Logging on switch

Unanswered Question
Sep 28th, 2007

I want to log all commands entered on a switch, however I can't seem to find a command to do that. Is this possible? Or am I stuck with the generic "configured from console by USERID" messages as the most detail I can get?

andy-gerace Fri, 09/28/2007 - 07:16

I am using ACS, however I am not sure how I would set that up to log commands.

I have tried to add this:

aaa accounting commands 15 default start-stop group tacacs+

but that does not seem to work.

Any thoughts?

yjdabear Fri, 09/28/2007 - 07:22

By "that does not seem to work" you mean you can't "go to the Reports part of ACS. Pull up the TACACS+ Administration report. (TACACS+ Accounting tracks changes you made to ACS itself). ... Note that you can clearly see who issued each command, when they did it, and what the command was"?

Does your AAA config look similar to this?

aaa new-model
aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
ip tacacs source-interface Loopback0
!
tacacs-server host 10.20.1.20 key pleasetrustme
tacacs-server directed-request

andy-gerace Fri, 09/28/2007 - 07:43

By "does not seem to work" - yes, I go into the ACS under Reports. In TACACS+ Administration, there is nothing. In TACACS+ Accounting, there is info, but nothing relating to commands issued.

I have verified that there is a check in the system control for logging.

I have this for AAA config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 1.2.3.4 key the_key
tacacs-server host 1.2.3.5 key the_key
tacacs-server directed-request
radius-server source-ports 1645-1646

I am obviously missing something... thanks for your input!

yjdabear Fri, 09/28/2007 - 09:44

The documentation makes me suspect "aaa authorization commands 1 default group tacacs+ if-authenticated none" is a prerequisite for "aaa accounting commands 15 default start-stop group tacacs+" to start logging commands issued. In other words, commands Authorization has to be set up (on both the router and ACS) before commands Accounting takes place, as far as Cisco Secure ACS is concerned. So you'd need to configure/authorize on the ACS what commands that particular user can execute.
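As an added illustration of the prerequisite suggested in the reply above (an example script written for this page, not code from the thread or from Cisco): a small audit over a constructed IOS AAA snippet that reports privilege levels with command accounting but no matching command authorization, and authorization lists whose last method is none. The sample config and the finding names are assumptions.

```python
import re

# Constructed sample (not verbatim from the thread): the original poster's AAA lines
# plus a level-1 command authorization line modelled on the reply's config.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 1.2.3.4 key the_key
"""

# aaa authorization commands <level> <list-name> <method> [<method> ...]
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
# aaa accounting commands <level> <list-name> <record-mode> <method> [<method> ...]
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) (\S+) (.+)$")


def parse_aaa(config):
    """Return (authz, acct) keyed by privilege level: authz[level] is the method
    list, acct[level] is (record mode, method list)."""
    authz, acct = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTHZ_RE.match(line)
        if m:
            authz[int(m.group(1))] = m.group(3).split()
            continue
        m = ACCT_RE.match(line)
        if m:
            acct[int(m.group(1))] = (m.group(3), m.group(4).split())
    return authz, acct


def audit_command_accounting(config):
    """Flag levels that have command accounting but no command authorization (the
    mismatch the reply above points to), and authorization lists whose last method
    is 'none', which authorizes every command when no TACACS+ server answers."""
    authz, acct = parse_aaa(config)
    findings = []
    for level in sorted(acct):
        if level not in authz:
            findings.append(("accounting-without-authorization", level))
    for level, methods in sorted(authz.items()):
        if methods and methods[-1] == "none":
            findings.append(("authorization-falls-back-to-none", level))
    return findings
```

Run it against a `show running-config | include aaa` capture to see which privilege levels are accounted for without being authorized.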

andy-gerace Thu, 10/04/2007 - 07:09

Apparently, I needed a patch (applACS-4.1.1.23.5.zip) for my ACS server for this to work. Once I applied that, the TACACS+ Administration report populated.
