No TACACS+ Administration Logging on ACS

Unanswered Question
Jan 30th, 2008

I can get a CSV file created for a TACACS+ Administration log/report [configured in Interface Logging of the ACS] but that log file is empty. Help states that aaa accounting commands start-stop TACACS+ must appear in the access server or router configuration file in order to capture this data, but my ASA 5520 will only allow:

aaa accounting command <server group> or <privilege>.

How do I get this ASA and Windows ACS to collect TACACS+ administration?

Note: My TACACS+ accounting does collect data on users ssh into the ASA.

pvanvuuren Wed, 01/30/2008 - 23:10

It's quite possible that you might be experiencing a known bug (CSCsg97429) in ACS version 4.1.

Get this Patch: Acs-4.1.1.23.5-SW.zip. It fixes the TACACS+ Administration log/report problem.

You are right in regard to the command. It is needed for your NAS to send accounting information to the ACS.

Here's an example of the commands:

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Hope it helps.

mlenco Thu, 01/31/2008 - 15:55

That worked on one ASA but I also installed a secondary Authentication utility. I have a second ASA with the new patch loaded but no utility. I will look at it Friday am and see if it has entries in the log. If not I will install the utility. We'll see.
