Is there a problem with accounting and ACS 4.1?


Good day all,

I just finished installing a brand new server with ACS 4.1.

When this new ACS 4.1 installation is approved, I will retire my old server that has ACS 3.1.

At this point the only problem that I have with ACS 4.1 is with accounting.

For example:

I used a test-router with all the necessary config pointing to my old ACS 3.1. Everything is working fine (authentication and accounting). If I enter a command on the test-router it is logged on the ACS 3.1.

Now, if I modify the test-router to point to the new ACS 4.1, the ACS 4.1 will authenticate the test-router properly, but will not log any command I enter in the test-router. I did a capture between the test-router and ACS 4.1 and the test-router is sending accounting statements to ACS 4.1.

There is a lot of different config from ACS 3.1 to 4.1, but as far as I can see the config on both ACS is as similar as possible.

Is there anybody out there that was able to have ACS 4.1 process accounting properly?

Any idea will help.

Thanks

Frank

Here is my config:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login NO-AUTH none

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 start-stop group tacacs+

aaa authorization commands 15 start-stop group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs

!

tacacs-server host 192.168.100.16 key *******

(the above command is the only command that I change for pointing to ACS 3.1 or ACS 4.1)

tacacs-server directed-request

Correct Answer by amrkrish about 9 years 7 months ago

Please use the following link. There is a 4.1 accumulative patch which contains the bug fix.

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

Don't forget to download the readme text file also.

Rate me if this helps.

darpotter Wed, 02/07/2007 - 00:02

Do you know if the accounting is definitely arriving at the 4.1 server?

If you don't have a sniffer and you have the SW ACS you can do this:

>net stop cstacacs

>cstacacs -z -e

You'll see all the T+ packets dumped to the command prompt window. If stuff is arriving you know it has to be an ACS issue - most likely config.

Darran
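
For readers who do have a capture, as the original poster did, the check discussed above can be done from the TACACS+ headers alone. This is an added example, not part of any post in this thread: it decodes the 12-byte header defined in RFC 8907 and reports, per accounting session, whether a router request and a server reply were seen. The sample packets are constructed, and it assumes each payload holds exactly one TACACS+ packet already extracted from the TCP stream.

```python
import struct
from collections import defaultdict

# TACACS+ header (RFC 8907): version, type, seq_no, flags, session_id, length.
HEADER = struct.Struct("!BBBBII")
TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}

def parse_header(payload: bytes) -> dict:
    """Decode the fixed TACACS+ header at the start of a TCP payload."""
    if len(payload) < HEADER.size:
        raise ValueError("short packet: need 12 header bytes")
    version, ptype, seq, flags, session, length = HEADER.unpack_from(payload)
    if version >> 4 != 0xC:
        raise ValueError("not TACACS+ (major version nibble is not 0xc)")
    if ptype not in TYPES:
        raise ValueError(f"unknown packet type {ptype}")
    return {"type": TYPES[ptype], "seq": seq, "session": session,
            "body_len": length,
            # Odd sequence numbers come from the client (router), even from the server.
            "from_client": seq % 2 == 1}

def accounting_summary(payloads):
    """Per accounting session: was a request sent, and did the server reply?"""
    sessions = defaultdict(lambda: {"request": False, "reply": False})
    for p in payloads:
        try:
            h = parse_header(p)
        except ValueError:
            continue  # skip truncated or non-TACACS+ payloads
        if h["type"] == "accounting":
            sessions[h["session"]]["request" if h["from_client"] else "reply"] = True
    return dict(sessions)

def _pkt(ptype, seq, session, body=b"\x00" * 5):
    # Constructed sample packet; the body is filler, not a real obfuscated body.
    return HEADER.pack(0xC0, ptype, seq, 0, session, len(body)) + body

SAMPLE = [  # constructed capture, not taken from the poster's network
    _pkt(1, 1, 0x1111), _pkt(1, 2, 0x1111),  # authentication exchange
    _pkt(3, 1, 0x2222), _pkt(3, 2, 0x2222),  # accounting request with a reply
    _pkt(3, 1, 0x3333),                      # accounting request, no reply seen
    b"\x16\x03\x01",                         # unrelated bytes, ignored
]

if __name__ == "__main__":
    for sid, state in accounting_summary(SAMPLE).items():
        print(f"session {sid:#010x}: {state}")
```

The header shows only that a reply was sent. The reply's status field sits in the body, which is obfuscated with the shared key unless the unencrypted flag is set.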

amrkrish Wed, 02/07/2007 - 03:19

ACS 4.1.1.23 build has a bug on TACACS command accounting. The patch for this has been released and is available on CCO.
