Sending AAA accounting log records to multiple AAA servers

Unanswered Question
Jan 12th, 2009

IOS version c3640-a3jk9s-mz.123-18.bin

aaa group server tacacs+ cciesec
 server 192.168.3.10
!
aaa group server tacacs+ ccievoice
 server 192.168.3.11
aaa authentication login VTY group cciesec local
aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 0 cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 1 cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 15 cciesec start-stop broadcast group cciesec group ccievoice
tacacs-server host 192.168.3.10 key 123456
tacacs-server host 192.168.3.11 key 123456

C3640#sh tacacs
Tacacs+ Server : 192.168.3.10/49
Socket opens: 8
Socket closes: 8
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 21
Total Packets Recv: 21

Tacacs+ Server : 192.168.3.11/49
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
C3640#

As you can see, I can receive AAA accounting logs on server 192.168.3.10 but I am not getting logs on 192.168.3.11. I can confirm this with tcpdump on host 192.168.3.11, and I am not seeing any AAA traffic sent to host 192.168.3.11.

Anyone know why?

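A check built from the output in this post (an added example, not the poster's configuration or Cisco's code): it parses the `aaa group server tacacs+` blocks, the `aaa accounting ... broadcast` lines and the `show tacacs` counters, and lists every server that broadcast accounting should be reaching but that has never been sent a packet. The inline CONFIG and SHOW_TACACS strings are constructed, trimmed copies of the text in the post.

```python
import re

# Constructed sample input: the two server groups, one broadcast accounting
# line and the relevant "show tacacs" counters from the post, trimmed.
CONFIG = """\
aaa group server tacacs+ cciesec
 server 192.168.3.10
!
aaa group server tacacs+ ccievoice
 server 192.168.3.11
aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
"""
SHOW_TACACS = """\
Tacacs+ Server : 192.168.3.10/49
Total Packets Sent: 21
Tacacs+ Server : 192.168.3.11/49
Total Packets Sent: 0
"""

def parse_groups(config):
    """Map each 'aaa group server tacacs+' name to the servers listed under it."""
    groups, current = {}, None
    for line in config.splitlines():
        head = re.match(r"aaa group server tacacs\+ (\S+)", line)
        member = re.match(r"\s+server (\S+)", line)
        if head:
            current = head.group(1)
            groups[current] = []
        elif member and current:
            groups[current].append(member.group(1))
        else:
            current = None  # any other top-level line ends the group block
    return groups

def broadcast_groups(config):
    """Group names referenced by 'aaa accounting ... broadcast' lines, in order."""
    names = []
    for line in config.splitlines():
        if line.startswith("aaa accounting") and " broadcast " in line:
            names += [g for g in re.findall(r"group (\S+)", line) if g not in names]
    return names

def parse_sent_counters(show_output):
    """Map each server in 'show tacacs' output to its 'Total Packets Sent' value."""
    sent, server = {}, None
    for line in show_output.splitlines():
        if m := re.match(r"Tacacs\+ Server\s*:\s*([\d.]+)/\d+", line):
            server = m.group(1)
        elif (m := re.match(r"Total Packets Sent:\s*(\d+)", line)) and server:
            sent[server] = int(m.group(1))
    return sent

def silent_broadcast_servers(config, show_output):
    """(group, server) pairs that broadcast accounting names but never sent to."""
    groups, sent = parse_groups(config), parse_sent_counters(show_output)
    return [(g, s) for g in broadcast_groups(config)
            for s in groups.get(g, []) if sent.get(s, 0) == 0]
```

On the post's data this reports only ("ccievoice", "192.168.3.11"), matching the poster's tcpdump observation; run against periodic `show tacacs` captures it flags an accounting server that is silently receiving nothing.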
Richard Burts Mon, 01/12/2009 - 11:14

David

I have not tested this and do not have authoritative knowledge of it. But usually when you configure multiple parameters in a method list they are used as backups for each other. So the second group would typically be used only if attempts to use the first group failed. The behavior that you describe is consistent with this, so I assume that this may be the explanation.

HTH

Rick

cisco24x7 Mon, 01/12/2009 - 11:41

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/dt_aaaba.html

It stated the following:

"Before the introduction of the AAA Broadcast Accounting feature, Cisco IOS AAA could send accounting information to only one server at a time. This feature allows accounting information to be sent to one or more AAA servers at the same time. Service providers are thus able to simultaneously send accounting information to their own private AAA servers and to the AAA servers of their end customers. This feature also provides redundant billing information for voice applications."

Richard Burts Mon, 01/12/2009 - 12:15

David

This appears to be an interesting feature and one I was not familiar with.

If you change the order of groups in the accounting command and put ccievoice before cciesec do the accounting records start going to the .11 server?

HTH

Rick
