Cisco ACS SE TACACS+ Accounting fails

Answered Question
Sep 12th, 2007

Hello,


I am running Cisco ACS SE 4.1.23.5. My problem is that the ACS doesn't log accounting from remote switches. I have configured the following accounting commands:

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+


When I enable aaa accounting debugging, I get the following logs on the switch:


001091: Sep 12 12:06:06.464 BST: AAA/ACCT: user johndoe, acct type 3 (2684940942): Method=tacacs+ (tacacs+)

001092: Sep 12 12:06:06.665 BST: TAC+: (2684940942): received acct response status = SUCCESS

001093: Sep 12 12:06:11.128 BST: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:

"show running-config <cr>"

001094: Sep 12 12:06:11.128 BST: AAA/ACCT/CMD: Found list "default"

001095: Sep 12 12:06:11.346 BST: AAA/ACCT: user johndoe, acct type 3 (1583033889): Method=tacacs+ (tacacs+)

001096: Sep 12 12:06:12.000 BST: TAC+: (1583033889): received acct response status = SUCCESS

001097: Sep 12 12:08:16.303 BST: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:

"configure terminal <cr>"

001098: Sep 12 12:08:16.303 BST: AAA/ACCT/CMD: Found list "default"

001099: Sep 12 12:08:16.303 BST: AAA/ACCT: user johndoe, acct type 3 (1098049616): Method=tacacs+ (tacacs+)

001100: Sep 12 12:08:16.504 BST: TAC+: (1098049616): received acct response status = SUCCESS

001101: Sep 12 12:08:29.884 BST: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:


It seems the switch is getting a response but the ACS doesn't log it. I have upgraded the ACS to the latest patch (4.1.23.5) which is supposed to resolve this known bug.


Is there something I am missing?


Thanks.

Edd

edwardwaithaka Wed, 09/12/2007 - 06:22

Hi JD,


I have tried to rollback and re-patch the ACS but it still doesn't log accounting commands.


This is the only thing that is logged in TACACS Accounting:


Date Time User-Name Group-Name Caller-Id Acct-Flags elapsed_time service bytes_in bytes_out paks_in paks_out task_id addr NAS-Portname NAS-IP-Address cmd

12/09/2007 17:17:53 johndoe IT NET ADMINS 10.1.0.60 stop 612 shell .. .. .. .. 64 .. tty1 10.1.1.3 ..

12/09/2007 17:07:42 johndoe IT NET ADMINS 10.1.0.60 start .. shell .. .. .. .. 64 .. tty1 10.1.1.3 ..


??

Correct Answer
Premdeep Banga Wed, 09/12/2007 - 06:25

And what do you get in the Tacacs Administration logs?


Regards,

Prem

Jagdeep Gambhir Wed, 09/12/2007 - 06:29

As Prem said, you will get command accounting logs in the Tacacs Administration logs.



Regards,

~JG

edwardwaithaka Wed, 09/12/2007 - 07:59

Hi Prem,


All along I have been looking in the wrong section. From the time I applied the patch, accounting has been logged in the Tacacs+ Administration section. The link "Tacacs+ Accounting" is a bit misleading.


Thanks.
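
A way to check the switch side from a saved debug capture, as an added example that is not part of the original thread: the Python below pairs each command in the debug output with the server's reply to its accounting record, using the excerpt from the question as input. The function names `correlate` and `unconfirmed` are illustrative, and the line patterns are assumed from the excerpt alone.

```python
import re

# Debug excerpt copied from the question in this thread (blank lines dropped).
SAMPLE = """\
001091: Sep 12 12:06:06.464 BST: AAA/ACCT: user johndoe, acct type 3 (2684940942): Method=tacacs+ (tacacs+)
001092: Sep 12 12:06:06.665 BST: TAC+: (2684940942): received acct response status = SUCCESS
001093: Sep 12 12:06:11.128 BST: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:
"show running-config <cr>"
001094: Sep 12 12:06:11.128 BST: AAA/ACCT/CMD: Found list "default"
001095: Sep 12 12:06:11.346 BST: AAA/ACCT: user johndoe, acct type 3 (1583033889): Method=tacacs+ (tacacs+)
001096: Sep 12 12:06:12.000 BST: TAC+: (1583033889): received acct response status = SUCCESS
001097: Sep 12 12:08:16.303 BST: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:
"configure terminal <cr>"
001098: Sep 12 12:08:16.303 BST: AAA/ACCT/CMD: Found list "default"
001099: Sep 12 12:08:16.303 BST: AAA/ACCT: user johndoe, acct type 3 (1098049616): Method=tacacs+ (tacacs+)
001100: Sep 12 12:08:16.504 BST: TAC+: (1098049616): received acct response status = SUCCESS
001101: Sep 12 12:08:29.884 BST: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:
"""

CMD = re.compile(r'AAA/ACCT/CMD: User ([^,\s]+), Port (\S+), Priv (\d+):\s*(?:"(.*)")?')
ACCT = re.compile(r'AAA/ACCT: user ([^,\s]+), acct type (\d+) \((\d+)\)')
RESP = re.compile(r'TAC\+: \((\d+)\): received acct response status = (\w+)')

def correlate(text):
    """Return (records, pending): one record per accounting request sent."""
    records, by_id, pending = [], {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if m := CMD.search(line):
            pending = {"user": m[1], "port": m[2], "priv": int(m[3]), "cmd": m[4]}
        elif line.startswith('"') and pending and pending["cmd"] is None:
            pending["cmd"] = line.strip('"')      # command text wrapped onto its own line
        elif m := ACCT.search(line):
            rec = {"id": m[3], "user": m[1], "status": None,
                   "cmd": pending["cmd"] if pending else None}
            by_id[rec["id"]] = rec
            records.append(rec)
            pending = None                        # header consumed by this request
        elif (m := RESP.search(line)) and m[1] in by_id:
            by_id[m[1]]["status"] = m[2]
    return records, pending

def unconfirmed(records):
    """Records the server did not acknowledge with SUCCESS (no reply counts)."""
    return [r for r in records if r["status"] != "SUCCESS"]

if __name__ == "__main__":
    records, pending = correlate(SAMPLE)
    for r in records:
        print(r["id"], r["status"], r["cmd"])
```

Every record in the excerpt comes back SUCCESS, so the switch is delivering accounting and the server is accepting it, which matches the finding above that the entries were in the Tacacs+ Administration section.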

p-allen Mon, 09/24/2007 - 08:19

We are running Cisco Secure ACS Windows ver 4.1 and not seeing commands in the accounting. What version should we upgrade to in order to fix this issue, if an upgrade will fix the issue?
