Problem for see accounting in ACS 4.1

Hello,

I have ACS 4.1 and I've configured AAA on a router. My problem is that I can't see the accounting in ACS. For example, I want to know what the users have done, for example if a user types show runn, conf ter, or shutdown on the interface. Actually, my AAA configuration is:

How can I see the accounting in the ACS? In ACS 3.3.3 I can see the accounting, but in this version nothing.

version 12.4

hostname Router_Lab

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$051s$Few6cFXNT6T0TdAZqHkNu.

!

aaa new-model

!

aaa authentication login default group tacacs+ local

aaa authentication enable default enable

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

!

aaa session-id common

!

resource policy

!

ip subnet-zero

ip cef

!

username admin password 0 cisco123

!

interface FastEthernet0/0

ip address 172.20.0.1 255.255.255.0

duplex full

speed 100

!

snmp-server community adexus123 RW

snmp-server host 172.20.0.100 adexus123

!

tacacs-server host 172.20.0.11 key cisco123

tacacs-server timeout 3

tacacs-server directed-request

My logs when I put show running-config:

Router_Lab#

*Mar 19 18:42:59.599: AAA: parse name=tty2 idb type=-1 tty=-1

*Mar 19 18:42:59.599: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

*Mar 19 18:42:59.603: AAA/MEMORY: create_user (0x654D1F28) user='adexus' ruser='Router_Lab' ds0=0 port='tty2' rem_addr='172.20.0.100' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)

*Mar 19 18:42:59.607: tty2 AAA/AUTHOR/CMD(3705108292): Port='tty2' list='' service=CMD

*Mar 19 18:42:59.611: AAA/AUTHOR/CMD: tty2(3705108292) user='adexus'

*Mar 19 18:42:59.611: tty2 AAA/AUTHOR/CMD(3705108292): send AV service=shell

*Mar 19 18:42:59.615: tty2 AAA/AUTHOR/CMD(3705108292): send AV cmd=show

*Mar 19 18:42:59.615: tty2 AAA/AUTHOR/CMD(3705108292): send AV cmd-arg=running-config

*Mar 19 18:42:59.619: tty2 AAA/AUTHOR/CMD(3705108292): send AV cmd-arg=<cr>

*Mar 19 18:42:59.619: tty2 AAA/AUTHOR/CMD(3705108292): found list "default"

*Mar 19 18:42:59.623: tty2 AAA/AUTHOR/CMD(3705108292): Method=tacacs+ (tacacs+)

*Mar 19 18:42:59.627: AAA/AUTHOR/TAC+: (3705108292): user=adexus

*Mar 19 18:42:59.627: AAA/AUTHOR/TAC+: (3705108292): send AV service=shell

*Mar 19 18:42:59.627: AAA/AUTHOR/TAC+: (3705108292): send AV cmd=show

*Mar 19 18:42:59.631: AAA/AUTHOR/TAC+: (3705108292): send AV cmd-arg=running-config

*Mar 19 18:42:59.631: AAA/AUTHOR/TAC+: (3705108292): send AV cmd-arg=<cr>

*Mar 19 18:42:59.875: AAA/AUTHOR (3705108292): Post authorization status = PASS_ADD

*Mar 19 18:42:59.875: AAA/MEMORY: free_user (0x654D1F28) user='adexus' ruser='Router_Lab' port='tty2' rem_addr='172.20.0.100' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

3 Replies

Check this link, there is a bug in 4.1

http://supportwiki.cisco.com/ViewWiki/index.php/Cisco_Secure_ACS_server_is_unable_to_register_TACACS%2B_admin_logs

But you should at least see the accounting records being sent on the router; I wonder why you don't see those in your debugs.

Vinay Sharma
Level 7

Hi,

Thanks for the info. There is a known bug for command accounting in ACS v4.1 and it is fixed in cumulative patch 5. The patch is available at cisco.com. Make sure you take a backup before applying the patch. CSCsg97429: TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.

Thanks & Regards

Hi Vinashar,

This issue occurs due to the presence of Cisco bug ID CSCsg97429.

No accounting records appear in the Terminal Access Controller Access Control System (TACACS+) Administration log file.

The problem starts when command Accounting is configured on the Network Attached Storage (NAS). After commands are entered on the NAS, no records appear in the TACACS+ Administration log file.

Debugs on the NAS show the records are sent, and they do arrive at the ACS, but the appropriate log file fails to update.

With ACS logging set to Full in System Configuration > Service Control, the log file of the CSLog service shows these entries each time a command is entered on the NAS:

12/06/2006 14:22:52 U 5111 2608 Handling message at 0x010A7FF8 (339 bytes)

12/06/2006 14:22:52 A 0000 0960 Logger CSV TACACS+ Accounting: filter denies logging

Resolution

For a workaround:

Download and install these patches from Cisco Downloads:

CiscoSecure ACS for Microsoft Windows

Acs_4.1.1.23.5-SW.zip - ACS 4.1.1.23.1 accumulative patch
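
To check whether an ACS server shows the symptom described in the reply above, the CSLog service log can be scanned for the "filter denies logging" entries. The following is an added example, not part of the original thread and not Cisco code; the line layout is inferred from the two CSLog lines quoted above, the MM/DD/YYYY date order is an assumption, and the function name is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout inferred from the two CSLog lines quoted in the thread:
#   MM/DD/YYYY HH:MM:SS <letter> <4 digits> <4 digits> <message>
# The meaning of the three middle fields is not given on the page, so they
# are matched but treated as opaque. MM/DD date order is an assumption.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S) (\d{4}) (\d{4}) (.*)$"
)
DENY_RE = re.compile(r"^Logger (.+): filter denies logging$")


def find_denied_loggers(lines):
    """Return {logger name: {"count", "first", "last"}} for denied records."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, wrapped text, other layouts
        deny = DENY_RE.match(m.group(5))
        if not deny:
            continue  # e.g. "Handling message at ..." entries
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        entry = hits[deny.group(1)]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(hits)


# Constructed sample: the first two lines are the ones quoted in the thread,
# the remaining lines are made up in the same layout for illustration.
SAMPLE = """\
12/06/2006 14:22:52 U 5111 2608 Handling message at 0x010A7FF8 (339 bytes)
12/06/2006 14:22:52 A 0000 0960 Logger CSV TACACS+ Accounting: filter denies logging
12/06/2006 14:23:10 U 5111 2608 Handling message at 0x010A7FF8 (312 bytes)
12/06/2006 14:23:10 A 0000 0960 Logger CSV TACACS+ Accounting: filter denies logging
this line does not match the layout and is skipped
""".splitlines()

if __name__ == "__main__":
    for name, info in find_denied_loggers(SAMPLE).items():
        print(f"{name}: {info['count']} denied, {info['first']} .. {info['last']}")
```

A non-zero count for the TACACS+ Accounting logger while the router debugs show accounting records being sent matches the behaviour described for CSCsg97429; after patching, the same scan over a fresh log should return an empty result.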
