AAA Accounting Commands

Unanswered Question
May 29th, 2007

I have just started logging AAA accounting commands on my ACS. I am able to view all commands entered without any trouble. I would like to NOT see commands entered from one particular source. I have an IDS device that shuns to a router. The shunning frequency causes the ACS TACACS+ admin report to become full and unusable. Any ideas on how to exempt commands issued by the IDS?

I have considered setting up multiple vty line configurations. Set up a vty 0 0 and vty 1 4. Configure the vty 0 0 to use something other than the 'default' AAA group. This, of course, assumes that the IDS will always use vty 0 and everyone else will use vty 1 - 4.

Thanks, Rick

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Richard Burts Tue, 05/29/2007 - 09:43

Rick

Since assignment of vty is generally first come first served I believe that the assumption that IDS will always be vty 0 and others on non 0 vty is dangerous. There is a way to arrange this, if you can assume different access methods for IDS and for other users (IDS uses telnet and other users use SSH, or something like that). Then you could specify transport input on vty 0 and transport input on vty 1 4.

HTH

Rick

rmeans Wed, 05/30/2007 - 09:32

I think I will apply an access-class to vty 0 0 that permits only the IDS device. VTY 1 4 will allow other users. VTY 0 0 will also get a unique AAA group (not default). The IDS is typically logged into the router all of the time. So for the most part, any user access to the router will always go to vty 1.

darpotter Wed, 05/30/2007 - 00:32

Give extraxi aaa-reports! a try (free trial version available)

We offer loads of great canned reports for device admin.. and more importantly you can filter out stuff you dont want during import.

Once the CSVs are imported we also have a visual query builder for drilling down into your data - with the results exportable to word/excel/html etc.

Our csvsync utility can also harvest CSV logs from any number of ACS servers of any version and type (sw & appliance)

We are a Cisco Technology Partner and aaa-reports! is tested "Cisco Compatible"

Darran

Actions

This Discussion