Question about usage of aaa accounting commands

Unanswered Question
Mar 1st, 2007

Hi everyone,

I have the problem that Cisco routers and switches do not send some accounting command

information to ACS.

Accounting commands do not send to ACS are "show log" and "show version".

Accounting commands send to ACS are "show runn", "conf t" and "debug"

The configuration of routers and switches is the following

----------

aaa new-model

aaa authentication login default group tacacs+ line

aaa authorization commands 15 default group tacacs+ none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host xxx.xxx.xxx.xxx key yyyy

----------

I think the commands do not send to ACS are privilege level 1 command and the commands

send to ACS are privilege level 15 command.

So I need to additional aaa accounting command below to get routers and switches send level 1

command to ACS, because the "15" of "aaa accounting commands 15" does not include level 1

so need to configure "aaa accounting commands 1" for level 1 commands.

aaa accounting commands 1 default start-stop group tacacs+

Is my understanding correct ?

Your information would be greatly appreciated.

Best regards,

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
daviddtran Thu, 03/01/2007 - 03:51

Hi,

plese do this and the router will send

everything to the ACS server, except

whatever you are doing to the router in http:

aaa new-model

aaa authentication login notac none

aaa authentication login VTY group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec notac none

aaa authorization exec VTY group tacacs+ if-authenticated none

aaa authorization commands 0 VTY group tacacs+ if-authenticated none

aaa authorization commands 1 VTY group tacacs+ if-authenticated none

aaa authorization commands 15 VTY group tacacs+ if-authenticated none

aaa authorization network VTY group tacacs+ if-authenticated none

aaa accounting exec VTY start-stop group tacacs+

aaa accounting commands 0 VTY start-stop group tacacs+

aaa accounting commands 1 VTY start-stop group tacacs+

aaa accounting commands 15 VTY start-stop group tacacs+

aaa accounting network VTY start-stop group tacacs+

aaa accounting connection VTY start-stop group tacacs+

aaa session-id common

ip http authentication aaa login-authentication VTY

ip http authentication aaa exec-authorization VTY

tacacs-server host 192.168.15.10 key 7 1446405858517C

tacacs-server directed-request

line con 0

exec-timeout 0 0

authorization exec notac

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

logging synchronous

login authentication notac

line aux 0

session-timeout 35791

exec-timeout 35791 23

authorization exec notac

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

login authentication notac

transport input all

line vty 0

exec-timeout 0 0

authorization commands 0 VTY

authorization commands 1 VTY

authorization commands 15 VTY

authorization exec VTY

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

login authentication VTY

David

CCIE Security

Vivek Santuka Thu, 03/01/2007 - 05:57

Hi,

What you mentioned is correct.

Since you did not have level 1 command accounting enabled "show log" etc did not get sent to the ACS.

Adding level 1 accounting would solve the problem.

Regards,

Vivek

snakayama Thu, 03/01/2007 - 16:36

Hi all,

Thank you very much for your reply.

I understand it !

Best regards,

Actions

This Discussion