01-15-2009 08:47 AM - edited 03-10-2019 04:17 PM
I have implemented a Cisco Secure ACS with the TACACS protocol. We have network connectivity issues, and whenever that happens TACACS falls back to the local database. Is there any way to enable capturing of the commands executed when ACS goes offline? Maybe when ACS comes back, those commands (accounting) can be sent to it by the device itself.
My requirement may seem weird. But I strongly believe everything is possible with Cisco :)
01-15-2009 09:09 AM
Aneesh
It is true that we can do very many things with Cisco. But I am not aware of any way to have accounting records sent to ACS after connectivity is restored for commands issued while there was a loss of connectivity.
HTH
Rick
01-15-2009 11:59 AM
What you are asking for is to have the IOS T+ client cache the commands and then forward them to the ACS once the T+ client can once again communicate with ACS. Yes? Per IOS T+ controls, no, this is not available. The T+ connection will fail and fall back to either another T+ server or stop sending accounting records.
The only solution here is to have two ACS servers online and have the T+ fall back to the secondary ACS in the event of loss of connection to the primary. Then, have both ACSes forward the accounting records to a third server, either ACS or syslog. This assumes, of course, that the T+ client doesn't lose connectivity to both ACSes.
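The two-server fallback Jeff describes, written out as an IOS AAA configuration. This is an added example, not configuration posted in the thread; the group name, the 192.0.2.x addresses and the keys are placeholders to be replaced with your own values.

```cisco
! Added example: two ACS servers in one TACACS+ group so that
! authentication, authorization and accounting fall back from the
! primary to the secondary before IOS ever uses the local database.
! Addresses and keys are placeholders (RFC 5737 documentation range).
aaa new-model
!
tacacs-server host 192.0.2.10 key PRIMARY-SHARED-SECRET
tacacs-server host 192.0.2.11 key SECONDARY-SHARED-SECRET
tacacs-server timeout 5
!
! Servers are tried in the order listed in the group.
aaa group server tacacs+ ACS-GROUP
 server 192.0.2.10
 server 192.0.2.11
!
! "local" is the last resort when neither ACS answers; while in that
! state no accounting records are produced, which is the gap the
! thread is about.
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
!
! Command accounting goes to whichever ACS in the group is reachable;
! both ACSes should then forward their logs to the third server
! (ACS or syslog) as described in the post above.
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
! Local fallback user so the device stays manageable when both
! ACSes are unreachable; the secret here is a placeholder.
username admin privilege 15 secret REPLACE-WITH-LOCAL-SECRET
```

Check the fallback behaviour with `show tacacs` after the change; it reports per-server request and failure counts, so a rising failure count on the primary alongside successes on the secondary confirms the group is working as intended.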
01-15-2009 05:35 PM
Thanks Rick & Jeff for your valuable suggestions. I would explore the option of having a secondary ACS server.
01-15-2009 07:14 PM
If AAA accounting is what you're concerned with, why even bother purchasing a secondary ACS server? You can use a freeware tacacs+ server running on either Linux or Solaris. I use it in my enterprise environment and it is a very stable application.
In the era of IT budget cuts, this is a very attractive solution.
my 2c.
01-20-2009 03:13 AM
Can I use ODBC logging from the primary and secondary ACS to a unique remote database?
Now I'm using a local database on the primary server only, so when it fails I am not able to log any entry.
Thanks.
Regards.
Andrea.
01-20-2009 03:41 AM
Hi Andrea
I would not recommend ODBC logging as execution threads inside ACS become blocked while the data is logged into the remote database.
If your ACS server is under load this can cause incoming requests to be dropped.
Have you considered logging locally (just to CSV) and then using a tool such as our csvsync? csvsync uses nothing but http(s) to collect logs from any number of ACS servers and supports multiple versions and platforms.
If you need the logs in a database, our aaa-reports! enterprise product uses built-in SQL Server databases and has web reporting.