TACACS Accounting

Answered Question
Jan 15th, 2009

I have implemented a Cisco Secure ACS with the TACACS protocol. We have network connectivity issues, and whenever that happens TACACS falls back to the local database. Is there any way to enable capturing of the commands executed when ACS goes offline? Maybe when ACS comes back those commands (accounting) can be sent to it by the device itself.


My requirement may seem weird. But I strongly believe everything is possible with Cisco :)

Richard Burts Thu, 01/15/2009 - 09:09

Aneesh


It is true that we can do very many things with Cisco. But I am not aware of any way to have accounting records sent to ACS after connectivity is restored for commands issued while there was a loss of connectivity.


HTH


Rick

Correct Answer
jhillend Thu, 01/15/2009 - 11:59

What you are asking for is to have the IOS T+ client cache the commands and then forward them to the ACS once the T+ client can once again communicate with ACS. Yes? Per IOS T+ controls, no, this is not available. The T+ connection will fail and fall back to either another T+ server or stop sending accounting records.


The only solution here is to have two ACS servers online and have the T+ fall back to the secondary ACS in the event of loss of connection to the primary. Then, have both ACSes forward the accounting records to a third server, either ACS or syslog. This assumes, of course, that the T+ client doesn't lose connectivity to both ACSes.
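The fallback arrangement described in this answer, as an added IOS configuration example that is not part of the original thread: two ACS servers in one TACACS+ server group, local-database fallback for login and authorization, and exec/command accounting sent to the group. The addresses, group name, user name and shared secret are placeholders; the syntax is the classic IOS 12.x form in use when this thread was written.

```cisco
! Added example (not from the thread): two ACS servers in one TACACS+ group,
! local fallback for login/authorization, command accounting sent to the group.
! Addresses, group name, user name and shared secret are placeholders.
aaa new-model
!
! Short per-server timeout so the client fails over to the secondary quickly
tacacs-server timeout 3
tacacs-server host 192.0.2.11 key PLACEHOLDER-SECRET
tacacs-server host 192.0.2.12 key PLACEHOLDER-SECRET
!
! Server group: IOS tries the servers in the order listed
aaa group server tacacs+ ACS-GROUP
 server 192.0.2.11
 server 192.0.2.12
!
! Authentication and authorization fall back to the local database only when
! both ACS servers are unreachable
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
!
! Accounting has no local method: records generated while both servers are
! unreachable are dropped, not queued (the limitation described above)
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default stop-only group ACS-GROUP
!
! Local account used only while ACS is unreachable
username admin privilege 15 secret PLACEHOLDER-PASSWORD
```

Verify failover behaviour with `show tacacs` (per-server request and failure counters) and `debug aaa accounting` during a controlled outage of the primary; the counters make it easy to confirm that records reach the secondary and that nothing is retried once both servers are down.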

aneesh.ts Thu, 01/15/2009 - 17:35

Thanks Rick & Jeff for your valuable suggestions. I would explore the option of having a secondary ACS server.

cisco24x7 Thu, 01/15/2009 - 19:14

If AAA accounting is what you're concerned with, why even bother purchasing a secondary ACS server? You can use a freeware tacacs+ server running on either Linux or Solaris. I use it in my enterprise environment and it is a very stable application.

In the era of IT budget cuts, this is a very attractive solution.

my 2c.

darpotter Tue, 01/20/2009 - 03:41

Hi Andrea


I would not recommend ODBC logging as execution threads inside ACS become blocked while the data is logged into the remote database.


If your ACS server is under load this can cause incoming requests to be dropped.


Have you considered logging locally (just to CSV) and then using a tool such as our csvsync? csvsync uses nothing but http(s) to collect logs from any number of ACS servers and supports multiple versions/platforms.


If you need the logs in a database, our aaa-reports! enterprise product uses built-in SQL Server databases and has web reporting.


http://www.extraxi.com/aaare.htm
