Logging on switch

Sep 28th, 2007

I want to log all commands entered on a switch; however, I can't seem to find a command to do that. Is this possible? Or am I stuck with the generic "configured from console by USERID" messages as the most detail I can get?

andy-gerace Fri, 09/28/2007 - 07:16

I am using ACS, however I am not sure how I would set that up to log commands.

I have tried to add this:

aaa accounting commands 15 default start-stop group tacacs+

but that does not seem to work.


Any thoughts?

yjdabear Fri, 09/28/2007 - 07:22

By "that does not seem to work" you mean you can't "go to the Reports part of ACS. Pull up the TACACS+ Administration report. (TACACS+ Accounting tracks changes you made to ACS itself). ... Note that you can clearly see who issued each command, when they did it, and what the command was"?


Does your AAA config look similar to this?

aaa new-model
aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
ip tacacs source-interface Loopback0
!
tacacs-server host 10.20.1.20 key pleasetrustme
tacacs-server directed-request


andy-gerace Fri, 09/28/2007 - 07:43

By "does not seem to work" - yes, I go into the ACS under Reports. In TACACS+ Administration, there is nothing. In TACACS+ Accounting, there is info, but nothing relating to commands issued.

I have verified that there is a check in the system control for logging.


I have this for AAA config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host 1.2.3.4 key the_key
tacacs-server host 1.2.3.5 key the_key
tacacs-server directed-request
radius-server source-ports 1645-1646

I am obviously missing something... thanks for your input!




yjdabear Fri, 09/28/2007 - 09:44

The documentation makes me suspect "aaa authorization commands 1 default group tacacs+ if-authenticated none" is a prerequisite for "aaa accounting commands 15 default start-stop group tacacs+" to start logging commands issued. In other words, command authorization has to be set up (on both the router and ACS) before command accounting takes place, as far as Cisco Secure ACS is concerned. So you'd need to configure/authorize on the ACS what commands that particular user can execute.
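
A small config audit along the lines of the point made above (an added example, not part of the thread or of any Cisco tool): it reads an IOS-style running config, collects the privilege levels that have "aaa authorization commands" and "aaa accounting commands" statements, and reports each accounting level that has no authorization statement at the same level. The function name audit_aaa and the report fields are my own; the sample config is the one posted earlier in this thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumed IOS syntax: 'aaa authorization commands <level> <list> <methods...>'
# and 'aaa accounting commands <level> <list> <record-type> <methods...>'.
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) (\S+) (.+)$")

# Config quoted from the thread (the poster's switch, not a constructed one).
POSTED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 1.2.3.4 key the_key
tacacs-server directed-request
"""


@dataclass
class AaaReport:
    new_model: bool
    authz_levels: dict          # privilege level -> method list text
    acct_levels: dict           # privilege level -> method list text
    findings: list = field(default_factory=list)


def audit_aaa(config: str) -> AaaReport:
    """Collect command authorization/accounting levels and flag gaps."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    authz, acct = {}, {}
    for line in lines:
        m = AUTHZ_RE.match(line)
        if m:
            authz[int(m.group(1))] = m.group(3)
            continue
        m = ACCT_RE.match(line)
        if m:
            acct[int(m.group(1))] = m.group(4)
    report = AaaReport("aaa new-model" in lines, authz, acct)
    if not report.new_model:
        report.findings.append("aaa new-model absent: AAA statements are inactive")
    if not acct:
        report.findings.append("no 'aaa accounting commands' configured")
    for level, methods in sorted(acct.items()):
        if "tacacs+" not in methods:
            report.findings.append(f"accounting level {level} does not use group tacacs+")
        if level not in authz:
            report.findings.append(
                f"accounting for level {level} has no 'aaa authorization commands {level}'")
    return report
```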

andy-gerace Thu, 10/04/2007 - 07:09

Apparently, I needed a patch (applACS-4.1.1.23.5.zip) for my ACS server for this to work. Once I applied that, the TACACS+ Administration report populated.
