TACACS + Command Logging Problems
All,
I'm working on a problem getting command logging set up for my switch/router infrastructure. Below is my config. Authentication is working, both console and SSH. Authorization is also working. Some of my accounting features are working, like successful TACACS+ logins, but all my command logging features are not working properly.
I'm currently running ACS V4.1. Also, what is the difference between using named auth/accounting lists and the default? Is it just that I need to apply them to certain interfaces, where the default is applied to all interfaces?
Configs:
aaa new-model
aaa authentication login SSH group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec CONSOLE local
aaa authorization exec SSH group tacacs+
aaa authorization network CONSOLE local
aaa authorization network SSH group tacacs+
aaa accounting exec SSH start-stop group tacacs+
aaa accounting commands 0 SSH start-stop group tacacs+
aaa accounting commands 1 SSH start-stop group tacacs+
aaa accounting commands 15 SSH start-stop group tacacs+
aaa accounting network SSH start-stop group tacacs+
access-list 1 permit X.X.56.0 0.0.0.255
tacacs-server host X.X.X.X key XXXXXXXXXXXXX
tacacs-server timeout 30
tacacs-server directed-request
control-plane
line con 0
session-timeout 10
authorization exec CONSOLE
login authentication CONSOLE
line vty 0 4
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
line vty 5 15
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
Any help is appreciated.
Thanks!
Jon
This looks fine:
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
3d22h: TPLUS(00000034)/0/NB_WAIT: socket event 2
3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: Would block while reading
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 12 header bytes (expect 5 bytes data)
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
3d22h: TPLUS: Received accounting response with status PASS
On ACS, look in the log directories for the CSTacacs and CSLog services, and find the entries corresponding to the above.
Incidentally, you may want to make the timestamps on the router be datetime rather than uptime; it makes it easier to correlate logs.
service timestamps debug datetime localtime msec
service timestamps log datetime localtime msec
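As an added example (not part of the thread, and not a Cisco tool), the script below does the router-side half of the check the reply describes: it parses `debug tacacs` accounting output like the lines quoted above, groups the AV pairs by accounting request id, records the server's reply status, and lists any request the server never answered with PASS, which are the ones worth chasing in the ACS CSTacacs/CSLog directories. The sample input is the debug output quoted in the reply; grouping on the "processing accounting request id" line and the "NO RESPONSE" status for a request with no reply line are this example's own conventions, not IOS behaviour.

```python
import re
from dataclasses import dataclass, field

# Sample input: the 'debug tacacs' accounting output quoted in the reply above
# (uptime timestamps and the masked server address left as they appear there).
SAMPLE_DEBUG = """\
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS: Received accounting response with status PASS
"""

REQ_RE = re.compile(r"TPLUS: processing accounting request id (\d+)")
AV_RE = re.compile(r"TPLUS: Sending AV ([^=\s]+)=(.*)$")
USER_RE = re.compile(r"Accounting request created for (\d+)\((\S+)\)")
STATUS_RE = re.compile(r"Received accounting response with status (\w+)")


@dataclass
class AcctRequest:
    """One TACACS+ accounting request as the router saw it."""
    req_id: str
    user: str = ""
    avpairs: dict = field(default_factory=dict)
    status: str = "NO RESPONSE"  # overwritten by the server's reply status, if any

    @property
    def is_command_record(self) -> bool:
        # Command accounting records carry a cmd= AV pair; exec start/stop ones do not.
        return "cmd" in self.avpairs


def parse_tplus_debug(text: str) -> list:
    """Group debug lines into AcctRequest objects, in order of appearance."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            current = AcctRequest(req_id=m.group(1))
            requests.append(current)
            continue
        if current is None:
            continue  # lines before the first request (e.g. the AAA/ACCT method line)
        m = AV_RE.search(line)
        if m:
            current.avpairs[m.group(1)] = m.group(2).strip()
            continue
        m = USER_RE.search(line)
        if m and m.group(1) == current.req_id:
            current.user = m.group(2)
            continue
        m = STATUS_RE.search(line)
        if m:
            current.status = m.group(1)
    return requests


def summarize(requests: list) -> list:
    """One human-readable line per request, e.g. for pasting into a ticket."""
    out = []
    for r in requests:
        what = f"cmd={r.avpairs['cmd']!r}" if r.is_command_record else "exec session"
        out.append(f"request {r.req_id}: user={r.user or '?'} "
                   f"priv-lvl={r.avpairs.get('priv-lvl', '?')} {what} -> {r.status}")
    return out


def unacknowledged(requests: list) -> list:
    """Requests the server never answered with PASS: the ones to look for on ACS."""
    return [r for r in requests if r.status != "PASS"]


if __name__ == "__main__":
    reqs = parse_tplus_debug(SAMPLE_DEBUG)
    print("\n".join(summarize(reqs)))
    print("unacknowledged:", [r.req_id for r in unacknowledged(reqs)])
```

Feed it a longer capture (several requests) and the summary shows which commands actually left the router and with what privilege level; a record that is PASS here but absent on the server points at the ACS side, while one with NO RESPONSE points at the router, the network, or the shared key.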
Similar Messages
-
No TACACS+ Administration Logging on ACS
I can get a csv file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS] but that log file is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this data, but my ASA 5520 will only allow:
aaa accounting command <server group> or <privilege>.
How do I get this ASA and Windows ACS to collect TACACS+ administration?
Note: My TACACS+ accounting does collect data on users ssh into the ASA.
It's quite possible that you might be experiencing a known bug (CSCsg97429) in ACS version 4.1.
Get this patch: Acs-4.1.1.23.5-SW.zip. It fixes the TACACS+ Administration log/report problem.
You're right in regards to the command. It is needed for your NAS to send accounting information to the ACS.
Here's an example of the commands:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Hope it helps.
-
Cisco ASA 8.4 Command logging in ACS
Hello,
I have set up command authorisation on a ASA 8.4 firewall, and everything seems to work fine.
The only problem is that the commands executed on the device, such as ssh or asdm access, do not show up in the TACACS+ Administration log on the ACS 4.2 server.
While on switches and routers the commands executed do show up in the log.
I googled the web, but did not find any similar item for this issue.
Please help....
You need to look at the latency between the initial connection after the pause and the beginning of when data is returned to the client. I will virtually guarantee the application is timing the user out before restarting the session.
Sent from Cisco Technical Support iPad App
-
Tacacs+ Administration log Auditing
Hello ,
I am working as an internal auditor at a bank and I am having doubts about something in the logs generated by TACACS+; I'm looking for someone to assist on this.
My concern is about firewall changes that appear in the TACACS+ Administration log. It shows adding an IP address as a source to a specific group (object) as destination. What if I need more details about the destination object's privileges to which I am adding this source; how can I identify these changes?
Hi Mahmoud,
You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI.
To enable command accounting, enter the following command:
hostname(config)# aaa accounting command [privilege level] server-tag
and you do have this command in your configuration. Now if command accounting is not working in your case then you need to tell me what version of Cisco ACS you are running; if it is ACS 4.1.1.23 then there is a defect that has been fixed in patch 5.
The issue that you are facing could be due to:
CSCsg97429 - TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.
aaa-server AuthOutbound protocol tacacs+
aaa authentication http console LOCAL
aaa authentication enable console TACACS+
aaa authentication serial console TACACS+
aaa authentication ssh console TACACS+
aaa authorization command TACACS+
aaa accounting command TACACS+
How to configure command accounting on ASA
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1059882
Hope this helps.
Let me know if you need further help on this.
Regards,
Jatin
Do rate helpful posts~
-
Tacacs+ accounting log question
I have a tacacs server running for accounting purposes only (so I use local authentication). So I can collect all accounting logs only.
This is a snapshot for accounting part.
Tacacs accounting logs
<102> 2014-02-23 10:20:22 [10.254.1.2:22823] 02/23/2014 10:20:22 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.50.129 User= brian Flags=Stop task_id=57 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-23 10:23:51 [10.254.1.2:58167] 02/23/2014 10:23:51 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.50.129 User=brian Flags=Stop task_id=58 cmd=configure term service=shell elapsed_time=0
<102> 2014-02-24 07:06:31 [10.254.1.2:19784] 02/24/2014 07:06:31 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=59 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-24 07:07:53 [10.254.1.2:19254] 02/24/2014 07:07:53 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=5a cmd=configure term service=shell elapsed_time=0
As you can see, I can't see any command lines, such as show int ip b. I can see all router and switch logs, but ASA logs show only like above. No matter what commands I used, it only shows the above logs. Do I miss something? I'd like to capture all command lines when users use ASDM because we always use ASDM.
I used the free tacacs+ server, not ACS.
Thanks for your time.
Hi Patrick,
In the ACS View Reports (Monitoring & Reports > Reports > Catalog > AAA Protocol) you can select the
radio button and by selecting 'Run' on the bottom run a specific query. Without that by default you will see only a report from one day.
For the 2nd question, yes, the ACS View is designed to store that information; however, if needed you can send the logs to an external syslog server or perform regular backups of the ACS View database.
Kind regards,
Pawel
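As an added example (not from the thread, and not part of tac_plus or ACS), here is the server-side counterpart of an accounting audit: it parses tac_plus accounting records like the four quoted in Patrick's post into structured events, builds a per-user command trail, and flags the gap he describes, a user whose last accounted command is `configure term` with nothing accounted inside configuration mode. The sample lines are a copy of the records in the post (including the masked `NAS_IP` and the stray space in `User= brian`); the "config mode without commands" heuristic and the assumption that no `=` appears inside a command value are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: the four tac_plus accounting records quoted above, copied as-is
# (the 'x' in NAS_IP and the space in 'User= brian' are kept deliberately).
SAMPLE_RECORDS = """\
<102> 2014-02-23 10:20:22 [10.254.1.2:22823] 02/23/2014 10:20:22 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.50.129 User= brian Flags=Stop task_id=57 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-23 10:23:51 [10.254.1.2:58167] 02/23/2014 10:23:51 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.50.129 User=brian Flags=Stop task_id=58 cmd=configure term service=shell elapsed_time=0
<102> 2014-02-24 07:06:31 [10.254.1.2:19784] 02/24/2014 07:06:31 NAS_IP=10.254.1.x Port=443 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=59 cmd=perfmon interval 10 service=shell elapsed_time=0
<102> 2014-02-24 07:07:53 [10.254.1.2:19254] 02/24/2014 07:07:53 NAS_IP=10.254.1.x Port=0 rem_addr=10.254.51.166 User=mike Flags=Stop task_id=5a cmd=configure term service=shell elapsed_time=0
"""

# <pri> ISO-timestamp [source] rest-of-record
HEADER_RE = re.compile(
    r"^<(\d+)>\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\[([^\]]+)\]\s+(.*)$")
KEY_RE = re.compile(r"(\w+)=")


@dataclass
class AcctRecord:
    timestamp: str
    nas_ip: str
    user: str
    rem_addr: str
    port: str
    flags: str
    task_id: str
    cmd: str
    service: str


def split_avpairs(body: str) -> dict:
    """Split 'k=v k2=v v v' into a dict. A value runs up to the next 'key='
    token, so commands containing spaces survive. Assumes no '=' inside a value."""
    keys = list(KEY_RE.finditer(body))
    pairs = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        pairs[m.group(1)] = body[m.end():end].strip()
    return pairs


def parse_records(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an accounting record; skip rather than guess
        p = split_avpairs(m.group(4))
        records.append(AcctRecord(
            timestamp=m.group(2), nas_ip=p.get("NAS_IP", ""), user=p.get("User", ""),
            rem_addr=p.get("rem_addr", ""), port=p.get("Port", ""),
            flags=p.get("Flags", ""), task_id=p.get("task_id", ""),
            cmd=p.get("cmd", ""), service=p.get("service", "")))
    return records


def commands_by_user(records: list) -> dict:
    """Chronological command list per user: the basic audit-trail view."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r.timestamp):
        by_user[r.user].append(r.cmd)
    return dict(by_user)


def config_mode_without_commands(records: list) -> list:
    """(user, timestamp) for each user whose last accounted command is
    'configure term...': config mode was entered but nothing done inside it
    was accounted, which is the gap the ASDM sessions above show."""
    last = {}
    for r in sorted(records, key=lambda r: r.timestamp):
        last[r.user] = r
    return [(u, r.timestamp) for u, r in last.items() if r.cmd.startswith("configure")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for user, cmds in commands_by_user(recs).items():
        print(user, "->", cmds)
    print("config mode with no accounted commands:", config_mode_without_commands(recs))
```

On the sample both users are flagged, which is exactly the observation in the post: the accounting trail records that configuration mode was entered from ASDM but not what was changed, so the trail cannot be used on its own to reconstruct the change.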
-
Hi,
We configured accounting in our network devices, but the commands users are typing are not showing in the TACACS+ Accounting section. We are using ACS 4.1 SE and the commands for accounting in the devices are given below.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Please help
Command accounting logs are stored in the TACACS+ Administration logs. Also there is a known issue on version 4.1.1 and we need to apply patch ACS 4.1.1.23.5 to fix the issue.
Patch for appliance is available on
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
Patch name: ACS SE 4.1.1.23.5 accumulative patch
Patch for acs windows is available on
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Patch name: ACS 4.1.1.23.5 accumulative patch
Regards,
~JG
Do rate helpful posts
-
Hi guys, I'm using ACS 3.3 Windows version. These are the commands:
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
but I'm not getting all the show commands logged. I usually get logging of show running and show start-up, but no other show commands like show ip int brief and such. What is the reason? How can I get all the exec commands logged?
thanks
Ovais
The command that you have configured:
aaa accounting commands 15 default start-stop group tacacs+
will generate accounting records for the commands that are entered that require level 15 privilege (such as show run, show start, etc) but will not generate accounting records for commands which only require level 1 privilege (such as sh ip int brief, etc). If you also want these commands to generate accounting records then you should add this to your config:
aaa accounting commands 1 default start-stop group tacacs+
HTH
Rick
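Two questions on this page are really the same check: Rick's point above that `aaa accounting commands N` only covers commands at privilege level N, and Jon's question in the first thread about named versus default lists, which the thread never answers (the IOS rule is that `default` applies to every line automatically, while a named list only takes effect on lines where it is applied with `accounting commands N NAME` / `accounting exec NAME`). The lint below, an added example and not any vendor's tool, parses an IOS AAA configuration and reports both mistakes. The sample inputs are Ovais's three lines from this thread, an excerpt of Jon's config from the first thread, and one constructed config with an unapplied named list; the method-keyword list in the regexes and the `line` section tracking are this example's own assumptions.

```python
import re

# Global accounting list definitions, and the line-mode commands that apply a
# named list to a line (assumed method keywords: start-stop, stop-only, wait-start, none).
CMD_LIST_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) (?:start-stop|stop-only|wait-start|none)\b")
EXEC_LIST_RE = re.compile(r"^aaa accounting exec (\S+) (?:start-stop|stop-only|wait-start|none)\b")
LINE_RE = re.compile(r"^line (.+)$")
APPLY_CMD_RE = re.compile(r"^accounting commands (\d+) (\S+)$")
APPLY_EXEC_RE = re.compile(r"^accounting exec (\S+)$")

# Sample configs: OVAIS_CFG is copied from the post above, JON_CFG is an excerpt
# of the first thread's config, UNAPPLIED_CFG is constructed for this example.
OVAIS_CFG = """\
aaa accounting update periodic 1
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""
JON_CFG = """\
aaa new-model
aaa accounting exec SSH start-stop group tacacs+
aaa accounting commands 0 SSH start-stop group tacacs+
aaa accounting commands 1 SSH start-stop group tacacs+
aaa accounting commands 15 SSH start-stop group tacacs+
line vty 0 4
 accounting commands 0 SSH
 accounting commands 1 SSH
 accounting commands 15 SSH
 accounting exec SSH
 login authentication SSH
"""
UNAPPLIED_CFG = """\
aaa accounting exec AUDIT start-stop group tacacs+
aaa accounting commands 15 AUDIT start-stop group tacacs+
line vty 0 4
 login authentication AUDIT
"""


def parse_accounting(config: str):
    """Return (defined, applied). defined holds keys like ('commands', 15, 'SSH')
    and ('exec', 'SSH'); applied maps the same keys to the line sections they
    are applied under. Line-mode 'accounting ...' commands only occur under a
    'line' section in IOS, so the last 'line' seen is taken as their section."""
    defined, applied, section = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := CMD_LIST_RE.match(line):
            defined.add(("commands", int(m.group(1)), m.group(2)))
        elif m := EXEC_LIST_RE.match(line):
            defined.add(("exec", m.group(1)))
        elif m := LINE_RE.match(line):
            section = m.group(1)
        elif m := APPLY_CMD_RE.match(line):
            applied.setdefault(("commands", int(m.group(1)), m.group(2)), set()).add(section)
        elif m := APPLY_EXEC_RE.match(line):
            applied.setdefault(("exec", m.group(1)), set()).add(section)
    return defined, applied


def describe(key) -> str:
    return " ".join(str(k) for k in key)


def lint(config: str, required_levels=(1, 15)) -> list:
    """Findings: a required privilege level with no commands-accounting list,
    a named list defined but never applied to a line (it does nothing, unlike
    'default'), and a list applied under a line but never defined."""
    defined, applied = parse_accounting(config)
    findings = []
    levels = {k[1] for k in defined if k[0] == "commands"}
    for lvl in required_levels:
        if lvl not in levels:
            findings.append(f"no 'aaa accounting commands {lvl}' list: commands that "
                            f"only need privilege {lvl} will not be accounted")
    for key in sorted(defined, key=str):
        if key[-1] != "default" and not applied.get(key):
            findings.append(f"named list '{describe(key)}' is defined but not applied under any line")
    for key in sorted(applied, key=str):
        if key not in defined:
            findings.append(f"'{describe(key)}' is applied under line {sorted(applied[key])} but never defined")
    return findings


if __name__ == "__main__":
    for name, cfg in (("ovais", OVAIS_CFG), ("jon", JON_CFG), ("unapplied", UNAPPLIED_CFG)):
        print(name, "->", lint(cfg) or "ok")
```

Run against Ovais's lines it reports only the missing level-1 list, which is Rick's diagnosis; Jon's config passes, since every named SSH list is both defined and applied under the vty lines, which is why his named lists behave like `default` on those lines.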
-
Error logging problem:
I would like to implement an error logger that will do the following tasks when an error/exception arises:
- suppress the DacfErrorPopupLogger
- alert the user that an error has occurred with a simplified popup (create a global listener, then use the ErrorAttributes to create the text of the popup)
- log the error in a file with a timestamp and all error information
- later, if the above works, I would like to add the error attributes (timestamp, error type) to an Oracle object / JDev domain.
Questions:
What is the best technique to use: errorManager, error logger, or a combination?
How do I use the error manager to register listeners for the errors?
In the following code I am not sure how to access the ErrorsAttributes[] array that is returned by loggerReader.getErrors();
Any general tips or places to find sample code on errorManager or associated interfaces will be appreciated.
I used the OutputStreamLogger to write error information to a FileOutputStream, then a loggerReader to get the error attributes from the file. The reason I went in this direction is because I found some sample code on the OutputStreamLogger.
package DACVideo;

import oracle.dacf.util.errorloggers.*;
import oracle.dacf.util.errormanager.*;
import oracle.dacf.util.errorloggers.InputStreamLoggerReader.ErrorAttributes;
import java.io.*;

/**
 * A Class class.
 * <P>
 * @author Adam Maddox
 */
public class ErrorLogger extends Object {
    static OutputStreamLogger logger = null;
    static InputStreamLoggerReader loggerReader = null;

    public ErrorLogger() {
        System.out.println("==============ErrorLogger Created==============");
        // remove default error logger (popup logger)
        ErrorManager.removeErrorLogger(ErrorManager.findLoggerByName(DacfErrorPopupLogger.NAME));
        try {
            // write errors to out.dat and read their attributes back from the same file
            logger = new OutputStreamLogger(new FileOutputStream("out.dat"));
            loggerReader = new InputStreamLoggerReader(new FileInputStream("out.dat"));
        } catch (java.io.IOException e) {
            System.err.println("Error!");
        }
        try {
            ErrorManager.addErrorLogger(logger);
        } catch (NameAlreadyRegisteredException e) {
            System.err.println("A Logger with this name is already registered.");
        }
    }

    private void closeErrorLog() {
        // close the OutputStream, to force flushing
        logger.closeOutputStream();
        ErrorManager.removeErrorLogger(logger);
    }

    public static void showErrorLog() {
        ErrorAttributes[] errorArray = loggerReader.getErrors(); // <<<< CANNOT GET ERROR ATTRIBUTES ??
    }
}
JDev, could you help??
-
dear members,
I have a log problem with my X2-02: only the last occurrence belonging to a certain contact (in the contacts book) is logged. When a new handling occurrence linked to this contact happens, only this last handling is logged (all the previous ones are deleted, not there anymore).
This was not the situation before; I did play a little bit through the menu and after that it happened. Of course I did already try the regular solutions: soft reset, hard reset, reinstalling the (latest) software. But till now nothing did work.
Can someone assist on this
Greetings
Fiesta
Holland
Dear members,
I would like to contribute the following: I noticed another bug, which I think occurred simultaneously / is linked together. When I go to contacts and choose the option "View conversations" I see with certain persons that there are also conversations (SMS messages) not pertaining/belonging to that contact (belonging to more different contacts).
Does this bell ring some where?
greetings
fiesta
-
SYSLOG LOGGING PROBLEMS !!!!
Hi All,
I am trying to configure a syslog server to log messages from the routers.
I am trying on the first router, and I issue the command:
LOGGING (syslog ip address)
So now the messages should be sent to the syslog server.
Now supposing I want to capture the events when an access-list is met, namely the DENY IP ANY ANY .... so I should issue the DENY IP ANY ANY LOG command, right??? The LOG keyword should force the router to log the event every time this is met. However, I try to send illegal traffic to trigger the DENY IP ANY ANY LOG but it does not show anything logged in the show run, or on the syslog server.
I know the syslog works fine as it logs the messages
that i have configured the router from my ip address.
Is there something i am missing here ???
Please help ,
Thanks,
George
Hi,
What trap level have you set on the router? After going into configure terminal mode, issue the command "logging trap 7" so that you'll get all the messages which are sent.
It would be better if you could post your config.
Hope it helps.
Please rate helpful posts.
Regards,
AbhisheK
-
TACACs+ commands not dropping me into enable mode
Hi All,
I've just configured the following on a router running IOS 15. All my other devices are running the old tacacs commands but I thought I'd try the new CLI version.
It works, e.g. I get prompted for username/password and authenticate against our AD server (integrated with ACS 4.2). I get into the router but into user mode.
My other devices drop me straight into priv mode. The only difference is the new commands v the old commands, but I can't see anything that is different in relation to putting me into priv mode.
Any ideas?
aaa group server tacacs+ ABC_ACS
server name ABC_TAC
tacacs server ABC_TAC
address ipv4 172.27.10.10
key secretkey
aaa authentication login ACS_List group ABC_ACS line
aaa authorization exec ACS_List group ABC_ACS if-authenticated
aaa accounting exec ACS_List start-stop group ABC_ACS
aaa accounting commands 15 ACS_List start-stop group ABC_ACS
line vty 0 4
password test
authorization exec ACS_List
accounting commands 15 ACS_List
accounting exec ACS_List
login authentication ACS_List
length 0
transport input ssh
Make sure you defined the username with a static privilege level of 15, otherwise it will not be able to pass the enable authentication.
If ACS 5.x or higher, go to the policy elements: Shell Profile and make sure you have one assigned for a static maximum privilege of 15 and, most important, that it is applied in an access-policy rule.
-
Hello awesome community
I am trying to wrap my head around a possible configuration issue where I am creating a "rancid" account to auto log into a Cisco switch (2950/2960) with restricted access. The problem is I cannot seem to restrict the access very well; the rancid user has all the access it wants.
Tacacs Config Snippit:
group = rancid {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = dir {
        permit .*
    }
    cmd = write {
        permit term
    }
}
Cisco AAA Configuration:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Is there something I am missing or not accurately setting up to restrict access to *only* the commands listed in the Tacacs configs?
Found the issue \o/
I lacked some authorization commands; adding the following fixed this issue:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
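The thread's lesson has two halves: the tac_plus group decides what the rancid user may run, but the switch only asks for that decision once `aaa authorization commands` (and `config-commands`) are configured. The script below, an added example rather than tac_plus or IOS code, models both: it evaluates commands against the rancid group transcribed as a Python dict, and checks an IOS config for the three authorization lines the poster found missing. The evaluator assumes tac_plus semantics as I understand them (first matching rule wins, the regex is searched unanchored in the command's argument string, a block with no matching rule denies, and a command with no block falls back to `default service`); anchor patterns with `^` and `$` if exact arguments matter. The two IOS configs are the poster's AAA lines before and after the fix.

```python
import re

# The rancid group from the tac_plus config above, transcribed into a dict.
# Each cmd block is an ordered list of (action, regex) rules.
RANCID_POLICY = {
    "default_service": "deny",
    "cmd": {
        "show": [("permit", r".*")],
        "exit": [("permit", r".*")],
        "dir": [("permit", r".*")],
        "write": [("permit", r"term")],
    },
}

# Switch-side lines without which per-command authorization is never requested
# (the lines the poster added), matched against a config line by line.
REQUIRED_AUTHZ = {
    "config-commands": re.compile(r"^aaa authorization config-commands$"),
    "commands 1": re.compile(r"^aaa authorization commands 1 \S+ "),
    "commands 15": re.compile(r"^aaa authorization commands 15 \S+ "),
}

# Sample IOS configs: the poster's AAA lines before the fix, and with the fix applied.
BEFORE_CFG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
"""
AFTER_CFG = BEFORE_CFG + """\
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
"""


def evaluate_policy(policy: dict, command_line: str) -> str:
    """Return 'permit' or 'deny' for one command line under a tac_plus-style
    group (assumed semantics: first matching rule wins, unanchored regex on the
    argument string, no match inside a block is deny, no block is the default)."""
    parts = command_line.split(None, 1)
    if not parts:
        return "deny"
    cmd, args = parts[0], (parts[1] if len(parts) > 1 else "")
    rules = policy["cmd"].get(cmd)
    if rules is None:
        return policy["default_service"]
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"


def missing_device_authz(ios_config: str) -> list:
    """Names of the required 'aaa authorization' lines absent from the config.
    While any is missing, the switch never consults the policy for those commands."""
    lines = [l.strip() for l in ios_config.splitlines()]
    return [name for name, rx in REQUIRED_AUTHZ.items()
            if not any(rx.match(l) for l in lines)]


if __name__ == "__main__":
    for c in ("show running-config", "write term", "write memory", "configure terminal"):
        print(f"{c!r:28} -> {evaluate_policy(RANCID_POLICY, c)}")
    print("before fix, missing:", missing_device_authz(BEFORE_CFG))
    print("after fix, missing: ", missing_device_authz(AFTER_CFG))
```

Note what the unanchored match does with `permit term`: it permits both `write term` and `write terminal`, which is what the rancid account needs, while `write memory` is denied because no rule in the `write` block matches.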
-
Pix command authorization problem
help required
I am trying to configure PIX firewall command authorization using Cisco Secure ACS 4.2 and a PIX 515 running 7.0(5), but have run into a problem: I can't get it to work!
I have included the PIX firewall configuration below and have included screen shots of the ACS configuration as attachments.
As you can see I can authenticate OK, but that is as far as I can go. As soon as I try and use the enable command, authorization fails; I can't even enter a password.
I have created two shell command authorization sets: one called admins, which is configured to allow all commands, and one called restricted, which restricts me to only a few commands.
If I apply the admins authorization set to the group where the user resides, I can authenticate and authorize and I have access to all commands, but if I apply the restricted authorization set I get the problem depicted below.
I would appreciate it if someone could take a look and give me some pointers as to where I am going wrong.
Regards
Melvyn Brown
interface ethernet0
nameif outside
ip address 110.1.1.1 255.255.255.0
speed 100
duplex full
no shut
interface ethernet1
nameif inside
ip address 192.168.8.2 255.255.255.0
speed 100
duplex full
no shut
route inside 192.168.7.0 255.255.255.0 192.168.8.1
route inside 192.168.3.0 255.255.255.0 192.168.8.1
aaa-server ACS1 protocol tacacs+
aaa-server ACS1 host 192.168.7.2
key cisco123
domain-name acme.com
crypto key generate rsa modulus 1024
telnet 192.168.3.2 255.255.255.255 inside
ssh 192.168.3.2 255.255.255.255 inside
aaa authentication enable console ACS1
aaa authentication serial console ACS1
aaa authentication ssh console ACS1
aaa authentication telnet console ACS1
aaa authorization command ACS1
Username: fred
Password: **********
Type help or '?' for a list of available commands.
pixfirewall> en
Command authorization failed
pixfirewall> ?
clear Reset functions
enable Turn on privileged commands
exit Exit from the EXEC
help Interactive help for commands
login Log in as a particular user
logout Exit from the EXEC
ping Send echo messages
quit Exit from the EXEC
show Show running system information
Fixed it. It was one of those ID10T type errors. The user I was testing against was in group1 on the ACS. Trouble is I was adding command authorizations to group0. Duh!
-
Process Chain/OS Command cp problem
Hello,
I am trying to execute a command similar to the following in an OS command in a process chain:
cp /path/filename*.txt /path/filenamexxx.txt
I know it's not a permissions problem.
This is the error message from the Process Chain Maintenance Log View:
cp: cannot access /path/filename*.txt: No such file or directory
External program terminated with exit code 1
Any help will be greatly appreciated.
Thanks,
Gary Martins
Hi Gary,
Is this file (cp /path/filename*.txt /path/filenamexxx.txt) available at that particular path?
Is the file on the application server or a workstation (PC)? If the file is available on one application server and your process chain is running against another application server, you may get this error. Please check.
Hope it Helps
Srini
-
Logging Problems on CSS11503 - please help
Hi,
One of our CSS11503 is not functioning properly. Our ITO system is receiving "server down" messages for services but the "server up" message is not coming through.
We have 2 load balancers with identical config; the only difference I can see in them is the following:
when I do a "show log-state", the load balancer that is not sending the server up messages has the log level set to "warning", whereas the one that works OK is set to "debug".
I have stated in the config log level 7 for our ITO management system, but this value in "sh log-state" is still the same???
Any ideas on how to change this to debug on the CSS that is not sending the server up messages?
thanks
The UP message is generated at level '5'.
So that's what you need to change indeed.
Usually the problem is that the logging level stays stuck in '7' not '4'.
Are you certain that the command is there ?
What software version ?
The procedure to recover when stuck in level '7' is below.
You can give it a try.
-Reboot and interrupt the boot going into offDM.
-shift T (technicians menu).
-choose "1" for configure.
-then "3" for set logging flags.
-"2" for set logging level (set to level 4).
-then "r" until you're back to the main menu.
-reboot.
Gilles.