CS ACS - accounting and Xauth for VPN

mulugetash
Level 1

1. I configured accounting on the Cisco devices to the CS ACS, but the commands entered on the devices don't show up in the CS ACS accounting. How can I collect all the commands entered on the devices so that they are logged to the CS ACS?

2. I am configuring a PIX 525 IOS ver 6.3 for remote access VPN. I want an Xauth so that remote users (who are going to access some Solaris servers through telnet and ssh) will be authenticated through the CS ACS. On the CS ACS, which can I use, TACACS+ or RADIUS or both? And how?

6 Replies

Jagdeep Gambhir
Level 10

Hi,

1) Did you check the TACACS admin accounting logs? What is the ver of ACS?

2) You can use both, RADIUS or TACACS:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html#wp1066294

Hope that helps

Regards,

~JG

1. Yes, I checked, but what I get is the start and stop times, not the exact commands used. The ACS is ver 3.3.

2. I will try the TACACS+.

On which Cisco device have you set up command authorization? Did you use RADIUS or TACACS?

Command author will work only with TACACS.

Kindly rate helpful posts.

Regards,

~JG

Normally, what I was asking about is the accounting service, just accounting the commands used on the devices.

For example, I have a Cisco 3725 router, IOS ver 12.6.

I set up only authentication and almost all accounting (no authorization) commands on the router. The authentication works fine, the start-stop times work fine, but the commands used are not captured.

I use TACACS+.

Can you get me the accounting debugs?

debug aaa accounting

Also, are you sure the ACS ver is 3.3?

Some debug info:

Jul 25 10:18:23.239: AAA/ACCT(00000012): Accouting method=tacacs+ (tacplus)

Jul 25 10:18:23.243: AAA/ACCT/CMD(00000012): STOP protocol reply PASS

Jul 25 10:18:23.243: AAA/ACCT/CMD(00000012): Cleaning up from Callback osr 0

Jul 25 10:18:23.243: AAA/ACCT/CMD(00000012) Record not present

Jul 25 10:18:23.243: AAA/ACCT/CMD(00000012) reccnt 2, csr FALSE, osr 0

Jul 25 10:18:27.275: AAA/ACCT/243(00000012): Pick method list 'default'

Jul 25 10:18:27.275: AAA/ACCT/SETMLIST(00000012): Handle 0, mlist 637D82C8, Name default

Jul 25 10:18:27.275: Getting session id for CMD(00000012) : db=63A92BA4

Jul 25 10:18:27.275: AAA/ACCT/CMD(00000012): add, count 3

Jul 25 10:18:27.275: AAA/ACCT/EVENT/(00000012): COMMAND

Jul 25 10:18:27.275: AAA/ACCT/CMD(00000012): Queueing record is COMMAND osr 1

Jul 25 10:18:27.275: AAA/ACCT/CMD(00000012): free_rec, count 2

Jul 25 10:18:27.275: AAA/ACCT/CMD(00000012): Setting session id 284 : db=63A92BA4

Jul 25 10:18:27.279: AAA/ACCT(00000012): Accouting method=tacacs+ (tacplus)

Jul 25 10:18:27.283: AAA/ACCT/CMD(00000012): STOP protocol reply PASS

Jul 25 10:18:27.283: AAA/ACCT/CMD(00000012): Cleaning up from Callback osr 0

Jul 25 10:18:27.283: AAA/ACCT/CMD(00000012) Record not present

Jul 25 10:18:27.283: AAA/ACCT/CMD(00000012) reccnt 2, csr FALSE, osr 0exit

The ACS ver is 3.3.