Command accounting with ACS

Unanswered Question
Jul 8th, 2009

How can I achieve command accounting via ACS? I have configured devices as below but no luck.

aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting system default start-stop group bwaaa

Any idea about it?

Jagdeep Gambhir Wed, 07/08/2009 - 10:12

Hi,

Command accounting only works with TACACS+ and not with RADIUS. Make sure bwaaa is set up as TACACS+.

These logs are stored in the TACACS+ administration report, so make sure you are checking the correct head.

If it is still not working, then check the ACS code. In case it is 4.1.1, you need to apply patch 5 to fix it.

To download the patch for the appliance:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

For Windows:

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

Regards,

~JG

Do rate helpful posts

jain.nitin Wed, 07/08/2009 - 10:51

Hi, I am using the 4.2 version appliance. I am using TACACS+; you can see the config below for your reference.

aaa new-model
aaa group server tacacs+ bwaaa
 server 10.2.6.1
 server 10.2.6.2
 ip tacacs source-interface Vlan1111
!
aaa authentication login aaa-list group bwaaa local
aaa authentication enable default group bwaaa enable
aaa authorization exec aaa-list group bwaaa local
aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting system default start-stop group bwaaa
!
aaa session-id common
tacacs-server host 10.2.6.1 timeout 25
tacacs-server host 10.2.6.2 timeout 25
tacacs-server timeout 25
tacacs-server directed-request
tacacs-server key cisco123

Jagdeep Gambhir Wed, 07/08/2009 - 12:06

As stated in the other post, try it without any method list and get the debugs:

debug aaa accounting
debug tacacs

Did you check the TACACS+ administration logs?

jain.nitin Thu, 07/09/2009 - 11:12

Hi. It worked when I did not use any method list; with the default list it works. I don't understand why it is not working with my defined list. Is there any other procedure to define a method list?
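Added example, not part of the thread: on IOS a named method list takes effect only on the lines where it is applied, while the default list applies to every line automatically, which matches what the last post reports. The Python check below lists accounting method lists that are defined but applied to no line; the function name and the `line vty` section of the sample are constructed assumptions, since the posts show no line configuration.

```python
import re

# Constructed sample: the thread's accounting lists plus an assumed vty
# section (the posts do not show how, or whether, the lists were applied).
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec aaa-list start-stop group bwaaa
aaa accounting commands 1 aaa-list start-stop group bwaaa
aaa accounting commands 15 aaa-list start-stop group bwaaa
aaa accounting system default start-stop group bwaaa
!
line vty 0 4
 login authentication aaa-list
 authorization exec aaa-list
 accounting exec aaa-list
 accounting commands 15 aaa-list
"""

# Global definition: aaa accounting {exec | commands <level>} <list> ...
DEFINE = re.compile(r"^aaa accounting (exec|commands \d+) (\S+) ")
# Line-level application: accounting {exec | commands <level>} <list>
APPLY = re.compile(r"^\s+accounting (exec|commands \d+) (\S+)\s*$")


def unapplied_accounting_lists(config):
    """Return sorted (type, list) pairs defined globally but applied to no line.

    The 'default' list is skipped because it needs no explicit application.
    """
    defined, applied = set(), set()
    in_line = False
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():            # top-level command
            in_line = raw.startswith("line ")
            m = DEFINE.match(raw)
            if m and m.group(2) != "default":
                defined.add((m.group(1), m.group(2)))
        elif in_line:                       # sub-command of a line section
            m = APPLY.match(raw)
            if m:
                applied.add((m.group(1), m.group(2)))
    return sorted(defined - applied)


if __name__ == "__main__":
    for kind, name in unapplied_accounting_lists(SAMPLE_CONFIG):
        print(f"accounting {kind} {name}: defined but not applied to any line")
```

In the constructed sample the level 1 command list is reported, so level 1 commands typed on the vty lines would produce no accounting records even though levels 15 and exec are covered.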
