Hi,

We have the exact same problem as the user above (laurabriscoe).

Telnet and SSH is working great and is logging to the ACS in both accounting and administration.

But now we have started to let some of our local offices use CNA to manage the switches themself, but nothing is logged.

The command "Ip http accounting commands level ..." seems to be the way to go. But I can't find it in any of our switches. I have checked in different IOS versions and models (2960 and 3750) but it is not there.

So if you or someone have any other ideas of command related to get the logging for HTTP/HTTPS to work with Cisco ACS, that would have been much appriciated.

Best regards

//Robert

You might need to upgrade in order to have the command available in those Switches:

The "ip http accounting commands" command specifies a particular command accounting method for HTTP server users.

This command was introduced. 12.4(15)T.

This command was integrated into Cisco IOS Release 12.2(33)SRC.

This command was integrated into Cisco IOS Release 12.2(33)SB.

http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_08.html#wp1020189

This is how it worked from me

1. I have configured a user on the ACS server

2. I have configured the following for accounting

aaa new-model

aaa authentication login default group tacacs local

aaa authorization exec default group tacacs local

aaa accounting commands 1 default stop-only group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

tacacs-server host $ACS_Server key cisco

ip http authentication aaa

3. Enabled Debugs with:

debug tacacs accounting

4. I login to the http session with the username and password configured

in step-1 and execute commands using the webexec. The commands are being

logged on the tacacs+ server. (Cisco Secure ACS).

5. I also tried the following

aaa accounting commands 15 default start-stop group tacacs+

This also works fine.

Regards,

~JG

Do rate helpful posts