Tacacs+ accounting log question

I have a tacacs server running for accounting purposes only (so I use local authentication). So I can collect all accounting logs only.
This is a snapshot for accounting part.
Tacacs accounting logs
<102> 2014-02-23 10:20:22 [10.254.1.2:22823] 02/23/2014 10:20:22 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.50.129 User= brian Flags=Stop task_id=57 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-23 10:23:51 [10.254.1.2:58167] 02/23/2014 10:23:51 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.50.129 User=brian Flags=Stop task_id=58 cmd=configure term service=shell elapsed_time=0
<102> 2014-02-24 07:06:31 [10.254.1.2:19784] 02/24/2014 07:06:31 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=59 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-24 07:07:53 [10.254.1.2:19254] 02/24/2014 07:07:53 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=5a cmd=configure term service=shell elapsed_time=0
As you can see, I can't see any command lines, such as show int ip b. I can see all routers' and switches' logs, but the ASA logs show only entries like the above. No matter what commands I used, it only shows the above logs. Do I miss something? I'd like to capture all command lines when users use ASDM, because we always use ASDM.
I used Free tacacs+ server, not ACS.
Thanks for your time.
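A parser for the accounting lines quoted above, added here as an example (it is not code from the original post or from the TACACS+ server in use). It reads the key=value fields and lists, per user, the records that entered configuration mode, which is the one change-tracking signal these ASA records do carry. The sample is constructed from the four lines in the post, with NAS_IP left masked as it appears there.

```python
"""Parse the TACACS+ accounting lines quoted in the question and flag
configuration-mode entries per user. Added example; not part of the post."""
import re
from collections import defaultdict

# Constructed sample in the same layout as the four lines in the post (NAS_IP kept masked as on the page).
SAMPLE_LOG = """\
<102> 2014-02-23 10:20:22 [10.254.1.2:22823] 02/23/2014 10:20:22 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.50.129 User= brian Flags=Stop task_id=57 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-23 10:23:51 [10.254.1.2:58167] 02/23/2014 10:23:51 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.50.129 User=brian Flags=Stop task_id=58 cmd=configure term service=shell elapsed_time=0
<102> 2014-02-24 07:06:31 [10.254.1.2:19784] 02/24/2014 07:06:31 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=59 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-24 07:07:53 [10.254.1.2:19254] 02/24/2014 07:07:53 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=5a cmd=configure term service=shell elapsed_time=0
"""

# Syslog priority, server timestamp, [sender:port], device timestamp, then key=value pairs.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>\s+(?P<received>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"\[(?P<sender>[^\]]+)\]\s+\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+(?P<fields>.*)$"
)
# Values may contain spaces ("cmd=perfmon interval 10"), so a value runs until the next "key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Return a dict of fields for one accounting line, or None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"pri": int(m.group("pri")), "received": m.group("received"), "sender": m.group("sender")}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip()  # tolerates "User= brian" as seen in the post
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def config_changes(records):
    """Records whose accounted command entered configuration mode."""
    return [r for r in records if r.get("cmd", "").startswith("configure")]


def sessions_by_user(records):
    """Map user -> list of (timestamp, source address, command) for review."""
    out = defaultdict(list)
    for r in records:
        out[r["User"]].append((r["received"], r["rem_addr"], r["cmd"]))
    return dict(out)


if __name__ == "__main__":
    for r in config_changes(parse_log(SAMPLE_LOG)):
        print(f'{r["received"]} {r["User"]} from {r["rem_addr"]} entered: {r["cmd"]}')
```

Feed the real log file to parse_log and the config_changes list gives who opened configuration mode, from which address and when, even though the individual ASDM changes are not in these records.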

Similar Messages

  • TACACS accounting log

    Hi,
    I configured our switches and routers to send the accounting records to the ACS. We like this as you can see who made what changes to the device but, the ACS server is only keeping the records for one day. Where can I change the setting to increase this? I would like it to go back a year if possible.
    Also, is the ACS server the right device to be holding this info?
    Thank you.

    Hi Patrick,
    In the ACS View Reports (Monitoring & Reports > Reports > Catalog > AAA Protocol) you can select the radio button and, by selecting 'Run' at the bottom, run a specific query. Without that, by default you will see only a report from one day.
    For the 2nd question, yes, the ACS View is designed to store that information; however, if needed you can send the logs to an external syslog server or perform regular backups of the ACS View database.
    Kind regards,
    Pawel

  • TACACS+ Accounting "Network Access Profile" name is missing

    Hello,
    I have a problem trying to export logs to the Cisco ACS View from my ACS 4.2
    In the document http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_view/4.0/user/guide/appendixA.html Cisco states that one of the mandatory attributes for export to work is "Network Access Profile Name" under TACACS+ Accounting (under ACS 4.2 System configuration -> Logging settings). Well, I don't have this mandatory attribute listed in ACS under TACACS+ accounting log configuration. I tried to ignore this attribute, but then ACS View complains about null value for the attribute mentioned above.
    Is this some bug in ACS View or ACS, or maybe I'm simply missing something? ;)
    Best Regards,
    Igor

    Cisco created a new bug for it:
    CSCtq85420
    Best Regards,
    Igor

  • TACACS+ Accounting Question

    Dear all,
    I would like to know TACACS+ accounting option in cisco.
    We deployed an AAA machine, which is Avenda, in our operation network and are able to capture accounting commands ONLY for valid commands. Can TACACS+ also capture invalid commands and send them to Avenda (our AAA machine)?
    Please help to clarify.

    Hi,
    This is something device specific. In the case of IOS it forwards only valid commands to the tacacs server. Example: if we issue the command "show user" it will log it, and if we issue "show dog" it will not be logged.
    Hope that helps!
    Regards,
    ~JG
    Do rate helpful posts

  • No TACACS+ Administration Logging on ACS

    I can get a csv file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS] but that log file is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this data, but my ASA 5520 will only allow:
    aaa accounting command <server group> or <privilege>.
    How do I get this ASA and Windows ACS to collect TACACS+ administration?
    Note: My TACACS+ accounting does collect data on users ssh into the ASA.

    It's quite possible that you might be experiencing a known bug (CSCsg97429) in ACS version 4.1.
    Get this patch: Acs-4.1.1.23.5-SW.zip. It fixes the TACACS+ Administration log/report problem.
    You're right in regards to the command. It is needed for your NAS to send accounting information to the ACS.
    Here's an example of the commands:
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Hope it helps.

  • ACSv5.1, lack of clarity on radius accounting logs

    Hi,
    We are using an ACS 5.1 for remote VPN customers for radius authentication and accounting purposes.
    When I check the radius accounting logs, there are certain entries that do not make sense to me.
    For instance, there are certain Accounting session ids (refer 'Acct_Session_Id') with only a STOP record. But I do not see a START record corresponding to the session id. I am able to see many such entries.
    Can anybody throw some light on this information??
    Note - The customer environment consists of remote users who try to access the central NAS using IPSec. Requests that come to the NAS get directed to the ACS for AAA purposes.
    Also provided are some sample ACS logs [refer highlighted section]
    Regards,
    Abishek

  • Tacacs+ Administration log Auditing

    Hello ,
    I am working as an internal auditor in a bank and I have doubts about something in the logs generated by TACACS+; I'm looking for someone to assist with this.
    My concern is about firewall changes which are triggered on the TACACS+ Administration report. It shows you, in terms of adding an IP address as source to a specific group (object) as destination. What if I need more details about the destination object's privileges which I am adding this source to; how can I identify these changes?

    Hi Mahmoud,
    You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI.
    To enable command accounting, enter the following command:
    hostname(config)# aaa accounting command [privilege level] server-tag
    and you do have this command in your configuration. Now, if command accounting is not working in your case, then you need to tell me what version of Cisco ACS you are running; if it is ACS 4.1.1.23 then there is a defect that has been fixed in patch 5.
    The issue that you are facing could be due to,
    CSCsg97429 - TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.
    aaa-server AuthOutbound protocol tacacs+
    aaa authentication http console LOCAL
    aaa authentication enable console TACACS+
    aaa authentication serial console TACACS+
    aaa authentication ssh console TACACS+
    aaa authorization command TACACS+
    aaa accounting command TACACS+
    How to configure command accounting on ASA
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1059882
    Hope this helps.
    Let me know if you need further help on this.
    Regards,
    Jatin
    Do rate helpful posts~

  • NCS TACACS accounting via ACS

    If I choose to authenticate NCS users through Cisco ACS (5.4 in this instance) via TACACS, do I still have the ability to do accounting to track what changes they have made?  I'm not getting anything in the TACACS accounting reports and I don't see anywhere to configure TACACS for accounting within NCS gui like I can on a WLC.  I know that NCS has an internal audit trail but if a users account is both a local account on NCS as well as an account being authenticated through ACS does the Audit trail on NCS for that local user still contain the information about changes the user made?  I ask because it looks like it does but I want to make sure I'm not going mad.  Here is my example:
    Local account username:  NCS_Admin2
    AD account via TACACS username:  NCS_Admin2
    Audit trail for the NCS_Admin2 account on NCS looks like changes are being logged to NCS even though the user is logging in with their AD credentials via TACACS.
    I know that is probably as clear as mud.
    Thanks.
    Todd

    User is authenticated with TACACS
    NCS_Admin2
    NCS.customerdomain.local
    2013-Mar-05, 10:18:30 EST
    2013-Mar-05, 11:22:36 EST
    TACACS+
    Admin 

  • Regarding Tacacs+ Accounting

    Dear All,
    This is regarding Tacacs+ accounting. We have Cisco ACS server 4.2 for AAA. I want to configure accounting in such a way that I get reports containing the commands used by a user after successfully logging in to the router. Currently I am getting reports containing IN and OUT time, who the user was, etc. So what do I change if I want all the commands used by the user on the router after logging in?
    Thanks,
    Abhisar.

    hi,
    You will have to configure command authorization for that and then the command accounting.
    following link throws some light on it.
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1059882
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this post as answered if you feel your query is answered. Do rate helpful posts.

  • Config the TACACS+ Accounting attributes

    hi,
    the ACS 4.1 is the AAA server using TACACS+; the customer wants to record the commands they used when they logged in to the AAA client. How do I config the TACACS+ Accounting attributes?

    These commands will perform accounting records whenever a level 0,1,15 command is used
    This is logged to the
    "Reports and Activities" -> "TACACS+ Administration"
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

  • Radius Authentication - Reauthentication via Accounting logs

    Hi, we're working on a scenario like this:
    A client logs in to a WLAN via dot1x authentication, though we want to be able to disable re-authentication of the client on the radius when the session-timeout is reached. We also need the accounting logs to make sure that we can also kill the session if a certain traffic limit is reached. (WiSM-1, 7.0.116 code)
    The thing is that, whenever the session timeout occurs (that we set manually on the wlan), the client re-authenticates automatically and we can see access-requests and stuff, though in terms of status we only see an "interim-update" accounting package in the radius, and thus are unable to take action. The controller also uses PMK lifetime instead of the session-timeout we set, which, I suppose, is derived from the session-timeout and some other timers as well. How do we get an accounting log when the session-timeout is reached and thus the client needs to reauthenticate? (or how do we differentiate it actually, since we already see a log but it's just an interim-update log)
    WLC fires this when the PMK timeout is triggered.
    15:23:35.224: ec:35:86:95:14:5e Initiating 802.1x due to PMK Timeout Event for STA.....15:23:35.562: ec:35:86:95:14:5e Setting re-auth timeout to 300 seconds, got from WLAN config.15:23:35.562: ec:35:86:95:14:5e Station ec:35:86:95:71:5e setting dot1x reauth timeout = 300...15:23:35.563: ec:35:86:95:14:5e Disabling re-auth since PMK lifetime can take care of same.
    after the negotiation part(which is also not enough to make differentiation); radius gets this.
    15:23:35.588: P6231982: Trace of Accounting-Request packet...15:23:35.592: P6231982:    Acct-Status-Type = Interim-Update
    Is there a way to enforce a session-timeout and make sure that the client will not re-auth automatically after this timeout, and get an appropriate radius log? PS: PMK cannot be disabled before 7.2 and WiSM-1 doesn't support that.
    Thanks a lot for your responses in advance
    Regards,
    A.

    Hey Scott, thanks for the tip.
    The thing is, after an idle-timeout expires, I can see a stop accounting log at the radius side.
    But after a session-timeout expires, I can only see an (re)authentication (without any start of course) and an interim-update log which gives no clue if this is a normal interim update or its sent because of the session-timeout. How am I to find which interim-update means a re-auth because of a session-timeout? or is it possible to make it send another accounting log to help me mark the session end?
    Regards,
    A.
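Added example (not code from this post or from the ACS 5.1 thread above) that groups RADIUS accounting records by Acct-Session-Id and reports both symptoms raised in those two threads: a Stop with no Start, and a session whose last record is an Interim-Update with no Stop. The sample records are constructed; only the standard RADIUS accounting attribute names (Acct-Status-Type, Acct-Session-Id, Acct-Terminate-Cause) are real.

```python
"""Correlate RADIUS accounting records by session id so that a Stop without a
matching Start and a session that never closes (last record an Interim-Update)
stand out. Added example; not code from either forum post."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Keys map to the RADIUS attributes Acct-Session-Id (sid),
# Acct-Status-Type (type) and Acct-Terminate-Cause (cause); all values are made up.
SAMPLE_RECORDS = [
    {"ts": "2014-02-24 08:00:00", "sid": "0001", "type": "Start", "user": "alice"},
    {"ts": "2014-02-24 08:10:00", "sid": "0001", "type": "Interim-Update", "user": "alice"},
    {"ts": "2014-02-24 08:30:00", "sid": "0001", "type": "Stop", "user": "alice", "cause": "Idle-Timeout"},
    {"ts": "2014-02-24 08:05:00", "sid": "0002", "type": "Stop", "user": "bob", "cause": "User-Request"},
    {"ts": "2014-02-24 09:00:00", "sid": "0003", "type": "Start", "user": "carol"},
    {"ts": "2014-02-24 09:05:00", "sid": "0003", "type": "Interim-Update", "user": "carol"},
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def audit_sessions(records):
    """Group by session id and classify each session.

    Returns a dict with three lists:
      complete           - Start ... Stop seen; entries carry user, duration and terminate cause
      stop_without_start - a Stop arrived for a session id that never sent Start
      no_stop            - the session's last record is Start or Interim-Update
    """
    by_sid = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_sid[rec["sid"]].append(rec)
    out = {"complete": [], "stop_without_start": [], "no_stop": []}
    for sid, recs in by_sid.items():
        types = [r["type"] for r in recs]
        stop = next((r for r in recs if r["type"] == "Stop"), None)
        if stop and "Start" not in types:
            out["stop_without_start"].append({"sid": sid, "user": stop["user"], "ts": stop["ts"]})
        elif stop is None:
            out["no_stop"].append({"sid": sid, "user": recs[-1]["user"], "last": recs[-1]["type"]})
        else:
            start = next(r for r in recs if r["type"] == "Start")
            out["complete"].append({
                "sid": sid, "user": start["user"],
                "seconds": int((_t(stop["ts"]) - _t(start["ts"])).total_seconds()),
                "cause": stop.get("cause", "unknown"),
            })
    return out


if __name__ == "__main__":
    for kind, rows in audit_sessions(SAMPLE_RECORDS).items():
        print(kind, rows)
```

Sessions listed under no_stop are the ones a traffic-limit or timeout policy cannot act on from accounting alone, which is exactly the gap both threads describe.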

  • Basic log question

    Just trying out backintime. I put it in crontab and append to a log file. So far so good, but I don't get the time or date of the last entry. Here is the crontab entry:
    */45 * * * * backintime -b >>/tmp2/backintime/messages.log
    Question: Do I have to fiddle around with the code of backintime to get more info or can I do something in the crontab entry?

    > Hm, comparing stuff takes a long time
    <gasp> With rsync if you don't change the contents much it shouldn't take more than a minute ... If you have a million tiny files it may take more but I guess you would like your backups to run perfectly, so you'd better check what's wrong.
    BTW: Although Dillon's cron supports 'every n minutes' you may want to check '45 * * * *'. Are you using the "stock" Arch cron or some other one?
    Last edited by karol (2009-12-18 15:37:02)
