AAA TACACS+ Accounting - CLI issue by user not show up in ACS report.

tckoon
Level 1

May I know why the CLI commands used by a user are not shown on the ACS TACACS+ Accounting report? The duration of the session is shown, but I also want to log which commands the user issued.

What is missing here?

aaa authentication login VTY group P1_ACS local enable

aaa authorization exec default group P1_ACS local if-authenticated

aaa authorization exec CONSOLE none

aaa accounting exec default start-stop group P1_ACS

aaa accounting commands 5 default start-stop group P1_ACS

aaa accounting commands 15 default start-stop group P1_ACS

Accepted Solution

Command accounting logs are stored in the TACACS+ Administration logs.

Also there is a known issue on ver 4.1.1 and we need to apply patch ACS 4.1.1.23.5 to fix the issue.

Patch for appliance is available on

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

Patch name : ACS SE 4.1.1.23.5 accumulative patch

Patch for acs windows is available on

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

Patch Name : ACS 4.1.1.23.5 accumulative patch

CCIE Security


10 Replies

Richard Burts
Hall of Fame

Choh

I believe that you are seeing the duration of time based on this line of the configuration:

aaa accounting exec default start-stop group P1_ACS

Based on this line of the config I would expect that you would see the privilege level commands that someone issued:

aaa accounting commands 15 default start-stop group P1_ACS

If you want to see user level commands then I suggest that you add this to the configuration:

aaa accounting commands 1 default start-stop group P1_ACS

HTH

Rick


Hi Rick,

The problem I have here is that I log in as a privilege 15 user, then perform some tasks on the router. But when I log out, the ACS TACACS+ accounting report only shows the duration; the commands issued by the user are not shown under the "cmd" column.

Thanks

You mean like this:

[root@LinuxES root]# tail -f /var/log/tac_plus.log

Sat Mar 15 22:22:52 2008 192.168.1.3 cciesec tty66 192.168.15.99 start task_id=204 timezone=UTC service=shell start_time=1205630594
Sat Mar 15 22:22:53 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 priv-lvl=0 cmd=enable
Sat Mar 15 22:22:56 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=205 timezone=UTC service=shell start_time=1205630598 priv-lvl=15 cmd=configure terminal
Sat Mar 15 22:22:59 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=206 timezone=UTC service=shell start_time=1205630601 priv-lvl=15 cmd=interface Loopback 0
Sat Mar 15 22:23:00 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=207 timezone=UTC service=shell start_time=1205630602 priv-lvl=15 cmd=shutdown
Sat Mar 15 22:23:02 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=208 timezone=UTC service=shell start_time=1205630603 priv-lvl=15 cmd=no shutdown
Sat Mar 15 22:23:06 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=209 timezone=UTC service=shell start_time=1205630608 priv-lvl=0 cmd=exit
Sat Mar 15 22:23:06 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 disc-cause=1 disc-cause-ext=9 pre-session-time=3 elapsed_time=14

Your configuration is good. The reason you are not seeing commands issued by user(s) is because, I think, there is a bug in the Cisco ACS. I think there is a patch for this. Search the forum for my previous posts and you will see it.

Real network engineers, in general, hate Cisco ACS or anything running on Microsoft OS platform. The product is not very reliable. You should look at Cisco Freeware tacacs on Linux platforms.

CCIE Security
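To check a TACACS+ accounting log for the symptom in this thread (exec start/stop records giving a duration, but no cmd= records), here is an added Python example that is not code from the thread. It parses the tac_plus.log record layout shown in the reply above, using those lines plus one constructed session (user "auditor", an assumed name) as sample input.

```python
import re
from collections import defaultdict

# One tac_plus.log accounting record, as in the reply above:
#   <weekday mon day hh:mm:ss year> <nas> <user> <port> <remote> <start|stop> attr=value ...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) (?P<nas>\S+) (?P<user>\S+) "
    r"(?P<port>\S+) (?P<remote>\S+) (?P<type>start|stop|update) (?P<attrs>.*)$"
)
# Attribute values may contain spaces (cmd=configure terminal), so cut at the next key=.
ATTR_RE = re.compile(r"(\S+?)=(.*?)(?=\s+\S+?=|$)")

def parse_record(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not an accounting record (e.g. the shell prompt line)
    rec = m.groupdict()
    rec["attrs"] = dict(ATTR_RE.findall(rec.pop("attrs")))
    return rec

def audit_sessions(lines):
    # Group by (nas, user, port); count exec start/stop records vs. cmd= records.
    sessions = defaultdict(lambda: {"exec": 0, "cmd": 0, "commands": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        s = sessions[(rec["nas"], rec["user"], rec["port"])]
        cmd = rec["attrs"].get("cmd")
        if cmd is None:
            s["exec"] += 1  # exec accounting: yields only the session duration
        else:
            s["cmd"] += 1
            s["commands"].append((rec["attrs"].get("priv-lvl"), cmd))
    return dict(sessions)

def sessions_missing_commands(lines):
    # The thread's symptom: exec records present, zero command records for the session.
    return sorted(k for k, v in audit_sessions(lines).items() if v["exec"] and not v["cmd"])

# Sample input: records copied from the reply above, plus a constructed "auditor" session
# whose command accounting never reached the log (exec records only).
SAMPLE_LOG = [
    "Sat Mar 15 22:22:52 2008 192.168.1.3 cciesec tty66 192.168.15.99 start task_id=204 timezone=UTC service=shell start_time=1205630594",
    "Sat Mar 15 22:22:53 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 priv-lvl=0 cmd=enable",
    "Sat Mar 15 22:22:56 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=205 timezone=UTC service=shell start_time=1205630598 priv-lvl=15 cmd=configure terminal",
    "Sat Mar 15 22:23:06 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 disc-cause=1 disc-cause-ext=9 pre-session-time=3 elapsed_time=14",
    "Sat Mar 15 22:30:00 2008 192.168.1.3 auditor tty67 192.168.15.100 start task_id=300 timezone=UTC service=shell start_time=1205631000",
    "Sat Mar 15 22:31:00 2008 192.168.1.3 auditor tty67 192.168.15.100 stop task_id=300 timezone=UTC service=shell start_time=1205631000 elapsed_time=60",
]
```

Run `sessions_missing_commands(SAMPLE_LOG)` against a real log to list sessions whose commands were never recorded; the parser also accepts the double-space day padding tac_plus writes early in the month.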

Yes, that is what I mean.

Will the bugs on CCO.

ACS is ACS SE.

Thanks.


Hi,

Thanks for link provided.

Problem resolved.

Not sure why, when I log in to CCO and follow the software download link, I was directed to an old URL where no recent ACS SE update software is shown. Only the link provided gets the latest update.

Regards

ACS software is not listed on CCO. You need to open a TAC case to get one.

Regards,

~JG

Hi,

I am having this issue also and I have installed the relevant patch. I still do not see the commands entered in the log. Router debugs show that they are sent successfully and Wireshark on the server shows that they are received. Once the patch is unzipped into the directory and the services restarted, is there anything else you need to do?

Thanks

Make sure you are checking the TACACS+ Administration logs and not TACACS+ Accounting.

Command accounting is logged in TACACS+ Administration.

Regards,

~JG

Thanks JG.

Can't believe I was looking in the wrong place.

However, in my defence this only started working after curing an error on the server NIC, found when running Wireshark (Ethereal) on the server.

Although the switch debug accounting was showing command accounting logs successfully being sent to the server, there were none appearing in any log (I did check TACACS+ Administration too).

This was due to the server having "Checksum offload" enabled on the NIC. This needs to be disabled for the processing of these command accounting logs, otherwise they are ignored by the server.

Andy
