Sending AAA accounting log records to multiple AAA servers

Jan 12th, 2009

IOS version c3640-a3jk9s-mz.123-18.bin

aaa group server tacacs+ cciesec
 server 192.168.3.10
!
aaa group server tacacs+ ccievoice
 server 192.168.3.11

aaa authentication login VTY group cciesec local
aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 0 cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 1 cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 15 cciesec start-stop broadcast group cciesec group ccievoice

tacacs-server host 192.168.3.10 key 123456
tacacs-server host 192.168.3.11 key 123456



C3640#sh tacacs

Tacacs+ Server : 192.168.3.10/49
Socket opens: 8
Socket closes: 8
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 21
Total Packets Recv: 21

Tacacs+ Server : 192.168.3.11/49
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0

C3640#


As you can see, I can receive AAA accounting logs on server 192.168.3.10 but I am not getting logs on 192.168.3.11. I can confirm this with tcpdump on host 192.168.3.11: I am not seeing any AAA traffic sent to host 192.168.3.11.


Anyone know why?

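As an added example (not code from the thread or from Cisco), a small Python checker for the situation above: it reads the server groups and the groups named after "broadcast" from a config fragment, reads each server's "Total Packets Sent" counter from "show tacacs" output, and lists every broadcast target the router has never sent an accounting packet to. The config and output embedded below are constructed samples condensed from the question.

```python
import re
# Constructed samples, condensed from the question's running-config and "show tacacs".
CONFIG = """\
aaa group server tacacs+ cciesec
 server 192.168.3.10
!
aaa group server tacacs+ ccievoice
 server 192.168.3.11
!
aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
"""
SHOW_TACACS = """\
Tacacs+ Server : 192.168.3.10/49
Total Packets Sent: 21
Tacacs+ Server : 192.168.3.11/49
Total Packets Sent: 0
"""

def parse_config(config):
    """Return (group name -> member server IPs, set of groups listed after 'broadcast')."""
    groups, targets, current = {}, set(), None
    for line in config.splitlines():
        m = re.match(r"aaa group server (?:tacacs\+|radius) (\S+)", line)
        if m:
            current = m.group(1)          # entering an 'aaa group server' block
            groups[current] = []
        elif line.startswith(" server") and current:
            groups[current].append(line.split()[1])   # 'server' / 'server-private' member
        elif line.startswith("aaa accounting") and " broadcast " in line:
            targets.update(re.findall(r"group (\S+)", line.split("broadcast", 1)[1]))
        else:
            current = None                # '!' or any other top-level line ends the block
    return groups, targets

def parse_show_tacacs(output):
    """Map each server IP in 'show tacacs' output to its 'Total Packets Sent' counter."""
    sent, current = {}, None
    for line in output.splitlines():
        if m := re.match(r"Tacacs\+ Server\s*:\s*([\d.]+)", line):
            current = m.group(1)
        elif m := re.match(r"Total Packets Sent:\s*(\d+)", line):
            sent[current] = int(m.group(1))
    return sent

def silent_broadcast_servers(config, output):
    """Broadcast-target servers that have received no accounting packets at all."""
    groups, targets = parse_config(config)
    sent = parse_show_tacacs(output)
    return [(g, ip) for g in sorted(targets) for ip in groups.get(g, [])
            if sent.get(ip, 0) == 0]
```

Run against the sample data it reports the ccievoice group's 192.168.3.11 as silent, which is what the tcpdump in the question shows.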
Richard Burts Mon, 01/12/2009 - 11:14
David


I have not tested this and do not have authoritative knowledge of it. But usually when you configure multiple parameters in a method list they are used as backups for each other. So the second group would typically be used only if attempts to use the first group failed. The behavior that you describe is consistent with this, so I assume that this may be the explanation.


HTH


Rick

cisco24x7 Mon, 01/12/2009 - 11:41

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/dt_aaaba.html


It stated the following:


"Before the introduction of the AAA Broadcast Accounting feature, Cisco IOS AAA could send accounting information to only one server at a time. This feature allows accounting information to be sent to one or more AAA servers at the same time. Service providers are thus able to simultaneously send accounting information to their own private AAA servers and to the AAA servers of their end customers. This feature also provides redundant billing information for voice applications."



Richard Burts Mon, 01/12/2009 - 12:15

David


This appears to be an interesting feature and one I was not familiar with.


If you change the order of groups in the accounting command and put ccievoice before cciesec do the accounting records start going to the .11 server?


HTH


Rick
