No TACACS+ Administration Logging on ACS

Unanswered Question
Jan 30th, 2008

I can get a csv file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS] but that log file is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this data, but my ASA 5520 will only allow:

aaa accounting command <server group> or <privilege>.

How do I get this ASA and Windows ACS to collect TACACS+ administration?

Note: My TACACS+ accounting does collect data on users who ssh into the ASA.

pvanvuuren Wed, 01/30/2008 - 23:10

It's quite possible that you might be experiencing a known bug (CSCsg97429) in ACS version 4.1.

Get this Patch: It fixes the TACACS+ Administration log/report problem.

You are right in regard to the command. It is needed for your NAS to send accounting information to the ACS.

Here's an example of the commands:

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Hope it helps.
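As an added example (not part of the thread and not Cisco's own tooling), the following script checks a saved device configuration for the accounting statements discussed above and flags a device that sends only session accounting, which is the symptom described in the question. The IOS patterns follow the two commands quoted in the answer; the ASA patterns and the server group name TACACS-GRP are assumptions.

```python
import re

# IOS forms are the two lines quoted in the answer above. The ASA forms are an
# assumption based on the ASA syntax the question describes
# ("aaa accounting command [privilege <level>] <server group>").
IOS_CMD = re.compile(r"^aaa accounting commands (\d+) \S+ (?:start-stop|stop-only) group \S+")
IOS_EXEC = re.compile(r"^aaa accounting exec \S+ (?:start-stop|stop-only) group \S+")
ASA_CMD = re.compile(r"^aaa accounting command (?:privilege (\d+) )?(\S+)$")
ASA_SESSION = re.compile(r"^aaa accounting (?:ssh|telnet|serial|enable) console \S+$")


def audit_accounting(config_text):
    """Report which TACACS+ accounting a saved device config enables."""
    commands, session = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := IOS_CMD.match(line):
            commands.append(f"ios level {m.group(1)}")          # IOS: that level only
        elif m := ASA_CMD.match(line):
            commands.append(f"asa level >= {m.group(1) or 0}")  # ASA: minimum level
        elif IOS_EXEC.match(line) or ASA_SESSION.match(line):
            session = True
    findings = []
    if not commands:
        findings.append("no command accounting configured")
    if not session:
        findings.append("no exec/session accounting configured")
    return {"commands": commands, "session": session, "findings": findings}


# Constructed sample configs (server group name TACACS-GRP is made up).
ASA_SESSION_ONLY = """
aaa-server TACACS-GRP protocol tacacs+
aaa authentication ssh console TACACS-GRP LOCAL
aaa accounting ssh console TACACS-GRP
"""
ASA_WITH_COMMANDS = ASA_SESSION_ONLY + "aaa accounting command privilege 15 TACACS-GRP\n"
IOS_FROM_THREAD = """
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

if __name__ == "__main__":
    for name, cfg in [("asa-session-only", ASA_SESSION_ONLY),
                      ("asa-with-commands", ASA_WITH_COMMANDS),
                      ("ios", IOS_FROM_THREAD)]:
        print(name, audit_accounting(cfg))
```

A device that passes this check but still produces an empty administration log points at the ACS side rather than the device configuration.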

mlenco Thu, 01/31/2008 - 15:55

That worked on one ASA but I also installed a secondary Authentication utility. I have a second ASA with the new patch loaded but no utility. I will look at it Friday am and see if it has entries in the log. If not I will install the utility. We'll see.

pvanvuuren Wed, 02/06/2008 - 08:32

Did it work eventually?
