TACACS Command accounting

Hi
We configured accounting on our network devices, but the commands users are typing are not showing in the TACACS+ Accounting section. We are using ACS 4.1 SE, and the accounting commands on the devices are given below.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Please help

Command accounting logs are stored in the TACACS+ Administration logs. Also, there is a known issue in version 4.1.1, and we need to apply patch ACS 4.1.1.23.5 to fix the issue.
Patch for the appliance is available at
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
Patch name: ACS SE 4.1.1.23.5 accumulative patch
Patch for ACS for Windows is available at
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Patch name: ACS 4.1.1.23.5 accumulative patch
Regards,
~JG
Do rate helpful posts

Similar Messages

  • TACACS + Command Logging Problems

    All,
    Working on a problem that I'm having getting command logging set up for my switch / router infrastructure. Below is my config. Authentication is working, both console & SSH. Authorization is also working. Some of my accounting features are working, like successful TACACS+ logins, but all my command logging features are not working properly.
    I'm currently running ACS V4.1. Also, what is the difference between using named auth / accounting lists and the default? Is it just that I need to apply them to certain interfaces, where the default is applied to all interfaces?
    Configs:
    aaa new-model
    aaa authentication login SSH group tacacs+ local
    aaa authentication login CONSOLE local
    aaa authorization console
    aaa authorization exec CONSOLE local
    aaa authorization exec SSH group tacacs+
    aaa authorization network CONSOLE local
    aaa authorization network SSH group tacacs+
    aaa accounting exec SSH start-stop group tacacs+
    aaa accounting commands 0 SSH start-stop group tacacs+
    aaa accounting commands 1 SSH start-stop group tacacs+
    aaa accounting commands 15 SSH start-stop group tacacs+
    aaa accounting network SSH start-stop group tacacs+
    access-list 1 permit X.X.56.0 0.0.0.255
    tacacs-server host X.X.X.X key XXXXXXXXXXXXX
    tacacs-server timeout 30
    tacacs-server directed-request
    control-plane
    line con 0
    session-timeout 10
    authorization exec CONSOLE
    login authentication CONSOLE
    line vty 0 4
    session-timeout 10
    access-class 1 in
    authorization exec SSH
    accounting commands 0 SSH
    accounting commands 1 SSH
    accounting commands 15 SSH
    accounting exec SSH
    login authentication SSH
    transport input ssh
    line vty 5 15
    session-timeout 10
    access-class 1 in
    authorization exec SSH
    accounting commands 0 SSH
    accounting commands 1 SSH
    accounting commands 15 SSH
    accounting exec SSH
    login authentication SSH
    transport input ssh
    Any help is appreciated.
    Thanks!
    Jon

    This looks fine:
    3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
    3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
    3d22h: TPLUS: processing accounting request id 52
    3d22h: TPLUS: Sending AV task_id=114
    3d22h: TPLUS: Sending AV timezone=UTC
    3d22h: TPLUS: Sending AV service=shell
    3d22h: TPLUS: Sending AV priv-lvl=15
    3d22h: TPLUS: Sending AV cmd=write memory
    3d22h: TPLUS: Accounting request created for 52(testusr)
    3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
    3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
    3d22h: TPLUS(00000034)/0/NB_WAIT: socket event 2
    3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
    3d22h: TPLUS(00000034)/0/READ: socket event 1
    3d22h: TPLUS(00000034)/0/READ: Would block while reading
    3d22h: TPLUS(00000034)/0/READ: socket event 1
    3d22h: TPLUS(00000034)/0/READ: read entire 12 header bytes (expect 5 bytes data)
    3d22h: TPLUS(00000034)/0/READ: socket event 1
    3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
    3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
    3d22h: TPLUS: Received accounting response with status PASS
    On ACS, look in the log directories for the CSTacacs and CSLog services, and find the entries corresponding to the above.
    Incidentally, you may want to make the timestamps on the router be datetime rather than uptime; it makes it easier to correlate logs.
    service timestamps debug datetime localtime msec
    service timestamps log datetime localtime msec
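The reply above makes the key diagnostic point: the `debug tacacs` output shows the router did send the command (AV `cmd=write memory`) and the server answered PASS, so the record was lost on the ACS side, not on the wire. The script below is an added example, not code from the original post, that turns such a debug transcript into per-request records (user, priv-lvl, cmd, reply status) and lists requests that never received a PASS. Request 52 in the sample is the debug quoted in the thread; request 53 is constructed in the same format to show a request with no reply. It assumes requests in the capture are not interleaved, which holds for a single operator session.

```python
"""Parse IOS 'debug tacacs' output into TACACS+ accounting records (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: request 52 is copied from the debug quoted in the post above
# (server IP was redacted there); request 53 is made up in the same format to show
# a request that gets no reply within the debug window.
SAMPLE_DEBUG = """\
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
3d22h: TPLUS: Received accounting response with status PASS
3d22h: TPLUS: Queuing AAA Accounting request 53 for processing
3d22h: TPLUS: processing accounting request id 53
3d22h: TPLUS: Sending AV task_id=115
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=show running-config
3d22h: TPLUS: Accounting request created for 53(testusr)
3d22h: TPLUS(00000035)/0/NB_WAIT/36C23C0: Started 30 sec timeout
"""

RE_REQ = re.compile(r"TPLUS: processing accounting request id (\d+)")
RE_AV = re.compile(r"TPLUS: Sending AV ([^=]+)=(.*)$")       # value may contain spaces
RE_USER = re.compile(r"TPLUS: Accounting request created for (\d+)\(([^)]+)\)")
RE_STATUS = re.compile(r"TPLUS: Received accounting response with status (\S+)")


@dataclass
class AcctRecord:
    request_id: str
    user: Optional[str] = None
    av: Dict[str, str] = field(default_factory=dict)
    status: Optional[str] = None   # PASS / FAIL / ERROR, or None if no reply was seen

    @property
    def command(self) -> Optional[str]:
        return self.av.get("cmd")


def parse_tplus_debug(text: str) -> List[AcctRecord]:
    """A 'processing accounting request id' line opens a record; the AV pairs and the
    'created for N(user)' line fill it; 'Received accounting response' closes it."""
    records: List[AcctRecord] = []
    current: Optional[AcctRecord] = None
    for line in text.splitlines():
        m = RE_REQ.search(line)
        if m:
            current = AcctRecord(request_id=m.group(1))
            records.append(current)
            continue
        if current is None:
            continue
        m = RE_AV.search(line)
        if m:
            current.av[m.group(1).strip()] = m.group(2).strip()
            continue
        m = RE_USER.search(line)
        if m and m.group(1) == current.request_id:
            current.user = m.group(2)
            continue
        m = RE_STATUS.search(line)
        if m:
            current.status = m.group(1)
            current = None
    return records


def unacknowledged(records: List[AcctRecord]) -> List[AcctRecord]:
    """Requests the server did not answer with PASS: lost in transit or rejected."""
    return [r for r in records if r.status != "PASS"]


def audit_rows(records: List[AcctRecord]) -> List[tuple]:
    """(user, priv-lvl, command, status): the columns you expect in the ACS log."""
    return [(r.user, r.av.get("priv-lvl"), r.command, r.status) for r in records]


if __name__ == "__main__":
    recs = parse_tplus_debug(SAMPLE_DEBUG)
    for row in audit_rows(recs):
        print(row)
    for r in unacknowledged(recs):
        print(f"request {r.request_id}: no PASS seen for {r.command!r}")
```

If every command you typed shows up here with status PASS but is absent from the TACACS+ Administration report, the problem is on the server (logging configuration or the 4.1.1 patch mentioned in the first answer); if the `cmd` AV pairs are missing altogether, the `aaa accounting commands` lines on the device are not taking effect for that line or privilege level.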

  • Command accounting w/ RADIUS

    Not having much luck getting this to work, and searching the forums here, everybody seems to say it is not possible unless TACACS+ is used. Is this still the case? I see the AAA/ACCT/CMD in the debug on the local switch, but the RADIUS server never receives the data string except for the authentication entry.
    Any way to re-classify the AAA/ACCT/CMDs and send in a syslog trap/log?
    Looking for creative solutions here, TACACS+ is not available in this case.
    Thanks

    Hi,
    Unfortunately, you cannot log any AAA information to syslog.
    Now you may ask why the IOS CLI allows you to configure command accounting via RADIUS when it is not supported. Well, this is indeed an IOS caveat, which is described in CSCdp57020 'parser should not show radius as an aaa accounting commands option' and resolved in 12.2-based IOS trains (ref. Bug Toolkit on Cisco.com).
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCdp57020
    Regards,
    ~JG
    Do rate helpful posts

  • Command Accounting & Logging on ISE

    Hi Guys,
    Does ISE support command accounting and logging on network devices?
    Thanks,
    Muayad Jallad,

    The Cisco Systems implementation of RADIUS does not support command accounting. TACACS+ does support it; ISE with TACACS+ is expected in the 2.0 release, which is on the roadmap.

  • Command accounting for SNMP config

    We can use TACACS+ and ACS to do the command accounting for EXEC shell commands executed. But what about configuration changed by SNMP set? How do we find out which OIDs were set by NMS tools?
    Thanks!

    Well, RADIUS accounting is supported on ACS, so if your AAA client is accounting the commands, then they will appear on ACS without problem.

  • Command Accounting

    Hi,
    Is there any way to enable command accounting except TACACS ?.

    Command accounting is a feature of TACACS and is not supported by any other protocol.
    Regards,
    ~JG

  • Command accounting with ACS

    How can I achieve command accounting via ACS? I have configured devices as below but no luck.
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    any idea about it

    Hi, I am using the 4.2 version appliance. I am using TACACS+; you can see the config below for your reference.
    aaa new-model
    aaa group server tacacs+ bwaaa
    server 10.2.6.1
    server 10.2.6.2
    ip tacacs source-interface Vlan1111
    aaa authentication login aaa-list group bwaaa local
    aaa authentication enable default group bwaaa enable
    aaa authorization exec aaa-list group bwaaa local
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    aaa session-id common
    tacacs-server host 10.2.6.1 timeout 25
    tacacs-server host 10.2.6.2 timeout 25
    tacacs-server timeout 25
    tacacs-server directed-request
    tacacs-server key cisco123

  • Command Accounting on MDS

    Is Command Accounting available on the MDS 9216?
    We use Command Accounting on our Catalyst switches to capture the commands entered on the switches for auditing purposes. Entered commands on the Catalyst switches are captured on the Cisco ACS server, and we can see who has done what under the "TACACS Administration" logs of ACS. Is this feature available on MDS switches as well?

    Command accounting is available on the MDS platform as well. This could utilize the same TACACS+ backend you have for your Catalyst network.
    You also will have very detailed control over who has access to what commands with Roles Based Access Control.
    Dan

  • Command Accounting Failure on my PIX

    Hi,
    I am configuring my PIX ver 7.2(2) for command accounting using the "aaa accounting command" command, but I am not able to see any accounting information on my ACS 4.1 build 23 server!
    Although authentication for this PIX is working just fine, and accounting is also working perfectly for other IOS devices, accounting for the PIX is not giving any results when browsing to the TACACS+ Administration page!!
    I am posting the PIX show-tech for your reference!
    Appreciate your support here!
    BR,
    Haitham

    Hi Rohit,
    Thank you so much, you were absolutely right. The accounting problem was due to the bug CSCsg97429 and the problem was resolved after applying the patch: applAcs-4.1.1.23.1.zip
    Thanks,
    Haitham

  • TACACs+ commands not dropping me into enable mode

    Hi All,
    I've just configured the following on a router running IOS 15. All my other devices are running the old tacacs commands, but I thought I'd try the new CLI version.
    It works, e.g. I get prompted for username/password and authenticate against our AD server (integrated with ACS 4.2). I get into the router, but into user mode.
    My other devices drop me straight into Priv mode. The only difference is the new commands vs the old commands, but I can't see anything that is different in relation to putting me into Priv mode.
    Any ideas?
    aaa group server tacacs+ ABC_ACS
    server name ABC_TAC
    tacacs server ABC_TAC
    address ipv4 172.27.10.10
    key secretkey
    aaa authentication login ACS_List group ABC_ACS line
    aaa authorization exec ACS_List group ABC_ACS if-authenticated
    aaa accounting exec ACS_List start-stop group ABC_ACS
    aaa accounting commands 15 ACS_List start-stop group ABC_ACS
    line vty 0 4
    password test
    authorization exec ACS_List
    accounting commands 15 ACS_List
    accounting exec ACS_List
    login authentication ACS_List
    length 0
    transport input ssh

    Make sure you defined the username with a static privilege level of 15; otherwise it will not be able to pass the enable authentication.
    If ACS 5.x or higher, go to Policy Elements > Shell Profile and make sure you have one assigned with a static maximum privilege of 15 and, most important, that it is applied in an access-policy rule.

  • Tacacs Command Authorization

    Hello awesome community
    I am trying to wrap my head around a possible configuration issue where I am creating a "rancid" account to auto-log into a Cisco switch (2950/2960) with restricted access. The problem is I cannot seem to restrict the access very well; the rancid user has all the access it wants.
    TACACS Config Snippet:
    group = rancid {
        default service = deny
        service = exec {
            priv-lvl = 15
        }
        cmd = show {
            permit .*
        }
        cmd = exit {
            permit .*
        }
        cmd = dir {
            permit .*
        }
        cmd = write {
            permit term
        }
    }
    Cisco AAA Configuration:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login console group tacacs+ local
    aaa authentication enable default group tacacs+
    aaa authorization console
    aaa authorization exec default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    Is there something I am missing or not accurately setting up to restrict access to *only* the commands listed in the TACACS config?

    Found the issue \o/
    I lacked some authorization commands, added the following fixed this issue:
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+
    aaa authorization commands 15 default group tacacs+
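The fix above illustrates that per-command authorization has two halves: the device must be configured to ask (`aaa authorization commands <level>`, plus `aaa authorization config-commands` for configuration mode), and only then do the server's `cmd = ... { permit/deny regex }` blocks get consulted, with the first word of the command line as `cmd` and the remaining words as `cmd-arg` attributes (the debug output quoted later on this page shows that split). The code below is an added example, not from the original post or from tac_plus, that models both halves: a matcher for the posted rancid rules and a check of whether an IOS config would send a command to the server at all. Unanchored `re.search` matching, first-match-wins and "unlisted command falls back to `default service`" are assumptions of this model; the simplified `avpairs_for` split does not reproduce IOS splitting interface names into two arguments. Check your server's documentation for its exact semantics.

```python
"""Model of tac_plus-style per-command TACACS+ authorization (added example)."""
import re
from typing import Dict, List, Tuple

# The rancid group from the post, as Python data (constructed from the posted config).
RANCID_RULES = {
    "default": "deny",
    "cmds": {
        "show":  [("permit", r".*")],
        "exit":  [("permit", r".*")],
        "dir":   [("permit", r".*")],
        "write": [("permit", r"term")],
    },
}


def avpairs_for(command_line: str) -> List[Tuple[str, str]]:
    """Split a typed command into the AV pairs IOS sends. Simplified: IOS also splits
    interface names such as GigabitEthernet1/1 into two cmd-args."""
    words = command_line.split()
    pairs = [("service", "shell"), ("cmd", words[0])]
    pairs += [("cmd-arg", w) for w in words[1:]]
    pairs.append(("cmd-arg", "<cr>"))
    return pairs


def authorize(rules: Dict, avpairs: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is PASS or FAIL for one authorization request."""
    cmd = None
    args = []
    for name, value in avpairs:
        if name == "cmd":
            cmd = value
        elif name == "cmd-arg" and value != "<cr>":
            args.append(value)
    if cmd is None:
        return "FAIL", "request carries no cmd attribute"
    default = rules.get("default", "deny")
    block = rules["cmds"].get(cmd)
    if block is None:
        verdict = "PASS" if default == "permit" else "FAIL"
        return verdict, f"no cmd block for {cmd!r}; default service = {default}"
    argstr = " ".join(args)
    for action, pattern in block:          # first matching regex wins (model assumption)
        if re.search(pattern, argstr):
            return ("PASS" if action == "permit" else "FAIL"), f"{action} {pattern!r} matched {argstr!r}"
    return "FAIL", f"no pattern under cmd = {cmd} matched {argstr!r}"


def router_will_ask(ios_config: str, priv_lvl: int, config_mode: bool = False) -> bool:
    """Does an IOS device with this config send commands at priv_lvl to TACACS+ at all?
    Without these lines the server's rules are never consulted, which is the gap in the thread."""
    lines = [l.strip() for l in ios_config.splitlines()]
    asks_level = any(
        re.match(rf"aaa authorization commands {priv_lvl} \S+ .*group tacacs\+", l) for l in lines
    )
    if config_mode:
        return asks_level and "aaa authorization config-commands" in lines
    return asks_level


# Constructed before/after IOS fragments mirroring the thread.
CONFIG_BEFORE = """\
aaa new-model
aaa authorization exec default group tacacs+ if-authenticated
"""
CONFIG_AFTER = CONFIG_BEFORE + """\
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
"""

if __name__ == "__main__":
    for cmdline in ("show running-config", "write terminal", "write memory", "configure terminal"):
        print(f"{cmdline!r:25} -> {authorize(RANCID_RULES, avpairs_for(cmdline))}")
    print("router asks before fix:", router_will_ask(CONFIG_BEFORE, 15))
    print("router asks after fix: ", router_will_ask(CONFIG_AFTER, 15, config_mode=True))
```

Running it shows `write terminal` passing and `write memory` failing under the posted rules, and `configure terminal` failing because no `cmd` block exists and `default service = deny`. The same model also explains the ACS "quirk" thread further down: once the arguments are joined back into one string, a loose pattern such as `access` that matches early makes a later `deny 101` unreachable, so deny rules need to come first or be written to match the whole argument string.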

  • TACACS+ command authorization and ACS "Quirk"(?)

    Hi All,
    I've created a limited-access command set for a few of my engineers. They can shut/no shut ports, change VLANs on access ports etc., but they can't access critical ports like uplinks. That's working fine. I'd like to take it a step further and ensure that they can't accidentally assign a server VLAN to a user access port. Using ACS 4.2.
    For the example, i'll use Vlan 101, which is one of my server networks.
    My Command set says:
    Command: switchport
    Arguments: permit access, permit vlan, deny 101
    Permit Unmatched Args is UNCHECKED.
    When I debug the aaa authorization, i see this:
    146425: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
    146426: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
    146427: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
    146428: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
    146429: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
    146430: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
    146431: Mar  8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
    146432: Mar  8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
    I know I have the correct command set applied, because it blocks me appropriately for other commands.
    146451: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
    146452: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
    146453: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
    146454: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
    146455: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
    146456: Mar  8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
    146457: Mar  8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
    Any thoughts why it's not working as expected?

    Don’t mean to be ignorant about this, but is there a way to export the config from ACS? Router config section is below…I’ve used this successfully with 4.2 several times…
    ip tacacs source-interface gi 0/0
    tacacs-server directed-request
    tacacs-server key
    tacacs-server host x.x.x.x
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no-tacacs none
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default if-authenticated
    aaa authorization commands 1 default if-authenticated
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization console
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common

  • Commands accounting.

    Hello.
    I'm using this configuration for commands accounting with Cisco Secure ACS. When the first server fails, the second AAA server doesn't report any accounting records in T+ Administration, using the broadcast keyword also.
    Many thanks for suggestions.
    Regards.
    Andrea
    aaa new-model
    aaa group server tacacs+ CiscoSecureACS
    server 10.4.44.74
    server 10.4.44.75
    aaa authentication login default group CiscoSecureACS local
    aaa authentication enable default group CiscoSecureACS enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group CiscoSecureACS local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group CiscoSecureACS
    aaa accounting commands 15 default start-stop group CiscoSecureACS
    aaa accounting connection default start-stop group CiscoSecureACS
    tacacs-server host 10.4.44.74 single-connection timeout 5
    tacacs-server host 10.4.44.75 single-connection timeout 5
    tacacs-server directed-request

    Using some debug and log I can verify that AAA server receives the accounting packet and replies but doesn't record it on file.
    Any ideas?
    Thanks.
    Andrea

  • Command accounting in PIX

    Hi:
    I want to use something like "command accounting" in a PIX 525; I mean I want to know what commands were executed or typed by the administrator.
    Does somebody know if it is possible in PIX? My PIX version is 6.3.3.
    Thank you.

    I could find the following information for ver 6.2. I guess it is applicable to 6.3 too. http://www.cisco.com/warp/public/110/pix_command.shtml#accounting Basically, actual command accounting is not available. However, you can generate some sort of a record using syslog.

  • CSCtg09895 - percentMGBL-exec-3-ACCT_ERR main: command accounting failed

    Dear fellows,
    I am facing the problem below on one of our ASR 9010 routers while configuring it. I am unable to configure anything; after entering any command this error shows up:
    RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
    RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
    RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    RP/0/RSP0/CPU0:hostname(config-if)#commit
    Thu Jan 15 12:48:50.521 IST
    RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed -  - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
    It is not allowing me even to commit any change,
    and I am unable to find any online solutions for this.
    Please help.
    The following packages are active right now:
    disk0:asr9k-doc-px-4.3.4
    disk0:asr9k-fpd-px-4.3.4
    disk0:asr9k-k9sec-px-4.3.4
    disk0:asr9k-mcast-px-4.3.4
    disk0:asr9k-mgbl-px-4.3.4
    disk0:asr9k-bng-px-4.3.4
    disk0:asr9k-mini-px-4.3.4
    disk0:asr9k-mpls-px-4.3.4

    It is a fresh installation and the device is not connected to any network yet.
    PS: please tell me what more output is needed so that this problem can be solved.
