Command accounting w/ RADIUS

Not having much luck getting this to work, and searching the forums here, everybody seems to say it is not possible unless TACACS+ is used. Is this still the case? I see the AAA/ACCT/CMD in the debug on the local switch, but the RADIUS server never receives the data string except for the authentication entry.
Any way to re-classify the AAA/ACCT/CMDs and send them in a syslog trap/log?
Looking for creative solutions here; TACACS+ is not available in this case.
Thanks

Hi,
Unfortunately you cannot log any AAA information to syslog.
Now you may ask why the IOS CLI allows you to configure command accounting via RADIUS when it is not supported. Well, this is indeed an IOS caveat, which is described in CSCdp57020 'parser should not show radius as an aaa accounting commands option' and resolved in 12.2-based IOS trains (ref. Bug Toolkit on Cisco.com).
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCdp57020
Regards,
~JG
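Added example (not from this thread or from Cisco): a small Python check over an IOS running-config that flags `aaa accounting commands` method lists whose server groups are not TACACS+, which is the configuration the thread says never delivers command records over RADIUS. The sample configs, the server group names and the 10.0.0.5 address are constructed.

```python
import re

# Constructed sample config (not from the thread): command accounting aimed at RADIUS,
# once via a named RADIUS group and once via the built-in 'group radius' keyword.
RADIUS_CMD_ACCT = """\
aaa new-model
aaa group server radius myradiusgroup
 server 10.0.0.5 auth-port 1812 acct-port 1813
aaa accounting exec default start-stop group myradiusgroup
aaa accounting commands 15 default start-stop group myradiusgroup
aaa accounting commands 1 default start-stop group radius
"""

# Constructed sample modelled on the TACACS+ configs posted later in the thread.
TACACS_CMD_ACCT = """\
aaa new-model
aaa group server tacacs+ CiscoSecureACS
 server 10.4.44.74
 server 10.4.44.75
aaa accounting exec default start-stop group CiscoSecureACS
aaa accounting commands 15 default start-stop group CiscoSecureACS
"""

GROUP_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)")
ACCT_RE = re.compile(
    r"^aaa accounting (\S+)(?: (\d+))? (\S+) (start-stop|stop-only|wait-start)"
    r"(?: broadcast)?((?: group \S+)+)"
)

def check_command_accounting(config):
    """Return (line, reason) pairs for 'aaa accounting commands' method lists
    whose server groups are not TACACS+. Newer IOS rejects this with
    %AAAA-4-SERVNOTACPLUS; older trains accepted it but never delivered
    the records (CSCdp57020)."""
    groups = {}  # group name -> protocol, from 'aaa group server' lines
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(2)] = m.group(1)
    findings = []
    for line in config.splitlines():
        m = ACCT_RE.match(line)
        if not m or m.group(1) != "commands":
            continue
        for name in re.findall(r"group (\S+)", m.group(5)):
            # 'radius' and 'tacacs+' are built-in groups with an implied protocol
            proto = name if name in ("radius", "tacacs+") else groups.get(name)
            if proto is None:
                findings.append((line.strip(), f"server group '{name}' is not defined"))
            elif proto != "tacacs+":
                findings.append((line.strip(), f"server group '{name}' is {proto}; command accounting is TACACS+ only"))
    return findings

if __name__ == "__main__":
    for cfg in (RADIUS_CMD_ACCT, TACACS_CMD_ACCT):
        print(check_command_accounting(cfg))
```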

Similar Messages

  • Does "aaa accounting commands" not support radius?

    When I issue this command:
    aaa accounting commands 15 default start-stop group myradiusgroup
    I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
    Nowhere in the documentation could I find anything saying the "commands" accounting type is only available to TACACS+. Does AAA not support this accounting type for RADIUS?

    Hi Red,
    The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
    Regards,
    Kanwal

  • Accounting in Radius !

    Hi all, can someone tell me whether we can perform accounting through RADIUS as we can with TACACS? I tried doing this, but kindly see below:
    R1(config)#aaa accounting commands 15 default start-stop group ?
    WORD Server-group name
    tacacs+ Use list of all Tacacs+ hosts.
    In the options I am not given RADIUS!! Why is that so? Can't accounting be achieved through a RADIUS server?

    RADIUS only supports start/stop accounting. Command accounting is supported by TACACS.
    Regards,
    ~JG

  • Command Accounting & Logging on ISE

    Hi Guys,
    Does ISE support command accounting and logging on network devices?
    Thanks,
    Muayad Jallad

    The Cisco Systems implementation of RADIUS does not support command accounting. TACACS does support it; ISE with TACACS is expected in the 2.0 release, which is on the roadmap.

  • Command accounting for SNMP config

    We can use TACACS+ and ACS to do the command accounting for EXEC shell commands executed. But what about configuration changed by SNMP set? How do I find out which OIDs were set by NMS tools?
    Thanks!

    Well, RADIUS accounting is supported on ACS, so if your AAA client is accounting the commands, they will appear on ACS without problem.

  • Command accounting in PIX

    Hi:
    I want to use something like "command accounting" in a PIX 525; I mean I want to know what commands were executed or typed by the administrator.
    Does somebody know if it is possible on the PIX? My PIX version is 6.3.3.
    Thank you.

    I could find the following information for ver 6.2. I guess it is applicable to 6.3 too. http://www.cisco.com/warp/public/110/pix_command.shtml#accounting Basically, actual command accounting is not available. However, you can generate some sort of a record using syslog.

  • Command Accounting

    Hi,
    Is there any way to enable command accounting other than TACACS?

    Command accounting is a feature of TACACS and is not supported by any other protocol.
    Regards,
    ~JG

  • Command accounting with ACS

    How can I achieve command accounting via ACS? I have configured devices as below but no luck:
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    Any idea about it?

    Hi, I am using a 4.2 version appliance. I am using TACACS+; you can see the config below for your reference:
    aaa new-model
    aaa group server tacacs+ bwaaa
    server 10.2.6.1
    server 10.2.6.2
    ip tacacs source-interface Vlan1111
    aaa authentication login aaa-list group bwaaa local
    aaa authentication enable default group bwaaa enable
    aaa authorization exec aaa-list group bwaaa local
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    aaa session-id common
    tacacs-server host 10.2.6.1 timeout 25
    tacacs-server host 10.2.6.2 timeout 25
    tacacs-server timeout 25
    tacacs-server directed-request
    tacacs-server key cisco123

  • Command Accounting on MDS

    Is command accounting available on the MDS 9216?
    We use command accounting on our Catalyst switches to capture the commands entered on the switches for auditing purposes. Entered commands on the Catalyst switches are captured on the Cisco ACS server and we can see who has done what under the "TACACS Administration" logs of ACS. Is this feature available on MDS switches as well?

    Command accounting is available on the MDS platform as well. This could utilize the same TACACS+ backend you have for your Catalyst network.
    You will also have very detailed control over who has access to what commands with Role-Based Access Control.
    Dan

  • Command Accounting Failure on my PIX

    Hi,
    I am configuring my PIX ver 7.2(2) for command accounting using the "aaa accounting command" command but I am not able to see any accounting information on my ACS 4.1 build 23 server!
    Although authentication for this PIX is working just fine and the accounting is also working perfectly for other IOS devices, accounting for the PIX is not giving any results when browsing to the TACACS+ administration page!!
    I am posting the PIX show-tech for your reference!
    Appreciate your support here!
    BR,
    Haitham

    Hi Rohit,
    Thank you so much, you were absolutely right. The accounting problem was due to the bug CSCsg97429 and the problem was resolved after applying the patch: applAcs-4.1.1.23.1.zip
    Thanks,
    Haitham

  • CSCtg09895 - percentMGBL-exec-3-ACCT_ERR main: command accounting failed

    Dear fellows,
    I am facing the below problem on one ASR 9010 router while configuring. I am unable to configure anything; after entering any command this error shows up:
    RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
    RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
    RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:hostname(config-if)#commit
    Thu Jan 15 12:48:50.521 IST
    RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    It is not allowing me even to commit any change, and I am unable to find any online solutions for this.
    Please help.
    The following packages are active right now:
    disk0:asr9k-doc-px-4.3.4
    disk0:asr9k-fpd-px-4.3.4
    disk0:asr9k-k9sec-px-4.3.4
    disk0:asr9k-mcast-px-4.3.4
    disk0:asr9k-mgbl-px-4.3.4
    disk0:asr9k-bng-px-4.3.4
    disk0:asr9k-mini-px-4.3.4
    disk0:asr9k-mpls-px-4.3.4

    It is a fresh installation and the device is not connected to any network yet.
    PS: please tell me what more output is needed so that this problem can be solved.

  • Commands accounting.

    Hello.
    I'm using this configuration for command accounting with Cisco Secure ACS. When the first server fails, the second AAA server doesn't report any accounting records in T+ Administration, also when using the broadcast keyword.
    Many thanks for suggestions.
    Regards.
    Andrea
    aaa new-model
    aaa group server tacacs+ CiscoSecureACS
    server 10.4.44.74
    server 10.4.44.75
    aaa authentication login default group CiscoSecureACS local
    aaa authentication enable default group CiscoSecureACS enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group CiscoSecureACS local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group CiscoSecureACS
    aaa accounting commands 15 default start-stop group CiscoSecureACS
    aaa accounting connection default start-stop group CiscoSecureACS
    tacacs-server host 10.4.44.74 single-connection timeout 5
    tacacs-server host 10.4.44.75 single-connection timeout 5
    tacacs-server directed-request

    Using some debugs and logs I can verify that the AAA server receives the accounting packet and replies, but doesn't record it on file.
    Any ideas?
    Thanks.
    Andrea

  • Adding Local User Account Alongside RADIUS

    Greetings!
    Currently every Cisco device authenticates with a RADIUS server we have on campus. I'm trying to add a local user account onto our switches and routers so that if the RADIUS server is unavailable or the switch loses connection we are able to use another login to access what we need. However, when I add aaa authorization and authentication commands (no default) I think the switch cannot identify what is a RADIUS login and what is a local login. Depending on how we move commands around, local will work and RADIUS will not, or RADIUS will work and local will not. Any suggestions on how to get both to work at the same time?
    Thanks!
    -Noah

    Perhaps I do not have a correct understanding of what you are asking. But let me explain a little and if that does not address your issue then perhaps you can provide some clarification.
    You cannot have RADIUS and the local account work at the same time - at least not in the sense that you can log in and enter either one and expect it to work. What you can do (and what most people do) is to define one as primary (usually RADIUS) and one as backup (usually the local account). Then when you attempt to log in the device will attempt to use RADIUS, and if the RADIUS server is not available then it will use the local account.
    If that does not clarify your issue then please help us understand better what your issue is.
    HTH
    Rick

  • Cisco 2960-X & ISE accounting- username Radius attribute missing

    Hi,
    I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
    - Username (vendor1) is configured in the ISE local database, under group (VENDOR)
    - Authentication protocol: wired MAB
    - Authentication method: webauth using the guest portal; the user is a vendor, so no dot1x is configured on his NIC.
    The problem is that the switch is not sending the username as part of the RADIUS attributes. In the authentication log, the username is shown as the MAC address of the user machine; therefore, I cannot configure my authorization condition using InternalUser:Name Equal vendor1,
    while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.
    The same configuration is working on a 3750 switch with no issue.
    Here is my Switch config:
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa authorization auth-proxy default group radius 
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 5
    username admin password 
    username radius-test password 
    aaa server radius dynamic-author
     client 172.16.2.20 server-key 7 04490A0206345F450C00
     client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
    radius server ISE-RADIUS-1
     address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 111B18011E0718070133
    radius server ISE-RADIUS-2
     address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 0214055F02131C2A4957
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    Any help!!!

    Thanks for your reply. I know what MAB is; if you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending RADIUS attribute type 1 to the ISE; thus, on the ISE authentication log the MAC address of the client machine is shown as the username, not the actual username (vendor1).
    As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960X only.

  • Anyconnect session accounting via radius or syslog ?

    Hi
    Does anyone have a deployed accounting method to log AnyConnect session details? Do you do it via a RADIUS server or via logging messages to a syslog server?
    If so, could you assist with the appropriate configuration? I am looking to log successful and unsuccessful authentications as well as session length, log-on and log-off times.
    I've been playing around with AnyConnect authenticating to AD via ACS 5.1 but can't seem to get the accounting details I require. Similarly, I have tried to catch the appropriate syslog messages but again without much success.
    Many thanks for any input, St.

    What all have you configured for RADIUS accounting on the ASA?
    Can you paste the output of show run aaa-server and show run tunnel-group?
    Basically, all you need is to define a RADIUS server group and call that group under the tunnel-group parameters.
    !--- Configure the AAA Server group.
    ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
    ciscoasa(config-aaa-server-group)# exit
    !--- Configure the AAA Server.
    ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
    ciscoasa(config-aaa-server-host)# key secretkey
    ciscoasa(config-aaa-server-host)# exit
    !--- Configure the tunnel group to use the new AAA setup.
    ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
    ciscoasa(config-tunnel-general)# accounting-server-group RAD_SRV_GRP
    Once done, you can then establish a session and check radius accounting detailed packet on ACS 5.x >> Monitoring and reports > catalog > aaa protocols > radius accounting.
    In case you don't see RADIUS accounting after following the above steps, then please turn on debug aaa accounting and debug radius on the ASA. This way we can check whether the ASA is sending the accounting session details to ACS or not.
    Regards,
    Jatin Katyal
