Missing aaa accounting commands
Hi,
I might be being REALLY STUPID, but I am trying to config a 12.3 IOS router to send command accounting records to an ACS 3.3 server via RADIUS.
When I input the 'aaa accounting commands 15 default group radius' command, it is accepted by the router, but when I show the config, it's not there. This is the same for all command levels. This router is logging VoIP accounting records too, to the same RADIUS box, without problems.
Have I missed something about setting up AAA?
Grateful for any help!
Thanks
Pete Moore
Even if IOS did support it, the format of any RADIUS cmd accounting will be inferior for a couple of reasons
1) The ACS TACACS+ reports are totally geared up for this with pre-defined columns for each T+ attribute.
2) ACS has a dedicated cmd accounting report which splits out cmds from sessions
3) To package in RADIUS, IOS would have to create many cisco-av-pair VSA instances. In the RADIUS accounting logs these will all be compressed into a single column of the format
"attr1=value1;attr2=value2;..."
Depending on what you want to do with the data this format is quite restrictive.
My advice is to enable TACACS+
Darran
Similar Messages
-
Question about usage of aaa accounting commands
Hi everyone,
I have the problem that Cisco routers and switches do not send some accounting command information to ACS.
Accounting commands not sent to ACS are "show log" and "show version".
Accounting commands sent to ACS are "show runn", "conf t" and "debug".
The configuration of routers and switches is the following
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands not sent to ACS are privilege level 1 commands and the commands sent to ACS are privilege level 15 commands.
So I need the additional aaa accounting command below to get routers and switches to send level 1 commands to ACS, because the "15" of "aaa accounting commands 15" does not include level 1, so I need to configure "aaa accounting commands 1" for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct ?
Your information would be greatly appreciated.
Best regards,
Hi,
please do this and the router will send everything to the ACS server, except whatever you are doing to the router in http:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line aux 0
session-timeout 35791
exec-timeout 35791 23
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication notac
transport input all
line vty 0
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
David
CCIE Security -
Enable aaa accounting commands for all privilege levels?
Here is the command's syntax:
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
Take the following example:
aaa accounting commands 15 default start-stop group mygroup
If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
How can I log all commands regardless of privilege level?
Hi Red,
If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
You can find the command detail at the following link. This is for ASA though.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?
I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.
Thanks, Rick
Give extraxi aaa-reports! a try (free trial version available).
We offer loads of great canned reports for device admin, and more importantly you can filter out stuff you don't want during import.
Once the CSVs are imported we also have a visual query builder for drilling down into your data, with the results exportable to word/excel/html etc.
Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance).
We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"
Darran -
Question on AAA accounting command?
Is AAA command “aaa accounting commands 15 default start-stop group” just for tacacs+ groups and not for radius?
jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
You will not even see an option for radius.
jkatyel(config)#aaa accounting commands 15 default start-stop gr
jkatyel(config)#aaa accounting commands 15 default start-stop group ?
WORD Server-group name
tacacs+ Use list of all Tacacs+ hosts.
Accounting supported by radius
https://tools.ietf.org/html/rfc2866
Regards,
Jatin Katyal
*Do rate helpful posts* -
Does "aaa accounting commands" not support radius?
When I issue this command:
aaa accounting commands 15 default start-stop group myradiusgroup
I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
Nowhere in the documentation could I find anything saying the "commands" accounting type is only available to tacacs+. Does aaa not support this accounting type for radius?
Hi Red,
The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
Aaa accounting commands levels
Hello,
I am confused on aaa accounting. If I wish to account all commands and the levels I have configured are, say, 5 and 15, do I need to include level 0 in my aaa accounting commands?
Hello,
By default on IOS devices we have three commands distributed over three privilege levels i.e.,
Level 0
Level 1, and
Level 15.
If you do not explicitly change the privilege level of command(s), then the only commands that you need to enter on an IOS device to monitor all commands executed on the device are:
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
I have defined TACACS+ as the accounting server, as it gels best for administrative purposes, i.e. Shell Command authorization.
Let me know if this clarifies your doubt :) -
AAA Radius accounting command is not taking in 3750 switch
Hi Cisco Support community,
I am facing an issue with radius accounting in a Cisco 3750 switch with version 12.2. I am unable to start accounting for the radius server.
This is the config that is on the switch for Radius.
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec my-authradius group radius if-authenticated
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 20 tries 5
radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
When I try to add the following commands for accounting, they are not saved.
aaa accounting commands 0 default start-stop group radius
aaa accounting commands 1 default start-stop group radius
aaa accounting commands 15 default start-stop group radius
If I paste these commands one by one, after start-stop group it shows only two options, either tacacs+ or server; there is no radius option.
I tried to create a server group and add the radius server to the group. Even then, when I try to implement the aaa accounting command with the server command, it does not show in show run.
Can anyone please help me with this issue.
Hi,
thanks for your reply, but the thing is that I want to see the commands that are being run by a user on this particular device. If I use the network command it will only show me the network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
I have read the document from this link and it is stating that we can use command accounting. Below is the link
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html.
Can anyone please tell me if this is a version issue, because even in version 15.4 I was not seeing the radius option at the end:
aaa accounting commands 15 default start-stop group (radius) - in place of radius it was showing only Tacacs+ or group. -
Aaa accounting for config-mode commands
How to account commands entered in config-mode via TACACS+ ?
aaa accounting commands 15 default start-stop group tacacs+
does accounting for all commands in privilege level 15.
Best Regards
Carsten
Carsten
I am not clear what your question is. From the title I gather that you are looking for a way to have accounting records for commands entered in config mode. The answer to the question is to enable accounting for level 15 commands which include the config commands. All of which is included in your message. So what is the question?
If the question is how to get just the config commands without all the other level 15 commands I am not aware of any way to get just the config commands.
HTH
Rick -
What is the main function of Accounting commands
Hi,
Can any one tell me that,
what is the main function of the below commands in TACACS
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
!--- Log the start and stop of EXEC session to the device. When the user logged in and when the user logged out. Total time spent.
aaa accounting commands 1 default start-stop group tacacs+
!--- Account/Log all the commands executed by the user, that are at privilege level 1.
aaa accounting commands 15 default start-stop group tacacs+
!--- Account/Log all the commands executed by the user, that are at privilege level 15.
aaa accounting system default start-stop group tacacs+
!--- Send the log to the Tacacs server about the system events (reboot etc..)
More details,
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html#wp1038916
Regards,
Prem
Please rate if it helps! -
Hi guys, I'm facing this strange problem, kindly check the config below
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host x.x.x.x key abcdse
ip tacacs source-interface fas 0/0
Now everything was working fine, but a strange issue has arisen: when I check the tacacs administration report it just shows me logs up to 4 rows and no more!!! Like, see if I have done this configuration on the router
config t
int lo 0
ip add 20.0.0.1 255.0.0.0
int lo 1
ip add 30.0.0.1 255.0.0.0
Now when I check the accounting report (administration report) it just shows me the first 4 commands
config t
int lo 0
ip add 20.0.0.1 255.0.0.0
int lo 1
That's it!!! Why is this so?? Does anyone have any idea why this is happening?
thanks
I would use the following:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting resource default start-stop group tacacs+
CCIE Security -
Accounting Command for Configuration Changes
Hi All,
I want the logs of command or configuration changes made in Routers or Switches to be sent to ACS 4.1,
like the following
Wed Jun 27 03:46:47 2001 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=3 service=shell priv-lvl=1 cmd=show version <cr>
the above is found in the Command Accounting of the Link
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacct.html#wp1000976
Anand
The information that you need about how to configure this is not so good in the link that you posted. But it is not difficult to configure. I use the following line in configuration of routers and get the accounting records in ACS for all privilege level commands including any configuration commands.
aaa accounting commands 15 default start-stop group tacacs+
You might want to change some details (like tacacs+) depending on how your routers are configured to talk to ACS.
HTH
Rick -
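A post-processing example, added here and not from the forum posters or Cisco: it parses TACACS+ command accounting records in the layout quoted above (one record per line, as in the IOS accounting guide) and drops records from a source you want to exempt, such as the shunning IDS asked about in the earlier thread. The sample lines, the `ids-shun` username and the fixed field order before the AV pairs are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample records in the layout quoted from the IOS accounting guide
# (one record per line; the forum quote shows one wrapped over two lines).
SAMPLE_RECORDS = """\
Wed Jun 27 03:46:47 2001 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=3 service=shell priv-lvl=1 cmd=show version <cr>
Wed Jun 27 03:47:02 2001 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=4 service=shell priv-lvl=15 cmd=configure terminal <cr>
Wed Jun 27 03:47:09 2001 172.16.25.15 fgeorge tty3 5622329430/4327528 stop task_id=5 service=shell priv-lvl=15 cmd=interface Loopback0 <cr>
Wed Jun 27 03:47:15 2001 172.16.25.15 ids-shun tty0 5622329431/4327529 stop task_id=6 service=shell priv-lvl=15 cmd=access-list 199 deny ip host 10.9.8.7 any <cr>
Wed Jun 27 03:47:16 2001 172.16.25.15 ids-shun tty0 5622329431/4327529 stop task_id=7 service=shell priv-lvl=15 cmd=access-list 199 deny ip host 10.9.8.8 any <cr>
"""

# Assumed fixed prefix: timestamp, NAS address, user, port, session ids, status,
# followed by free-form attribute=value pairs.
RECORD_RE = re.compile(
    r"^(?P<timestamp>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<session>\S+) "
    r"(?P<status>start|stop|update) (?P<avpairs>.*)$"
)


def parse_record(line):
    """Return a dict for one accounting record, or None if the line does not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    avpairs = rec.pop("avpairs")
    # cmd= is the last pair and its value contains spaces; it runs to the trailing <cr>.
    head, sep, cmd = avpairs.partition(" cmd=")
    pairs = dict(p.split("=", 1) for p in head.split() if "=" in p)
    if sep:
        pairs["cmd"] = cmd.removesuffix("<cr>").strip()
    rec.update(pairs)
    return rec


def command_records(text, exclude_users=(), exclude_ports=()):
    """Keep only shell command records, minus those from excluded users/ports (e.g. the IDS)."""
    kept = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec.get("service") != "shell" or "cmd" not in rec:
            continue
        if rec["user"] in exclude_users or rec["port"] in exclude_ports:
            continue
        kept.append(rec)
    return kept


def commands_by_priv(records):
    """Count accounted commands per (user, priv-lvl) to see which levels actually get logged."""
    return Counter((r["user"], r.get("priv-lvl", "?")) for r in records)


if __name__ == "__main__":
    kept = command_records(SAMPLE_RECORDS, exclude_users=("ids-shun",))
    for r in kept:
        print(r["timestamp"], r["user"], r["port"], "priv", r["priv-lvl"], "->", r["cmd"])
    print(commands_by_priv(kept))
```

Run it against an ACS CSV export converted to this one-line form, or adapt RECORD_RE to the column order of your export.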
AAA accounting (commands information)
hi,
Currently I am using aaa accounting for 3560 switches with the ACS 4.1 solution engine. I want to log the IOS commands entered. I have chosen the "cmd" and "cmd-arg" fields in the CSV and syslog (tacacs+ accounting); these fields are empty (..) when the CSV record is seen on the ACS server and syslog server. Can somebody tell me how I can log the commands entered after the authentication with ACS is successful.
Regards
Naresh
Naresh,
Command accounting only works with tacacs and not with radius. Make sure we are using tacacs.
Here are the commands you need on IOS
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 aaa-list start-stop group tacacs+
aaa accounting commands 15 aaa-list start-stop group tacacs+
These logs are stored in tacacs administration report, so make sure you are checking the correct head.
If it is still not working then check the ACS code. In case it is 4.1.1 then you need to apply patch 5 to fix it.
To download patch for appliance,
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
For windows
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Regards,
~JG
Do rate helpful posts -
Aaa authorization commands for pix 535
Hi ,
Can you provide aaa authorization commands for pix 535
Sanjay Nalawade.
Hi,
Please find the AAA config for PIX.
aaa-server TACACS+ protocol tacacs+
max-failed-attempts 5
aaa-server TACACS+ (ExranetFW-In) host
timeout 5
key ********
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command LOCAL
aaa accounting command privilege 15 TACACS+
aaa authorization exec authentication-server
Karuppuchamy -
AAA issue ( command authorization failed)
I am getting this issue, and following is the script; I cannot find or locate the cause of the error!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hexxor
boot-start-marker
boot-end-marker
enable secret 5 $1$Y.Nt$aZ9/2rl2DMbEnSGJVqmln1
enable password 7 0525112F05411F075231123E
username hexxor password 7 024D2A103F26243363593D1C2B5C
aaa new-model
aaa authentication login T-AUTH group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
aaa accounting exec T-ACC start-stop group tacacs+
aaa accounting commands 15 T-ACC start-stop group tacacs+
interface Vlan1
no ip address
interface Vlan50
ip address 128.1.50.54 255.255.255.0
no ip route-cache
ip default-gateway 128.1.50.254
no ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging 10.241.40.20
logging 128.1.50.245
access-list 1 permit 128.1.50.245
snmp-server host 10.241.40.27 Armageddon
snmp-server host 128.1.50.245 Armageddon
tacacs-server host 10.241.40.22
tacacs-server host 10.241.40.23
tacacs-server directed-request
tacacs-server key 7 020813480E052F2E4D
line con 0
exec-timeout 5 0
password 7 1142374E2332201E2B3D1F210678
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport preferred none
line vty 0 4
exec-timeout 5 0
password 7 06281801684358174E231727
authorization commands 15 T-AUTHOR
authorization exec T-AUTHOR
accounting commands 15 T-ACC
accounting exec T-ACC
login authentication T-AUTH
transport input telnet
transport output telnet
line vty 5 15
password 7 0228137B2F0B5E2F077A0C35
end
Based on what I think I understand in this reply it appears that the problem is caused in the named authorization method of T-AUTHOR. This named method sends an authorization request to the TACACS server. So it appears that the TACACS server is not authorizing the commands that you enter.
I would suggest this as a first test:
- login to the device.
- go into enable mode.
- attempt the show run command. (I assume that it will fail)
- check on the TACACS server. look in the logs for indications of how it processed the request and why it did not authorize it.
If you want to do a second test to verify the cause of the problem then I would suggest this:
- remove from the config these lines
aaa authorization exec T-AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 T-AUTHOR group tacacs+ if-authenticated
then login to the device, go into enable mode, attempt the show run command
Try one or both of these tests and post back to tell us of the results.
HTH
Rick