Logging on switch

andy-gerace
Level 1

I want to log all commands entered on a switch, however I can't seem to find a command to do that. Is this possible? Or am I stuck with the generic "configured from console by USERID" messages as the most detail I can get?

6 Replies

yjdabear
VIP Alumni

Look into AAA solutions such as Cisco Secure ACS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html

I am using ACS, however I am not sure how I would set that up to log commands.

I have tried to add this:

aaa accounting commands 15 default start-stop group tacacs+

but that does not seem to work.

Any thoughts?

By "that does not seem to work" you mean you can't "go to the Reports part of ACS. Pull up the TACACS+ Administration report. (TACACS+ Accounting tracks changes you made to ACS itself). ... Note that you can clearly see who issued each command, when they did it, and what the command was"?

Does your AAA config look similar to this?

aaa new-model
aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
ip tacacs source-interface Loopback0
!
tacacs-server host 10.20.1.20 key pleasetrustme
tacacs-server directed-request

By "does not seem to work" - yes, I go into the ACS under Reports - in TACACS+ Administration, there is nothing. In TACACS+ Accounting, there is info, but nothing relating to commands issued.

I have verified that there is a check in the system control for logging.

I have this for AAA config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 1.2.3.4 key the_key
tacacs-server host 1.2.3.5 key the_key
tacacs-server directed-request
radius-server source-ports 1645-1646

I am obviously missing something... thanks for your input!

The documentation makes me suspect "aaa authorization commands 1 default group tacacs+ if-authenticated none" is a pre-requisite for "aaa accounting commands 15 default start-stop group tacacs+" to start logging commands issued. In other words, commands Authorization has to be set up (on both the router and ACS) before commands Accounting takes place, as far as Cisco Secure ACS is concerned. So you'd need to configure/authorize on the ACS what commands that particular user can execute.
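As an added example (not code from the thread or from Cisco), here is a small Python check that reads an IOS running-config and reports, per privilege level, whether "aaa authorization commands" and "aaa accounting commands" are both present, flagging levels that have accounting but no matching authorization as the thread suggests. It assumes the prerequisite is applied per privilege level, and the sample config embedded below is constructed from the second config posted above.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the second AAA config posted in this thread
# (level-15 command accounting, but no "aaa authorization commands" line).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 1.2.3.4 key the_key
tacacs-server host 1.2.3.5 key the_key
tacacs-server directed-request
"""

AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) (start-stop|stop-only|none)(?: (.+))?$")
HOST_RE = re.compile(r"^tacacs-server host (\S+)")


def check_command_accounting(config: str) -> Dict[str, object]:
    """Summarise command authorization/accounting coverage and list problems."""
    authz: Set[str] = set()   # privilege levels with command authorization
    acct: Set[str] = set()    # privilege levels with command accounting
    hosts: List[str] = []
    new_model = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            new_model = True
        elif m := AUTHZ_RE.match(line):
            authz.add(m.group(1))
        elif m := ACCT_RE.match(line):
            if m.group(3) != "none":      # "none" disables accounting for that level
                acct.add(m.group(1))
        elif m := HOST_RE.match(line):
            hosts.append(m.group(1))
    problems: List[str] = []
    if not new_model:
        problems.append("missing 'aaa new-model'; AAA commands have no effect without it")
    if not hosts:
        problems.append("no 'tacacs-server host'; accounting records have nowhere to go")
    if not acct:
        problems.append("no 'aaa accounting commands <level>' line; commands are not accounted")
    for level in sorted(acct, key=int):
        if level not in authz:   # the prerequisite suggested in the thread
            problems.append(f"level {level} accounting without 'aaa authorization commands {level}'")
    return {"authorization_levels": authz, "accounting_levels": acct,
            "tacacs_hosts": hosts, "problems": problems}
```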

Apparently, I needed a patch (applACS-4.1.1.23.5.zip) for my ACS server for this to work. Once I applied that, the TACACS+ Administration report populated.
