TACACS + Command Logging Problems

All,
Working on a problem that I'm having getting command logging set up for my switch / router infrastructure.  Below is my config. Authentication is working, both console & SSH.  Authorization is also working.  Some of my accounting features are working, like successful TACACS+ logins, but all my command logging features are not working properly.
I'm currently running ACS V4.1.  Also, what is the difference between using named auth / accounting lists and the default?  Is it just that I need to apply them to certain interfaces, where the default is applied to all interfaces?
Configs:
aaa new-model
aaa authentication login SSH group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec CONSOLE local
aaa authorization exec SSH group tacacs+
aaa authorization network CONSOLE local
aaa authorization network SSH group tacacs+
aaa accounting exec SSH start-stop group tacacs+
aaa accounting commands 0 SSH start-stop group tacacs+
aaa accounting commands 1 SSH start-stop group tacacs+
aaa accounting commands 15 SSH start-stop group tacacs+
aaa accounting network SSH start-stop group tacacs+
access-list 1 permit X.X.56.0 0.0.0.255
tacacs-server host X.X.X.X key XXXXXXXXXXXXX
tacacs-server timeout 30
tacacs-server directed-request
control-plane
line con 0
session-timeout 10
authorization exec CONSOLE
login authentication CONSOLE
line vty 0 4
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
line vty 5 15
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
Any help is appreciated.
Thanks!
Jon

This looks fine:
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
3d22h: TPLUS(00000034)/0/NB_WAIT: socket event 2
3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: Would block while reading
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 12 header bytes (expect 5 bytes data)
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
3d22h: TPLUS: Received accounting response with status PASS
On ACS, look in the log directories for the CSTacacs and CSLog services, and find the entries corresponding to the above.
Incidentally, you may want to make the timestamps on the router datetime rather than uptime; it makes it easier to correlate logs.
service timestamps debug datetime localtime msec
service timestamps log datetime localtime msec

Similar Messages

  • No TACACS+ Administration Logging on ACS

    I can get a csv file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS], but that log file is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this data, but my ASA 5520 will only allow:
    aaa accounting command <server group> or <privilege>.
    How do I get this ASA and Windows ACS to collect TACACS+ administration?
    Note: My TACACS+ accounting does collect data on users ssh into the ASA.

    It's quite possible that you might be experiencing a known bug ( CSCsg97429 ) in ACS version 4.1.
    Get this patch: Acs-4.1.1.23.5-SW.zip. It fixes the TACACS+ Administration log/report problem.
    You're right in regards to the command. It is needed for your NAS to send accounting information to the ACS.
    Here's an example of the commands:
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Hope it helps.

  • Cisco ASA 8.4 Command logging in ACS

    Hello,
    I have set up command authorisation on an ASA 8.4 firewall, and everything seems to work fine.
    The only problem is that the commands executed on the device, such as ssh or asdm access, do not show up in the TACACS+ Administration log on the ACS 4.2 server.
    While on switches and routers the commands executed do show up in the log.
    I googled the web, but did not find any similar item for this issue.
    Please help....

    You need to look at the latency between the initial connection after the pause and the beginning of when data is returned to the client. I will virtually guarantee the application is timing the user out before restarting the session.
    Sent from Cisco Technical Support iPad App

  • Tacacs+ Administration log Auditing

    Hello ,
    I am working as internal Auditor in a Bank and I am having doubts about something in the logs generated by TACACS+; I am looking for someone to assist with this.
    My concern is about Firewall changes which are triggered in the TACACS+ Administration log. It shows you in terms of adding an IP address as Source to a specific group (objects) as destination. What if I need more details about the destination object privileges which I am adding this source to? How can I identify these changes?

    Hi Mahmoud,
    You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI.
    To enable command accounting, enter the following command:
    hostname(config)# aaa accounting command [privilege level] server-tag
    and you do have this command in your configuration. Now if command accounting is not working in your case then you need to tell me what version of Cisco ACS you are running; if it is ACS 4.1.1.23 then there is a defect that has been fixed in patch 5.
    The issue that you are facing could be due to,
    CSCsg97429 - TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.
    aaa-server AuthOutbound protocol tacacs+
    aaa authentication http console LOCAL
    aaa authentication enable console TACACS+
    aaa authentication serial console TACACS+
    aaa authentication ssh console TACACS+
    aaa authorization command TACACS+
    aaa accounting command TACACS+
    How to configure command accounting on ASA
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1059882
    Hope this helps.
    Let me know if you need further help on this.
    Regards,
    Jatin
    Do rate helpful posts~

  • Tacacs+ accounting log question

    I have a tacacs server running for accounting purposes only (so I use local authentication). So I can collect all accounting logs only.
    This is a snapshot for accounting part.
    Tacacs accounting logs
    <102> 2014-02-23 10:20:22 [10.254.1.2:22823] 02/23/2014 10:20:22 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.50.129 User= brian Flags=Stop task_id=57 cmd=perfmon interval 10 service=shell elapsed_time=0
    <102> 2014-02-23 10:23:51 [10.254.1.2:58167] 02/23/2014 10:23:51 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.50.129 User=brian Flags=Stop task_id=58 cmd=configure term service=shell elapsed_time=0
    <102> 2014-02-24 07:06:31 [10.254.1.2:19784] 02/24/2014 07:06:31 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=59 cmd=perfmon interval 10 service=shell elapsed_time=0
    <102> 2014-02-24 07:07:53 [10.254.1.2:19254] 02/24/2014 07:07:53 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=5a cmd=configure term service=shell elapsed_time=0
    As you can see, I can't see any command lines, such as show int ip b.   I can see all routers' and switches' logs, but ASA logs show only like above. No matter what commands I used, it only shows the above logs. Do I miss something? I'd like to capture all command lines when users use ASDM because we always use ASDM.
    I used Free tacacs+ server, not ACS.
    Thanks for your time.

    Hi Patrick,
    In the ACS View Reports (Monitoring & Reports > Reports > Catalog > AAA Protocol) you can select the
    radio button and by selecting 'Run' on the bottom run a specific query. Without that, by default you will see only a report from one day.
    For the 2nd question, yes, the ACS View is designed to store that information; however, if needed you can send the logs to an external syslog server or perform regular backups of the ACS View database.
    Kind regards,
    Pawel

  • TACACS Command accounting

    HI
    We configured accounting in our network devices. But the commands users are typing are not showing in the TACACS+ Accounting section. We are using ACS 4.1se and the commands for accounting in the devices are given below.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Please help

    Command accounting logs are stored in tacacs administration logs. Also there is a known issue on ver 4.1.1 and we need to apply patch ACS 4.1.1.23.5 to fix the issue.
    Patch for appliance is available on
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
    Patch name : ACS SE 4.1.1.23.5 accumulative patch
    Patch for acs windows is available on
    http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
    Patch Name : ACS 4.1.1.23.5 accumulative patch
    Regards,
    ~JG
    Do rate helpful posts

  • Show commands logging ?

    Hi guys, I'm using ACS 3.3 windows version, these are the commands
    aaa accounting update periodic 1
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    but I'm not getting all the show commands logged. I usually get logging of show running, show start-up, but no other show commands like show ip int brief and such. What is the reason? How can I get all the exec commands logged?
    thanks

    Ovais
    The command that you have configured:
    aaa accounting commands 15 default start-stop group tacacs+
    will generate accounting records for the commands that are entered that require level 15 privilege (such as show run, show start, etc) but will not generate accounting records for commands which only require level 1 privilege (such as sh ip int brief, etc). If you also want these commands to generate accounting records then you should add this to your config:
    aaa accounting commands 1 default start-stop group tacacs+
    HTH
    Rick

  • Error logging problem:

    error logging problem:
    I would like to implement an error logger that will do the following tasks when an error/exception arises:
    - suppress the DacfErrorPopupLogger
    - alert the user that an error has occurred with a simplified popup (create a global listener then use the ErrorAttributes to create the text of the popup)
    - log the error in a file with a timestamp and all error information
    - later if the above works....I would like to add the error attributes (time stamp, error type) to an oracle object/ JDev domain.
    Questions:
    What is the best technique to use....errorManager, error logger ...?? combination
    How do I use the error manager to register listeners for the errors?
    In the following code I am not sure how to access the ErrorAttributes[] array that is returned by loggerReader.getErrors();
    Any general tips or places to find sample code on errorManager or associated interfaces will be appreciated.
    I used the OutputStreamLogger to write error information to a FileOutputStream then a loggerReader to get the error attributes from the file. The reason I went in this direction is because I found some sample code on the outputStream logger.
    package DACVideo;
    import oracle.dacf.util.errorloggers.*;
    import oracle.dacf.util.errormanager.*;
    import oracle.dacf.util.errorloggers.InputStreamLoggerReader.ErrorAttributes;
    import java.io.*;

    /**
     * A Class class.
     * <P>
     * @author Adam Maddox
     */
    public class ErrorLogger extends Object {
        static OutputStreamLogger logger = null;
        static InputStreamLoggerReader loggerReader = null;

        public ErrorLogger() {
            System.out.println("==============ErrorLogger Created==============");
            // remove default error logger (popup logger)
            ErrorManager.removeErrorLogger(ErrorManager.findLoggerByName(DacfErrorPopupLogger.NAME));
            try {
                logger = new OutputStreamLogger(new FileOutputStream("out.dat"));
                loggerReader = new InputStreamLoggerReader(new FileInputStream("out.dat"));
            } catch (java.io.IOException e) {
                System.err.println("Error!");
            }
            try {
                ErrorManager.addErrorLogger(logger);
            } catch (NameAlreadyRegisteredException e) {
                System.err.println("A Logger with this name is already registered.");
            }
        }

        private void closeErrorLog() {
            // close the OutputStream, to force flushing
            logger.closeOutputStream();
            ErrorManager.removeErrorLogger(logger);
        }

        public static void showErrorLog() {
            ErrorAttributes[] errorArray = loggerReader.getErrors(); // <<<< CANNOT GET ERROR ATTRIBUTES ??
        }
    }

    JDev could you help??

  • X2-02 log problem

    dear members,
    I have a log problem with my x2-02: only the last occurrence belonging to a certain contact (in the contacts book) is logged. When a new handling occurrence linked to this contact happens, only this last handling is logged (all the previous ones are deleted, not there anymore).
    This was not the situation before, I did play a little bit through the menu and after that it happened. Of course I did already try the regular solutions, soft reset-hard reset, reinstalling the (latest software). But till now nothing did work.
    Can someone assist on this
    Greetings
    Fiesta
    holland

    dear members
    I would like to contribute the following: I noticed another bug, which I think occurred simultaneously/is linked together. When I go to contacts and choose the option "View conversations" I see with certain persons that there are also conversations (sms messages) not pertaining/belonging to that contact (belonging to more different contacts).
    Does this bell ring some where?
    greetings
    fiesta  

  • SYSLOG LOGGING PROBLEMS !!!!

    Hi All,
    I am trying to configure a syslog server to log messages from the routers.
    I am trying on the first router, and I issue the command:
    LOGGING (syslog ip address)
    So now the messages should be sent to the syslog server.
    Now supposing I want to capture the events when an access-list is met, namely the DENY IP ANY ANY .... so I should issue the DENY IP ANY ANY LOG command, right??? The LOG keyword should force the router to log the event every time this is met. However, I try to do illegal traffic to trigger the DENY IP ANY ANY LOG but it does not show anything logged in the show run, or on the syslog server.
    I know the syslog works fine as it logs the messages
    that I have configured the router from my ip address.
    Is there something I am missing here???
    Please help ,
    Thanks,
    George

    Hi,
    What trap level have you set on the router??? After going in the configure terminal mode issue the command "logging trap 7" so that you'll get all the messages which are sent.
    It would be better if you could post your config.
    Hope it helps.
    Please rate helpful posts.
    Regards,
    AbhisheK

  • TACACs+ commands not dropping me into enable mode

    Hi All,
    I've just configured the following on a router running IOS 15. All my other devices are running the old tacacs commands but I thought I'd try the new CLI version.
    It works, e.g. I get prompted for username/password and it authenticates against our AD Server (integrated with ACS4.2). I get into the router but into user mode.
    My other devices drop me straight into Priv Mode. The only difference is the new commands v the old commands, but I can't see anything that is different in relation to putting me into Priv mode.
    Any ideas?
    aaa group server tacacs+ ABC_ACS
    server name ABC_TAC
    tacacs server ABC_TAC
    address ipv4 172.27.10.10
    key secretkey
    aaa authentication login ACS_List group ABC_ACS line
    aaa authorization exec ACS_List group ABC_ACS if-authenticated
    aaa accounting exec ACS_List start-stop group ABC_ACS
    aaa accounting commands 15 ACS_List start-stop group ABC_ACS
    line vty 0 4
    password test
    authorization exec ACS_List
    accounting commands 15 ACS_List
    accounting exec ACS_List
    login authentication ACS_List
    length 0
    transport input ssh

    Make sure you defined the username with a static privilege level of 15, otherwise it will not be able to pass the enable authentication.
    If ACS 5.x or higher, go to the policy elements: Shell Profile and make sure you have one assigned for a static maximum privilege of 15 and, most important, that it's applied to an access-policy rule.

  • Tacacs Command Authorization

    Hello awesome community
    I am trying to wrap my head around a possible configuration issue where I am creating a "rancid" account to auto log into a cisco switch (2950/2960) with restricted access. The problem is I cannot seem to restrict the access very well; the rancid user has all the access it wants.
    Tacacs Config Snippet:
    group = rancid {
        default service = deny
        service = exec {
            priv-lvl = 15
        }
        cmd = show {
            permit .*
        }
        cmd = exit {
            permit .*
        }
        cmd = dir {
            permit .*
        }
        cmd = write {
            permit term
        }
    }
    Cisco AAA Configuration:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login console group tacacs+ local
    aaa authentication enable default group tacacs+
    aaa authorization console
    aaa authorization exec default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    Is there something I am missing or not accurately setting up to restrict access to *only* the commands listed in the Tacacs Configs?

    Found the issue \o/
    I lacked some authorization commands, added the following fixed this issue:
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+
    aaa authorization commands 15 default group tacacs+
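    An added audit script (not from any post in this thread) that checks the three things these threads turn on: Jon's question, whether every named command-accounting list is actually applied on every line (the default list applies everywhere), Rick's point that level-15 command accounting alone misses level-1 commands, and the rancid fix above, that TACACS+ per-command rules only take effect once the device has aaa authorization commands and config-commands. The configuration below is constructed for the example, not any poster's.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the named-list config in the first thread
# (not any poster's actual config): the second vty range is missing level-1
# command accounting, and no per-command authorization is defined at all.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting commands 1 SSH start-stop group tacacs+
aaa accounting commands 15 SSH start-stop group tacacs+
line vty 0 4
 accounting commands 1 SSH
 accounting commands 15 SSH
 login authentication SSH
line vty 5 15
 accounting commands 15 SSH
 login authentication SSH
"""

# Sub-commands that live under a "line ..." block; anything else ends the block.
LINE_SUBCMDS = ("accounting ", "authorization ", "login ", "transport ",
                "session-timeout", "access-class", "password", "length",
                "exec-timeout")


def parse_config(text):
    """Collect aaa command accounting/authorization lists and their use per line."""
    acct = defaultdict(set)   # list name -> privilege levels with command accounting
    authz = defaultdict(set)  # list name -> privilege levels with command authorization
    lines = {}                # "vty 0 4" -> {"accounting": {list: levels}, ...}
    config_commands = False
    current = None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("line "):
            current = s[5:]
            lines[current] = {"accounting": defaultdict(set),
                              "authorization": defaultdict(set)}
            continue
        if current is not None and s.startswith(LINE_SUBCMDS):
            m = re.match(r"(accounting|authorization) commands (\d+) (\S+)", s)
            if m:
                lines[current][m.group(1)][m.group(3)].add(int(m.group(2)))
            continue
        current = None  # any other top-level command closes the line block
        m = re.match(r"aaa (accounting|authorization) commands (\d+) (\S+) ", s)
        if m:
            target = acct if m.group(1) == "accounting" else authz
            target[m.group(3)].add(int(m.group(2)))
        elif s == "aaa authorization config-commands":
            config_commands = True
    return {"acct": acct, "authz": authz, "lines": lines,
            "config_commands": config_commands}


def audit(cfg):
    """Findings, in order: per-line coverage, level gaps, authorization gaps."""
    findings = []
    for name, levels in sorted(cfg["acct"].items()):
        if name != "default":  # the default list applies to every line automatically
            for line, used in cfg["lines"].items():
                missing = levels - used["accounting"].get(name, set())
                if missing:
                    findings.append(f"line {line}: accounting list {name} not "
                                    f"applied for level(s) {sorted(missing)}")
        if 15 in levels and 1 not in levels:
            findings.append(f"list {name}: only level 15 accounted; level-1 "
                            f"commands such as 'show ip int brief' are not logged")
    if not cfg["authz"]:
        findings.append("no 'aaa authorization commands': TACACS+ per-command "
                        "permit/deny rules are not enforced on the device")
    elif not cfg["config_commands"]:
        findings.append("'aaa authorization config-commands' missing: "
                        "configuration-mode commands are not authorized")
    return findings
```

    Run audit(parse_config(text)) over a saved running-config; on the sample it reports the uncovered vty range and the absent command authorization.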

  • Pix command authorization problem

    help required
    I am trying to configure PIX firewall command authorization using Cisco
    Secure ACS 4.2 and a PIX 515 running 7.0(5), but have run into a problem:
    I can't get it to work!
    I have included the PIX firewall configuration below and have included
    screenshots of the ACS configuration as attachments.
    As you can see, I can authenticate OK, but that is as far as I can go:
    as soon as I try to use the enable command, authorization fails.
    I can't even enter a password.
    I have created two shell command authorization sets,
    one called admins which is configured to allow all commands
    and one called restricted which restricts me to only a few commands.
    If I apply the admins authorization set to the group where the user
    resides I can authenticate and authorize and I have access to all
    commands, but if I apply the restricted authorization set I get the
    problem depicted below.
    I would appreciate it if someone could take a look and give me
    some pointers as to where I am going wrong.
    regards
    melvyn brown
    interface ethernet0
    nameif outside
    ip address 110.1.1.1 255.255.255.0
    speed 100
    duplex full
    no shut
    interface ethernet1
    nameif inside
    ip address 192.168.8.2 255.255.255.0
    speed 100
    duplex full
    no shut
    route inside 192.168.7.0 255.255.255.0 192.168.8.1
    route inside 192.168.3.0 255.255.255.0 192.168.8.1
    aaa-server ACS1 protocol tacacs+
    aaa-server ACS1 host 192.168.7.2
    key cisco123
    domain-name acme.com
    crypto key generate rsa modulus 1024
    telnet 192.168.3.2 255.255.255.255 inside
    ssh 192.168.3.2 255.255.255.255 inside
    aaa authentication enable console ACS1
    aaa authentication serial console ACS1
    aaa authentication ssh console ACS1
    aaa authentication telnet console ACS1
    aaa authorization command ACS1
    Username: fred
    Password: **********
    Type help or '?' for a list of available commands.
    pixfirewall> en
    Command authorization failed
    pixfirewall> ?
      clear   Reset functions
      enable  Turn on privileged commands
      exit    Exit from the EXEC
      help    Interactive help for commands
      login   Log in as a particular user
      logout  Exit from the EXEC
      ping    Send echo messages
      quit    Exit from the EXEC
      show    Show running system information

    Fixed it. It was one of those ID10T type errors. The user I was testing against was in group1 on the ACS. Trouble is I was adding command authorizations to group0. Duh!

  • Process Chain/OS Command cp problem

    Hello,
    I am trying to execute a command similar to the following in an OS command in a process chain:
    cp /path/filename*.txt /path/filenamexxx.txt
    I know it's not a permissions problem.
    This is the error message from the Process Chain Maintenance Log View:
    cp: cannot access /path/filename*.txt: No such file or directory
    External program terminated with exit code 1
    Any help will be greatly appreciated.
    Thanks,
    Gary Martins

    Hi Gary,
       Is this file (cp /path/filename*.txt /path/filenamexxx.txt) available at that particular path?
       Is the file on the application server or on a workstation (PC)? If the file is available on one application server and your Pchain is running against another application server, you may get this error. Please check.
    Hope it Helps
    Srini

  • Logging Problems on CSS11503 - please help

    Hi,
    One of our CSS11503s is not functioning properly. Our ITO system is receiving "server down" messages for services but the "server up" message is not coming through.
    We have 2 load balancers with identical config; the only difference I can see in them is the following:
    when I do a "show log-state", the load balancer that is not sending the server up messages has the log level set to "warning", whereas the one that works ok is set to "debug".
    I have stated in the config log level 7 for our ITO management system but this value in "sh log-state" is still the same???
    Any ideas on how to change this to debug on the CSS that is not sending the server up messages?
    thanks

    The UP message is generated at level '5'.
    So that's what you need to change indeed.
    Usually the problem is that the logging level stays stuck in '7' not '4'.
    Are you certain that the command is there ?
    What software version ?
    The procedure to recover when stuck in level '7' is below.
    You can give it a try.
    -Reboot and interrupt the boot going into offDM.
    -shift T (technicians menu).
    -choose "1" for configure.
    -then "3" for set logging flags.
    -"2" for set logging level (set to level 4).
    -then "r" until you're back to the main menu.
    -reboot.
    Gilles.
