03-14-2008 08:54 PM - edited 03-10-2019 03:43 PM
May I know why the CLI command used by a user is not shown on the ACS TACACS Accounting report? The duration of time is shown, but I also want to log what commands are issued by the user.
What is missing here?
aaa authentication login VTY group P1_ACS local enable
aaa authorization exec default group P1_ACS local if-authenticated
aaa authorization exec CONSOLE none
aaa accounting exec default start-stop group P1_ACS
aaa accounting commands 5 default start-stop group P1_ACS
aaa accounting commands 15 default start-stop group P1_ACS
03-15-2008 07:20 AM
Choh
I believe that you are seeing the duration of time based on this line of the configuration:
aaa accounting exec default start-stop group P1_ACS
Based on this line of the config I would expect that you would see the privilege level commands that someone issued:
aaa accounting commands 15 default start-stop group P1_ACS
If you want to see user level commands then I suggest that you add this to the configuration:
aaa accounting commands 1 default start-stop group P1_ACS
HTH
Rick
03-15-2008 05:46 PM
Hi Rick,
The problem I have here is that I log in as a privilege 15 user, then perform some tasks on the router. But when I log out, the ACS TACACS accounting only shows the duration; the commands issued by the user are not shown under the "cmd" column.
Thanks
03-15-2008 06:29 PM
You mean like this:
[root@LinuxES root]# tail -f /var/log/tac_plus.log
Sat Mar 15 22:22:52 2008 192.168.1.3 cciesec tty66 192.168.15.99 start task_id=204 timezone=UTC service=shell start_time=1205630594
Sat Mar 15 22:22:53 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 priv-lvl=0 cmd=enable
Sat Mar 15 22:22:56 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=205 timezone=UTC service=shell start_time=1205630598 priv-lvl=15 cmd=configure terminal
Sat Mar 15 22:22:59 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=206 timezone=UTC service=shell start_time=1205630601 priv-lvl=15 cmd=interface Loopback 0
Sat Mar 15 22:23:00 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=207 timezone=UTC service=shell start_time=1205630602 priv-lvl=15 cmd=shutdown
Sat Mar 15 22:23:02 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=208 timezone=UTC service=shell start_time=1205630603 priv-lvl=15 cmd=no shutdown
Sat Mar 15 22:23:06 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=209 timezone=UTC service=shell start_time=1205630608 priv-lvl=0 cmd=exit
Sat Mar 15 22:23:06 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 disc-cause=1 disc-cause-ext=9 pre-session-time=3 elapsed_time=14
Your configuration is good. The reason you are not seeing commands issued by user(s) is because, I think, there is a bug in the Cisco ACS. I think there is a patch for this. Search the forum for my previous and you will see it.
Real network engineers, in general, hate Cisco ACS or anything running on Microsoft OS platform. The product is not very reliable. You should look at Cisco Freeware tacacs on Linux platforms.
CCIE Security
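The tac_plus records quoted above are the raw material an auditor wants: which user ran which command, at what privilege level, inside which exec session. The following parser is an added example (not code from the thread or from tac_plus) that turns such records into a per-session command trail; the sample records are constructed to match the thread's log lines, and the fixed field order (timestamp, NAS address, user, line, remote address, start/stop flag, then key=value attributes with cmd written last) is assumed from those lines.

```python
"""Parse tac_plus accounting records into a per-session command audit trail.

Added example; SAMPLE_LOG is constructed to match the records quoted in the
thread, not captured data.  Assumed record layout (taken from those lines):
  <timestamp> <nas> <user> <port> <rem_addr> start|stop key=value ...
with 'cmd' always the last attribute, so its value may contain spaces.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

_PREFIX = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<rem_addr>\S+) "
    r"(?P<flag>start|stop) (?P<attrs>.*)$"
)

SAMPLE_LOG = """\
Sat Mar 15 22:22:52 2008 192.168.1.3 cciesec tty66 192.168.15.99 start task_id=204 timezone=UTC service=shell start_time=1205630594
Sat Mar 15 22:22:53 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 priv-lvl=0 cmd=enable
Sat Mar 15 22:22:56 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=205 timezone=UTC service=shell start_time=1205630598 priv-lvl=15 cmd=configure terminal
Sat Mar 15 22:22:59 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=206 timezone=UTC service=shell start_time=1205630601 priv-lvl=15 cmd=interface Loopback 0
Sat Mar 15 22:23:00 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=207 timezone=UTC service=shell start_time=1205630602 priv-lvl=15 cmd=shutdown
Sat Mar 15 22:23:02 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=208 timezone=UTC service=shell start_time=1205630603 priv-lvl=15 cmd=no shutdown
Sat Mar 15 22:23:06 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=209 timezone=UTC service=shell start_time=1205630608 priv-lvl=0 cmd=exit
Sat Mar 15 22:23:06 2008 192.168.1.3 cciesec tty66 192.168.15.99 stop task_id=204 timezone=UTC service=shell start_time=1205630594 disc-cause=1 disc-cause-ext=9 pre-session-time=3 elapsed_time=14
""".splitlines()


def parse_record(line: str) -> Optional[dict]:
    """Return one accounting record as a dict, or None if the line does not parse.

    Every attribute is a space-free key=value token except 'cmd', which comes
    last and may contain spaces ('cmd=interface Loopback 0'), so the command is
    split off before the remaining tokens are parsed."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    head, sep, cmd = (" " + rec.pop("attrs")).partition(" cmd=")
    fields = {}
    for tok in head.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
    if sep:
        fields["cmd"] = cmd.strip()
    rec["attrs"] = fields
    return rec


def command_trail(lines) -> List[Tuple[str, str, str, int, str]]:
    """Chronological (timestamp, nas, user, priv-lvl, command) tuples taken from
    the stop records that carry a cmd attribute, i.e. the command accounting
    the original poster could not find in the ACS report."""
    trail = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec["flag"] == "stop" and "cmd" in rec["attrs"]:
            a = rec["attrs"]
            trail.append((rec["ts"], rec["nas"], rec["user"],
                          int(a.get("priv-lvl", "0")), a["cmd"]))
    return trail


def session_summary(lines) -> Dict[Tuple[str, str, str], dict]:
    """Group records by (nas, user, port) into exec sessions: start time,
    elapsed seconds and disconnect cause from the final stop record, plus every
    (priv-lvl, command) pair accounted inside the session."""
    sessions = defaultdict(lambda: {"start": None, "elapsed": None,
                                    "disc_cause": None, "commands": []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        s = sessions[(rec["nas"], rec["user"], rec["port"])]
        a = rec["attrs"]
        if rec["flag"] == "start":
            s["start"] = rec["ts"]
        elif "cmd" in a:
            s["commands"].append((int(a.get("priv-lvl", "0")), a["cmd"]))
        elif "elapsed_time" in a:          # session-level stop record
            s["elapsed"] = int(a["elapsed_time"])
            s["disc_cause"] = a.get("disc-cause")
    return dict(sessions)


def privileged_commands(lines, min_level: int = 15) -> List[Tuple[str, str, str]]:
    """(timestamp, user, command) for commands run at or above min_level,
    the subset an auditor reviews first."""
    return [(ts, user, cmd) for ts, _nas, user, lvl, cmd in command_trail(lines)
            if lvl >= min_level]


if __name__ == "__main__":
    for key, s in session_summary(SAMPLE_LOG).items():
        print(key, "started", s["start"], "elapsed", s["elapsed"], "s")
        for lvl, cmd in s["commands"]:
            print(f"  priv {lvl:>2}: {cmd}")
```

Run against a live file with `tail -f` piped in, or point the functions at the whole log; a line that does not match the assumed layout is skipped rather than raising, so a single malformed record does not abort an audit run.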
03-15-2008 07:28 PM
Yes, that is what I mean.
Will the bugs on CCO.
ACS is ACS SE.
Thanks.
03-15-2008 07:46 PM
Command accounting logs are stored in TACACS administration logs.
Also there is a known issue on ver 4.1.1 and we need to apply patch ACS 4.1.1.23.5 to fix the issue.
Patch for appliance is available on
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des
Patch name : ACS SE 4.1.1.23.5 accumulative patch
Patch for acs windows is available on
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Patch Name : ACS 4.1.1.23.5 accumulative patch
CCIE Security
03-16-2008 08:08 AM
Hi,
Thanks for the link provided.
Problem resolved.
Not sure why, when I log in to CCO and follow the software download link, I was directed to an old URL where no latest ACS SE update software is shown. Only the link provided gets the latest update.
Regards
03-16-2008 06:45 PM
ACS software is not listed on CCO. You need to open a TAC to get one.
Regards,
~JG
04-07-2008 06:14 AM
Hi,
I am having this issue also and I have installed the relevant patch. I still do not see the commands entered in the log. Router debugs show that they are sent successfully and Wireshark on the server shows that they are received. Once the patch is unzipped into the directory and the services restarted, is there anything else you need to do?
Thanks
04-08-2008 05:35 AM
Make sure you are checking tacacs administrator logs and not tacacs accounting.
Command accounting is logged in tacacs administrator.
Regards,
~JG
04-08-2008 06:31 AM
Thanks JG.
Can't believe I was looking in the wrong place.
However, in my defence, this only started working after curing an error on the server NIC, found when running Wireshark (Ethereal) on the server.
Although the switch debug accounting was showing command accounting logs successfully being sent to the server, there were none appearing in any log (I did check TACACS+ Administration too).
This was due to the server having "Checksum offload" enabled on the NIC. This needs to be disabled for the processing of these command accounting logs; otherwise they are ignored by the server.
Andy