TACACS Accounting

aneesh.ts (Level 1)

I have implemented a Cisco Secure ACS with TACACS protocol. We have network connectivity issues and whenever that happens TACACS falls back to the local database. Is there any way to enable capturing of the commands executed when ACS goes offline? Maybe when ACS comes back those commands (accounting) can be sent to it by the device itself.

My requirement may seem weird. But I strongly believe everything is possible with Cisco :)

Accepted Solution

jhillend (Level 1)

What you are asking for is to have the IOS T+ client cache the commands and then forward them to the ACS once the T+ client can once again communicate with ACS. Yes? Per IOS T+ controls, no, this is not available. The T+ connection will fail and fall back to either another T+ server or stop sending accounting records.

The only solution here is to have two ACS servers online and have the T+ fall back to the secondary ACS in the event of loss of connection to the primary. Then, have both ACSes forward the accounting records to a third server, either ACS or syslog. This assumes, of course, that the T+ client doesn't lose connectivity to both ACSes.

6 Replies

Richard Burts (Hall of Fame)

Aneesh

It is true that we can do very many things with Cisco. But I am not aware of any way to have accounting records sent to ACS after connectivity is restored for commands issued while there was a loss of connectivity.

HTH

Rick


Thanks Rick & Jeff for your valuable suggestions. I would explore the option of having a secondary ACS server.

If AAA accounting is what you're concerned with, why even bother purchasing a secondary ACS server? You can use a freeware tacacs+ server running on either Linux or Solaris. I use it in my enterprise environment and it is a very stable application.

In the era of IT budget cuts, this is a very attractive solution.

my 2c.

Can I use ODBC logging from the primary and secondary ACS to a single remote database?

Now I'm using a local database on the primary server only, so when it fails I am not able to log any entry.

Thanks.

Regards.

Andrea.

Hi Andrea

I would not recommend ODBC logging as execution threads inside ACS become blocked while the data is logged into the remote database.

If your ACS server is under load this can cause incoming requests to be dropped.

Have you considered logging locally (just to CSV) then using a tool such as our csvsync? csvsync uses nothing but http(s) to collect logs from any number of ACS servers and supports multiple versions and platforms.

If you need the logs in a database our aaa-reports! enterprise product uses builtin SQL server databases and has web reporting.

http://www.extraxi.com/aaare.htm
