TACACS Command accounting
Hi
We configured accounting in our network devices, but the commands users are typing are not showing in the TACACS+ Accounting section. We are using ACS 4.1 SE and the accounting commands configured in the devices are given below.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Please help
Command accounting logs are stored in the TACACS+ Administration logs. Also, there is a known issue on ver 4.1.1 and we need to apply patch ACS 4.1.1.23.5 to fix the issue.
Patch for appliance is available on
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
Patch name : ACS SE 4.1.1.23.5 accumulative patch
Patch for acs windows is available on
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Patch Name : ACS 4.1.1.23.5 accumulative patch
Regards,
~JG
Do rate helpful posts
Similar Messages
-
TACACS + Command Logging Problems
All,
Working on a problem that I'm having getting command logging set up for my switch / router infrastructure. Below is my config. Authentication is working, both console & SSH. Authorization is also working. Some of my accounting features are working, like successful TACACS+ logins, but all my command logging features are not working properly.
I'm currently running ACS V4.1. Also, what is the difference between using named auth / accounting lists and the default? Is it just that I need to apply them to certain interfaces, where the default is applied to all interfaces?
Configs:
aaa new-model
aaa authentication login SSH group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec CONSOLE local
aaa authorization exec SSH group tacacs+
aaa authorization network CONSOLE local
aaa authorization network SSH group tacacs+
aaa accounting exec SSH start-stop group tacacs+
aaa accounting commands 0 SSH start-stop group tacacs+
aaa accounting commands 1 SSH start-stop group tacacs+
aaa accounting commands 15 SSH start-stop group tacacs+
aaa accounting network SSH start-stop group tacacs+
access-list 1 permit X.X.56.0 0.0.0.255
tacacs-server host X.X.X.X key XXXXXXXXXXXXX
tacacs-server timeout 30
tacacs-server directed-request
control-plane
line con 0
session-timeout 10
authorization exec CONSOLE
login authentication CONSOLE
line vty 0 4
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
line vty 5 15
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
Any help is appreciated.
Thanks!
Jon
This looks fine:
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
3d22h: TPLUS(00000034)/0/NB_WAIT: socket event 2
3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: Would block while reading
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 12 header bytes (expect 5 bytes data)
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
3d22h: TPLUS: Received accounting response with status PASS
On ACS, look in the log directories for the CSTacacs and CSLog services, and find the entries corresponding to the above.
Incidentally, you may want to make the timestamps on the router be datetime rather than uptime; it makes it easier to correlate logs.
service timestamp debug datetime localtime msec
service timestamp log datetime localtime msec -
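The reply above says to take the debug output and find the matching entries in the ACS CSTacacs / TACACS+ Administration logs. The following is an added example, not code from the thread or from Cisco, that turns IOS TPLUS debug lines of the kind quoted into one record per accounting request (user, AV pairs, server verdict), so that a request the server did not PASS can be singled out before searching the ACS side. The sample debug text is constructed from the lines quoted above; request 53 and its FAIL verdict are invented to show a non-delivered record, and the assumption that the lines of one request are contiguous is stated in the parser docstring.

```python
"""Reconstruct TACACS+ accounting records from IOS TPLUS debug output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the "debug tacacs" lines quoted in the thread.
# Request 53 is invented: a record the server answered with FAIL.
SAMPLE_DEBUG = """\
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS: Received accounting response with status PASS
3d22h: TPLUS: processing accounting request id 53
3d22h: TPLUS: Sending AV task_id=115
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=configure terminal
3d22h: TPLUS: Accounting request created for 53(testusr)
3d22h: TPLUS: Received accounting response with status FAIL
"""

_REQ_RE = re.compile(r"processing accounting request id (\d+)")
_AV_RE = re.compile(r"Sending AV ([^=\s]+)=(.*)$")
_USER_RE = re.compile(r"Accounting request created for (\d+)\((\S+)\)")
_STATUS_RE = re.compile(r"Received accounting response with status (\w+)")


@dataclass
class Record:
    """One accounting request as seen by the router."""
    user: Optional[str] = None
    status: Optional[str] = None          # PASS / FAIL / None if no reply seen
    av: Dict[str, str] = field(default_factory=dict)


def parse_tplus_debug(text: str) -> Dict[str, Record]:
    """Group AV pairs, user and server verdict by accounting request id.

    Assumption: the debug lines of one request are contiguous, as in the
    quoted output, so AV and status lines belong to the request most
    recently announced by "processing accounting request id N".
    """
    records: Dict[str, Record] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = _REQ_RE.search(line)
        if m:
            current = m.group(1)
            records.setdefault(current, Record())
            continue
        m = _USER_RE.search(line)
        if m:
            records.setdefault(m.group(1), Record()).user = m.group(2)
            continue
        if current is None:
            continue
        m = _AV_RE.search(line)
        if m:
            records[current].av[m.group(1)] = m.group(2).strip()
            continue
        m = _STATUS_RE.search(line)
        if m:
            records[current].status = m.group(1)
    return records


def find_undelivered(records: Dict[str, Record]) -> List[str]:
    """Request ids the server did not confirm with PASS; these are the
    commands that will be missing from the ACS accounting logs."""
    return sorted((rid for rid, r in records.items() if r.status != "PASS"), key=int)


def describe(rid: str, rec: Record) -> str:
    """One-line summary suitable for grepping against the ACS log entries."""
    return (f"req {rid} user={rec.user} priv-lvl={rec.av.get('priv-lvl', '?')} "
            f"cmd={rec.av.get('cmd', '?')} status={rec.status}")


if __name__ == "__main__":
    recs = parse_tplus_debug(SAMPLE_DEBUG)
    for rid in sorted(recs, key=int):
        print(describe(rid, recs[rid]))
    print("not confirmed by server:", find_undelivered(recs))
```

Run it against a saved `debug tacacs` capture: every request listed with status PASS should have a matching row on ACS, and a request that never receives a PASS is the place to start when a command is missing from the TACACS+ Administration report.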
Command accounting w/ RADIUS
Not having much luck getting this to work, and searching the forums here, everybody seems to say it is not possible unless TACACS+ is used. Is this still the case? I see the AAA/ACCT/CMD in the debug on the local switch, but the RADIUS server never receives the data string except for the authentication entry.
Any way to re-classify the AAA/ACCT/CMDs and send in a syslog trap/log?
Looking for creative solutions here, TACACS+ is not available in this case.
Thanks
Hi,
Unfortunately you cannot log any AAA information to syslog.
Now you may ask why the IOS CLI allows you to configure command accounting via RADIUS when it is not supported. Well, this is indeed an IOS caveat which is described in CSCdp57020 'parser should not show radius as an aaa accounting commands option' and resolved in 12.2-based IOS trains (ref. Bug Toolkit on Cisco.com).
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCdp57020
Regards,
~JG
Do rate helpful posts -
Command Accounting & Logging on ISE
Hi Guys,
Does ISE support command accounting and logging on network devices?
Thanks,
Muayad Jallad
The Cisco Systems implementation of RADIUS does not support command accounting. TACACS does support it; ISE with TACACS is expected in the 2.0 release, which is on the roadmap.
-
Command accounting for SNMP config
We can use TACACS+ and ACS to do the command accounting for EXEC shell commands executed. But what about configuration changed by SNMP set? How can we find out which OIDs were set by NMS tools?
Thanks!
Well, RADIUS accounting is supported on ACS, so if your AAA client is accounting the commands, then they will appear on ACS without problem.
-
Hi,
Is there any way to enable command accounting other than TACACS?
Command accounting is a feature of TACACS and is not supported by any other protocol.
Regards,
~JG -
How can I achieve command accounting via ACS? I have configured the devices as below but no luck.
aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting system default start-stop group bwaaa
Any idea about it?
Hi, I am using the 4.2 version appliance. I am using TACACS+; you can see the config below for your reference.
aaa new-model
aaa group server tacacs+ bwaaa
server 10.2.6.1
server 10.2.6.2
ip tacacs source-interface Vlan1111
aaa authentication login aaa-list group bwaaa local
aaa authentication enable default group bwaaa enable
aaa authorization exec aaa-list group bwaaa local
aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting system default start-stop group bwaaa
aaa session-id common
tacacs-server host 10.2.6.1 timeout 25
tacacs-server host 10.2.6.2 timeout 25
tacacs-server timeout 25
tacacs-server directed-request
tacacs-server key cisco123 -
Is Command Accounting available on MDS 9216?
We use Command Accounting on our Catalyst Switches to capture the commands entered on the switches for auditing purposes. Entered commands on the Catalyst switches are captured on the Cisco ACS server and we can see who has done what under the "TACACS Administration" logs of ACS. Is this feature available on MDS switches as well?
Command accounting is available on the MDS platform as well. This could utilize the same TACACS+ backend you have for your Catalyst network.
You also will have very detailed control over who has access to what commands with Role-Based Access Control.
Dan -
Command Accounting Failure on my PIX
Hi,
I am configuring my PIX ver 7.2(2) for command accounting using the "aaa accounting command" command but I am not able to see any accounting information on my ACS 4.1 build 23 server!
Although authentication for this PIX is working just fine and the accounting is also working perfectly for other IOS devices, accounting for the PIX is not giving any results when browsing to the TACACS+ administration page!!
I am posting the PIX show-tech for your reference!
Appreciate your support here!
BR,
Haitham
Hi Rohit,
Thank you so much, you were absolutely right. The accounting problem was due to the bug CSCsg97429 and the problem was resolved after applying the patch: applAcs-4.1.1.23.1.zip
Thanks,
Haitham -
TACACs+ commands not dropping me into enable mode
Hi All,
I've just configured the following on a router running IOS 15. All my other devices are running the old tacacs commands, but I thought I'd try the new CLI version.
It works, e.g. I get prompted for username/password and it authenticates against our AD server (integrated with ACS 4.2). I get into the router, but into user mode.
My other devices drop me straight into priv mode. The only difference is the new commands vs the old commands, but I can't see anything that is different in relation to putting me into priv mode.
Any ideas?
aaa group server tacacs+ ABC_ACS
server name ABC_TAC
tacacs server ABC_TAC
address ipv4 172.27.10.10
key secretkey
aaa authentication login ACS_List group ABC_ACS line
aaa authorization exec ACS_List group ABC_ACS if-authenticated
aaa accounting exec ACS_List start-stop group ABC_ACS
aaa accounting commands 15 ACS_List start-stop group ABC_ACS
line vty 0 4
password test
authorization exec ACS_List
accounting commands 15 ACS_List
accounting exec ACS_List
login authentication ACS_List
length 0
transport input ssh
Make sure you defined the username with a static privilege level of 15; otherwise it will not be able to pass the enable authentication.
If ACS 5.x or higher, go to Policy Elements: Shell Profile and make sure you have one assigned with a static maximum privilege of 15 and, most important, that it is applied in an access-policy rule. -
Hello awesome community
I am trying to wrap my head around a possible configuration issue where I am creating a "rancid" account to auto log into a Cisco switch (2950/2960) with restricted access. The problem is I cannot seem to restrict the access very well; the rancid user has all the access it wants.
Tacacs Config Snippet:
group = rancid {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = dir {
        permit .*
    }
    cmd = write {
        permit term
    }
}
Cisco AAA Configuration:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Is there something I am missing or not accurately setting up to restrict access to *only* the commands listed in the Tacacs configs?
Found the issue \o/
I lacked some authorization commands; adding the following fixed this issue:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ -
TACACS+ command authorization and ACS "Quirk"(?)
Hi All,
I've created a limited access command set for a few of my engineers. They can shut/no shut ports, change VLANs on access ports etc., but they can't access critical ports like uplinks. That's working fine. I'd like to take it a step further and ensure that they can't accidentally assign a server VLAN to a user access port. Using ACS 4.2.
For the example, i'll use Vlan 101, which is one of my server networks.
My Command set says:
Command: switchport
Arguments: permit access, permit vlan, deny 101
Permit Unmatched Args is UNCHECKED.
When I debug the aaa authorization, i see this:
146425: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=<my Testuser>
146426: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
146427: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
146428: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
146429: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
146430: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
146431: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
146432: Mar 8 09:39:19.362: AAA/AUTHOR (3413047404): Post authorization status = PASS_ADD
I know I have the correct command set applied, because it blocks me appropriately for other commands.
146451: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): user=<my Testuser>
146452: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV service=shell
146453: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd=interface
146454: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=GigabitEthernet
146455: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=1/1
146456: Mar 8 09:39:22.526: AAA/AUTHOR/TAC+: (838742026): send AV cmd-arg=<cr>
146457: Mar 8 09:39:22.730: AAA/AUTHOR (838742026): Post authorization status = FAIL
Any thoughts why it's not working as expected?
Don't mean to be ignorant about this, but is there a way to export the config from ACS? Router config section is below... I've used this successfully with 4.2 several times...
ip tacacs source-interface gi 0/0
tacacs-server directed-request
tacacs-server key
tacacs-server host x.x.x.x
aaa new-model
aaa authentic login default group tacacs+ local
aaa authentic login no-tacacs none
aaa authentic enable default group tacacs+ enable
aaa author config-commands
aaa author exec default if-authenticated
aaa author commands 1 default if-authenticated
aaa author commands 15 default group tacacs+ local
aaa author console
aaa account exec default start-stop group tacacs+
aaa account commands 0 default start-stop group tacacs+
aaa account commands 1 default start-stop group tacacs+
aaa account commands 15 default start-stop group tacacs+
aaa account connection default start-stop group tacacs+
aaa account system default start-stop group tacacs+
aaa session-id common -
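Both the rancid thread (a tac_plus-style group with per-command permit rules) and this one (an ACS command set with ordered permit/deny argument rules) come down to how a TACACS+ server matches the cmd and cmd-arg AV pairs the router sends. The following is an added example, not code from the thread, from ACS or from tac_plus, that models that matching under one explicitly assumed rule: rules are tried in the order written against the joined argument string, an unanchored regex search decides on the first hit, and a command absent from the set is denied. Under that assumption the "permit access, permit vlan, deny 101" set passes "switchport access vlan 101" because "access" matches first, while a deny-first, anchored set blocks it; the same evaluator shows the rancid group permitting "write terminal" but not "write memory". The user name and debug text are constructed from the lines quoted above, and the first-match semantics are an assumption for illustration, not a statement about ACS internals.

```python
"""Model of regex-based TACACS+ command authorization (cmd / cmd-arg)."""
import re
from typing import Dict, List, Sequence, Tuple

# ("permit" | "deny", regex) rules per command name, in the order written.
Policy = Dict[str, List[Tuple[str, str]]]

_CMD_RE = re.compile(r"send AV cmd=(\S+)")        # "cmd-arg=" does not match this
_ARG_RE = re.compile(r"send AV cmd-arg=(\S+)")


def extract_request(debug_text: str) -> Tuple[str, List[str]]:
    """Pull the cmd and cmd-arg AV pairs out of 'debug aaa authorization' lines."""
    cmd = ""
    args: List[str] = []
    for line in debug_text.splitlines():
        m = _CMD_RE.search(line)
        if m:
            cmd = m.group(1)
            continue
        m = _ARG_RE.search(line)
        if m:
            args.append(m.group(1))
    return cmd, args


def authorize(policy: Policy, cmd: str, cmd_args: Sequence[str],
              permit_unmatched: bool = False) -> bool:
    """First-match evaluation (assumed semantics for illustration).

    The argument tokens (minus the trailing <cr>) are joined into one string,
    the command's rules are tried in order with an unanchored regex search,
    and the first hit decides. Arguments matching no rule follow
    permit_unmatched; a command that is not in the set at all is denied.
    """
    rules = policy.get(cmd)
    if rules is None:
        return False
    arg_string = " ".join(a for a in cmd_args if a != "<cr>")
    for action, pattern in rules:
        if re.search(pattern, arg_string):
            return action == "permit"
    return permit_unmatched


# The ACS command set as listed in the question, in the order given there.
POLICY_AS_WRITTEN: Policy = {
    "switchport": [("permit", "access"), ("permit", "vlan"), ("deny", "101")],
}

# Same intent, deny placed first and both patterns anchored to the whole argument.
POLICY_DENY_FIRST: Policy = {
    "switchport": [("deny", r"\b101\b"), ("permit", r"^access vlan \d+$")],
}

# The rancid group from the earlier thread, expressed as a policy of the same shape.
RANCID_POLICY: Policy = {
    "show": [("permit", ".*")],
    "exit": [("permit", ".*")],
    "dir": [("permit", ".*")],
    "write": [("permit", "term")],
}

# Constructed sample modelled on the authorization debug quoted above.
SAMPLE_AUTHOR_DEBUG = """\
146425: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): user=testuser
146426: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV service=shell
146427: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd=switchport
146428: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=access
146429: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=vlan
146430: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=101
146431: Mar 8 09:39:19.162: AAA/AUTHOR/TAC+: (3413047404): send AV cmd-arg=<cr>
"""

if __name__ == "__main__":
    cmd, args = extract_request(SAMPLE_AUTHOR_DEBUG)
    print("request     :", cmd, args)
    print("as written  :", authorize(POLICY_AS_WRITTEN, cmd, args))
    print("deny first  :", authorize(POLICY_DENY_FIRST, cmd, args))
    print("vlan 20     :", authorize(POLICY_DENY_FIRST, cmd, ["access", "vlan", "20", "<cr>"]))
    print("interface   :", authorize(POLICY_AS_WRITTEN, "interface", ["GigabitEthernet", "1/1", "<cr>"]))
    print("rancid write:", authorize(RANCID_POLICY, "write", ["memory"]))
```

The practical takeaway is independent of the exact server: a deny that is meant to win must come before any permit that could also match, and a permit pattern should be anchored to the full argument string rather than a single token, or it will match more than intended.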
Hello.
I'm using this configuration for command accounting with Cisco Secure ACS. When the first server fails, the second AAA server doesn't report any accounting records in T+ Administration, even when using the broadcast keyword.
Many thanks for suggestions.
Regards.
Andrea
aaa new-model
aaa group server tacacs+ CiscoSecureACS
server 10.4.44.74
server 10.4.44.75
aaa authentication login default group CiscoSecureACS local
aaa authentication enable default group CiscoSecureACS enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group CiscoSecureACS local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group CiscoSecureACS
aaa accounting commands 15 default start-stop group CiscoSecureACS
aaa accounting connection default start-stop group CiscoSecureACS
tacacs-server host 10.4.44.74 single-connection timeout 5
tacacs-server host 10.4.44.75 single-connection timeout 5
tacacs-server directed-request
Using some debug and log output I can verify that the AAA server receives the accounting packet and replies, but doesn't record it on file.
Any ideas?
Thanks.
Andrea -
Hi:
I want to use something like "command accounting" on a PIX 525; I mean I want to know what commands were executed or typed by the administrator.
Does somebody know if it is possible on the PIX? My PIX version is 6.3.3.
Thank you.
I could find the following information for ver 6.2. I guess it is applicable to 6.3 too. http://www.cisco.com/warp/public/110/pix_command.shtml#accounting Basically, actual command accounting is not available. However, you can generate some sort of a record using syslog.
-
CSCtg09895 - %MGBL-exec-3-ACCT_ERR main: command accounting failed
Dear fellows,
I am facing the below problem on one of the ASR 9010 routers while configuring. I am unable to configure anything; after entering any command this error shows up:
RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
RP/0/RSP0/CPU0:hostname(config-if)#commit
Thu Jan 15 12:48:50.521 IST
RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
It is not allowing me even to commit any change,
and I am unable to find any online solutions for this.
Please help.
The following packages are active right now:
disk0:asr9k-doc-px-4.3.4
disk0:asr9k-fpd-px-4.3.4
disk0:asr9k-k9sec-px-4.3.4
disk0:asr9k-mcast-px-4.3.4
disk0:asr9k-mgbl-px-4.3.4
disk0:asr9k-bng-px-4.3.4
disk0:asr9k-mini-px-4.3.4
disk0:asr9k-mpls-px-4.3.4
It is a fresh installation and the device is not connected to any network yet.
PS: please tell me what more output is needed so that this problem can be solved.