the device is not connected to any network yet.
PS: please tell me what more output is needed so that this problem can be solved. -
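The console lines pasted above are also what a log pipeline sees when command accounting on an IOS XR box stops working, and they deserve an alert rather than a shrug: every command run while they appear has no accounting record. The parser below is an added example, not from the thread or from Cisco; it assumes the message layout visible in those lines, and the third sample line (an interface state change) is constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: two of the console lines from the post above (one with
# the CLI prompt still glued to its front) plus an unrelated link message.
SAMPLE_LOG = [
    "RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : "
    "Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected "
    "the 'fatal' condition 'No available method was able to process the request'",
    "RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: "
    "config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - "
    "Command accounting failed - - 'LOCALD' detected the 'fatal' condition "
    "'No available method was able to process the request'",
    "RP/0/RSP0/CPU0:Jan 15 12:49:02.001 IST: ifmgr[201]: %PKT_INFRA-LINK-3-UPDOWN : "
    "Interface TenGigE0/1/0/0, changed state to Down",
]

# Layout assumed: <node>:<timestamp>: <process>[<pid>]: %FAC-SUBFAC-SEV-MNEMONIC : <text>
MSG_RE = re.compile(
    r"RP/\S+?:(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+ \w+): (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"%(?P<fac>[A-Z_]+)-(?P<sub>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+) : (?P<text>.*)$")
COND_RE = re.compile(r"'(?P<src>\w+)' detected the '\w+' condition '(?P<cond>[^']+)'")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one IOS XR console/syslog line. search() rather than match() so a
    prompt pasted in front of the message does not hide it."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    c = COND_RE.search(rec["text"])
    rec["source"] = c.group("src") if c else ""
    rec["condition"] = c.group("cond") if c else ""
    return rec

def command_accounting_failures(lines: List[str]) -> List[Dict[str, str]]:
    """Records meaning a command ran without an accounting record being
    produced: an audit gap a SIEM rule should alert on, not just a CLI nuisance."""
    return [rec for rec in map(parse_line, lines)
            if rec and rec["mnem"] == "AAA_ERR"
            and "Command accounting failed" in rec["text"]]

if __name__ == "__main__":
    for rec in command_accounting_failures(SAMPLE_LOG):
        print(rec["ts"], rec["source"], rec["condition"])
```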
Hello.
I'm using this configuration for commands accounting with Cisco Secure ACS. When the first server fails, the second AAA server doesn't report any accounting records in T+ Administration, using the broadcast keyword also.
Many thanks for suggestions.
Regards.
Andrea
aaa new-model
aaa group server tacacs+ CiscoSecureACS
server 10.4.44.74
server 10.4.44.75
aaa authentication login default group CiscoSecureACS local
aaa authentication enable default group CiscoSecureACS enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group CiscoSecureACS local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group CiscoSecureACS
aaa accounting commands 15 default start-stop group CiscoSecureACS
aaa accounting connection default start-stop group CiscoSecureACS
tacacs-server host 10.4.44.74 single-connection timeout 5
tacacs-server host 10.4.44.75 single-connection timeout 5
tacacs-server directed-request
Using some debug and log I can verify that the AAA server receives the accounting packet and replies but doesn't record it on file.
Any ideas?
Thanks.
Andrea -
Adding Local User Account Alongside RADIUS
Greetings!
Currently every Cisco device authenticates with a RADIUS server we have on campus. I'm trying to add a local user account onto our switches and routers so that if the RADIUS server is unavailable or the switch loses connection we are able to use another login to access what we need. However when I add aaa authorization and authentication commands (no default) I think the switch cannot identify what is a RADIUS login and what is a local login. Depending on how we move commands around local will work and RADIUS will not, or RADIUS will work and local will not. Any suggestions on how to get both to work at the same time?
Thanks!
-Noah
Perhaps I do not have a correct understanding of what you are asking. But let me explain a little and if that does not address your issue then perhaps you can provide some clarification.
You cannot have Radius and the local account work at the same time - at least not in the sense that you can login and enter either one and expect it to work. What you can do (and what most people do) is to define one as primary (usually Radius) and one as backup (usually local account). Then when you attempt to login the device will attempt to use Radius, and if the Radius server is not available then it will use the local account.
If that does not clarify your issue then please help us understand better what your issue is.
HTH
Rick -
Cisco 2960-X & ISE accounting- username Radius attribute missing
Hi,
I'm facing an issue with Cisco 2960 switch radius accounting with Cisco ISE 1.2.1. Here is my scenario:
- Username (vendor1) is configured in ISE local database, under group (VENDOR)
- Authentication protocol : wired MAB
- Authentication method : webauth using guest portal , the user is a vendor , so no dot1x configured on his NIC .
The problem is that the switch is not sending the username as part of the radius attributes; in the authentication log the username is shown as the MAC address of the user machine, therefore I cannot configure my authorization condition using internaluser:Name Equal vendor1,
while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.
The same configuration is working on a 3750 switch with no issue.
Here is my Switch config:
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update periodic 5
username admin password
username radius-test password
aaa server radius dynamic-author
client 172.16.2.20 server-key 7 04490A0206345F450C00
client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
radius server ISE-RADIUS-1
address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key 7 111B18011E0718070133
radius server ISE-RADIUS-2
address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
automate-tester username radius-test idle-time 15
key 7 0214055F02131C2A4957
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail
radius-server dead-criteria time 5 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
any help!!!
Thanks for your reply. I know what MAB is; if you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending radius attribute type 1 to the ISE; thus, on the ISE authentication log the MAC address of the client machine is shown as the username, not the actual username (vendor1).
As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960X only. -
Anyconnect session accounting via radius or syslog ?
Hi
Does anyone have a deployed accounting method to log Anyconnect session details ? Do you do it via a radius server or via logging messages to a syslog server ?
If so could you assist with appropriate configuration ? I am looking to log successful and unsuccessful authentications as well as session length, log on and log off times.
I've been playing around with Anyconnect authenticating to AD via ACS 5.1 but can't seem to get the accounting details I require. Similarly I have tried to catch appropriate syslog messages but again without much success.
Many thanks for any input, St.
What all have you configured for radius accounting on the ASA?
Can you paste the o/p of show run aaa-server and show run tunnel-group?
Basically all you need is to define a radius server group and call that group under the tunnel-group parameters.
!--- Configure the AAA Server group.
ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
ciscoasa(config-aaa-server-group)# exit
!--- Configure the AAA Server.
ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
ciscoasa(config-aaa-server-host)# key secretkey
ciscoasa(config-aaa-server-host)# exit
!--- Configure the tunnel group to use the new AAA setup.
ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
ciscoasa(config-tunnel-general)# accounting-server-group RAD_SRV_GRP
Once done, you can then establish a session and check radius accounting detailed packet on ACS 5.x >> Monitoring and reports > catalog > aaa protocols > radius accounting.
In case you don't see radius accounting after following the above steps then please turn on "debug aaa accounting" and "debug radius" on the ASA. This way we can check whether the ASA is sending the accounting session details to ACS or not.
Regards,
Jatin Katyal
- Do rate helpful posts -