
Cisco ACS SE TACACS+ Accounting fails

edwardwaithaka
Level 1

Hello,

I am running Cisco ACS SE 4.1.23.5. My problem is that the ACS doesn't log accounting from remote switches. I have configured the following accounting commands:

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

When I enable aaa accounting debugging, I get the following logs on the switch:

001091: Sep 12 12:06:06.464 BST: AAA/ACCT: user johndoe, acct type 3 (2684940942): Method=tacacs+ (tacacs+)

001092: Sep 12 12:06:06.665 BST: TAC+: (2684940942): received acct response status = SUCCESS

001093: Sep 12 12:06:11.128 BST: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:

"show running-config <cr>"

001094: Sep 12 12:06:11.128 BST: AAA/ACCT/CMD: Found list "default"

001095: Sep 12 12:06:11.346 BST: AAA/ACCT: user johndoe, acct type 3 (1583033889): Method=tacacs+ (tacacs+)

001096: Sep 12 12:06:12.000 BST: TAC+: (1583033889): received acct response status = SUCCESS

001097: Sep 12 12:08:16.303 BST: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:

"configure terminal <cr>"

001098: Sep 12 12:08:16.303 BST: AAA/ACCT/CMD: Found list "default"

001099: Sep 12 12:08:16.303 BST: AAA/ACCT: user johndoe, acct type 3 (1098049616): Method=tacacs+ (tacacs+)

001100: Sep 12 12:08:16.504 BST: TAC+: (1098049616): received acct response status = SUCCESS

001101: Sep 12 12:08:29.884 BST: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:

It seems the switch is getting a response but the ACS doesn't log it. I have upgraded the ACS to the latest patch (4.1.23.5) which is supposed to resolve this known bug.

Is there something I am missing?

Thanks.

Edd


Jagdeep Gambhir
Level 10

Ed,

I would suggest you roll back the patch from the console and apply it again.

It could be that the patch was not applied properly.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/solution_engine/cliap.html#wp1206334

Regards,

~JG

Hi JD,

I have tried to roll back and re-patch the ACS but it still doesn't log accounting commands.

This is the only thing that is logged in TACACS Accounting:

Date Time User-Name Group-Name Caller-Id Acct-Flags elapsed_time service bytes_in bytes_out paks_in paks_out task_id addr NAS-Portname NAS-IP-Address cmd

12/09/2007 17:17:53 johndoe IT NET ADMINS 10.1.0.60 stop 612 shell .. .. .. .. 64 .. tty1 10.1.1.3 ..

12/09/2007 17:07:42 johndoe IT NET ADMINS 10.1.0.60 start .. shell .. .. .. .. 64 .. tty1 10.1.1.3 ..

??

And what do you get in Tacacs Administration logs?

Regards,

Prem

As Prem said, you will get command accounting logs in Tacacs Administration logs.

Regards,

~JG

Hi Prem,

All along I have been looking in the wrong section. From the time I applied the patch, accounting has been logged in the Tacacs+ Administration section. The link "Tacacs+ Accounting" is a bit misleading.

Thanks.

We are running Cisco Secure ACS Windows ver 4.1 and not seeing commands in the accounting. What version should we upgrade to, to fix this issue, if an upgrade will fix the issue?

Upgrade to version 4.1.4

OR

Apply the patch to fix the issue:

ACS SE:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

- applACS-4.1.1.23.5.zip

- applACS-4.1.1.23.5.txt

ACS for windows:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

- Acs-4.1.1.23.5-SW.zip

- Acs-4.1.1.23.5-Readme.txt

Regards,

Prem
