AAA TACACS+ Accounting - CLI commands issued by user not showing up in ACS report.

Answered Question

May I know why the CLI commands used by a user are not shown on the ACS TACACS+ Accounting report? The duration of time is shown, but I also want to log what commands are issued by the user.


What is missing here?


aaa authentication login VTY group P1_ACS local enable

aaa authorization exec default group P1_ACS local if-authenticated

aaa authorization exec CONSOLE none

aaa accounting exec default start-stop group P1_ACS

aaa accounting commands 5 default start-stop group P1_ACS

aaa accounting commands 15 default start-stop group P1_ACS

Correct Answer by cisco24x7 Sat, 03/15/2008 - 19:46

Command accounting logs are stored in tacacs administration logs.

Also there is a known issue on ver 4.1.1 and we need to apply patch ACS 4.1.1.23.5 to fix the issue.


Patch for appliance is available on


http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des


Patch name : ACS SE 4.1.1.23.5 accumulative patch


Patch for acs windows is available on

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des


Patch Name : ACS 4.1.1.23.5 accumulative patch


CCIE Security

Richard Burts Sat, 03/15/2008 - 07:20

Choh


I believe that you are seeing the duration of time based on this line of the configuration:

aaa accounting exec default start-stop group P1_ACS


Based on this line of the config I would expect that you would see the privilege level commands that someone issued:

aaa accounting commands 15 default start-stop group P1_ACS


If you want to see user level commands then I suggest that you add this to the configuration:

aaa accounting commands 1 default start-stop group P1_ACS


HTH


Rick

cisco24x7 Sat, 03/15/2008 - 18:29

You mean like this:


[[email protected] root]# tail -f /var/log/tac_plus.log

Sat Mar 15 22:22:52 2008 192.168.1.3 cciesec tty66 192.168.15.99 start task_id=204 timezone=UTC service=shell start_time=1205630594

Sat Mar 15 22:22:53 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 priv-lvl=0 cmd=enable

Sat Mar 15 22:22:56 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=205 timezone=UTC service=shell start_time=1205630598 priv-lvl=15 cmd=configure terminal

Sat Mar 15 22:22:59 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=206 timezone=UTC service=shell start_time=1205630601 priv-lvl=15 cmd=interface Loopback 0

Sat Mar 15 22:23:00 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=207 timezone=UTC service=shell start_time=1205630602 priv-lvl=15 cmd=shutdown

Sat Mar 15 22:23:02 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=208 timezone=UTC service=shell start_time=1205630603 priv-lvl=15 cmd=no shutdown

Sat Mar 15 22:23:06 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=209 timezone=UTC service=shell start_time=1205630608 priv-lvl=0 cmd=exit

Sat Mar 15 22:23:06 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 disc-cause=1 disc-cause-ext=9 pre-session-time=3 elapsed_time=14


Your configuration is good. The reason you are not seeing commands issued by user(s) is because, I think, there is a bug in the Cisco ACS. I think there is a patch for this. Search the forum for my previous and you will see it.


Real network engineers, in general, hate Cisco ACS or anything running on Microsoft OS platform. The product is not very reliable. You should look at Cisco Freeware tacacs on Linux platforms.


CCIE Security
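As an added example (not code from the thread or from any Cisco product), a small Python parser for the tac_plus.log record format quoted above: it lists the accounted commands with their privilege level and flags exec sessions that reported a duration but produced no command records, which is exactly the symptom in the original question. The sample lines are constructed from the format shown in the post.

```python
import re

# Constructed sample in the tac_plus accounting format quoted in the thread:
# date, NAS address, user, tty, remote address, start/stop, then key=value attributes.
SAMPLE_LOG = """\
Sat Mar 15 22:22:52 2008 192.168.1.3 cciesec tty66 192.168.15.99 start task_id=204 timezone=UTC service=shell start_time=1205630594
Sat Mar 15 22:22:53 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 priv-lvl=0 cmd=enable
Sat Mar 15 22:22:56 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=205 timezone=UTC service=shell start_time=1205630598 priv-lvl=15 cmd=configure terminal
Sat Mar 15 22:23:00 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=207 timezone=UTC service=shell start_time=1205630602 priv-lvl=15 cmd=shutdown
Sat Mar 15 22:23:06 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 disc-cause=1 disc-cause-ext=9 pre-session-time=3 elapsed_time=14
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<nas>\S+) (?P<user>\S+) "
    r"(?P<port>\S+) (?P<rem>\S+) (?P<flag>start|stop|update) (?P<attrs>.*)$"
)
# key=value pairs; a value runs until the next " key=", so "cmd=configure terminal" stays whole.
ATTR_RE = re.compile(r"([\w-]+)=(.*?)(?=\s[\w-]+=|$)")


def parse_line(line):
    """Header fields plus an 'attrs' dict for one record, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["attrs"] = dict(ATTR_RE.findall(rec.pop("attrs")))
    return rec


def command_audit(log_text):
    """(user, nas, priv_lvl, cmd) for each command record, i.e. a 'stop' line carrying cmd=."""
    rows = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["flag"] == "stop" and "cmd" in rec["attrs"]:
            rows.append((rec["user"], rec["nas"], int(rec["attrs"].get("priv-lvl", "0")), rec["attrs"]["cmd"]))
    return rows


def sessions_without_commands(log_text):
    """Exec sessions that reported elapsed_time= but no command records (the thread's symptom).
    Command records carry their own task_id, so the join key is (nas, user, port)."""
    with_cmds, closed = set(), []
    for rec in map(parse_line, log_text.splitlines()):
        if not rec or rec["flag"] != "stop":
            continue
        key = (rec["nas"], rec["user"], rec["port"])
        if "cmd" in rec["attrs"]:
            with_cmds.add(key)
        elif "elapsed_time" in rec["attrs"]:
            closed.append((key, int(rec["attrs"]["elapsed_time"])))
    return [(u, n, p, e) for (n, u, p), e in closed if (n, u, p) not in with_cmds]
```

Run it against a real tac_plus.log (or an ACS export in the same layout); a non-empty result from sessions_without_commands is the "duration but no commands" case and points at the accounting configuration or the server side rather than the user.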


Jagdeep Gambhir Sun, 03/16/2008 - 18:45

ACS software is not listed on CCO. You need to open a TAC to get one.



Regards,

~JG

Wantser1981_2 Mon, 04/07/2008 - 06:14

Hi,

I am having this issue also and I have installed the relevant patch. I still do not see the commands entered in the log. Router debugs show that they are sent successfully and wireshark on the server shows that they are received. Once the patch is unzipped into the directory and the services restarted, is there anything else you need to do?


Thanks

Jagdeep Gambhir Tue, 04/08/2008 - 05:35

Make sure you are checking tacacs administrator logs and not tacacs accounting.


Command accounting is logged in tacacs administrator.



Regards,

~JG


Wantser1981_2 Tue, 04/08/2008 - 06:31

Thanks JG.


Can't believe I was looking in the wrong place.

However, in my defence this only started working after curing an error on the server NIC, found when running wireshark (ethereal) on the server.

Although the switch debug accounting was showing command accounting logs successfully being sent to the server there were none appearing in any log (I did check TACACS+ Administration too).

This was due to the server having "Checksum offload" enabled on the NIC. This needs to be disabled for the processing of these command accounting logs, otherwise they are ignored by the server.


Andy

