AAA Accounting Config Help

Answered Question
Aug 18th, 2009
I have Cisco ACS 3.2 on Windows with Cisco devices (IOS 12.3) configured with authentication. I need to enable the accounting. I just need the list of commands (changes) made on the Cisco device. What is the correct authentication command? Below is the present config.


aaa group server tacacs+ tacgrp
 server X.X.X.X
 server Y.Y.Y.Y
!
aaa authentication login default group tacacs+ local
aaa authentication login fallback group tacacs+ enable
aaa session-id common
!
tacacs-server host X.X.X.X
tacacs-server host Y.Y.Y.Y
tacacs-server directed-request
tacacs-server key 7 XXXXXXXXXXXXXXXXXXX
!
line con 0
line vty 0 4


Jatin Katyal Wed, 08/19/2009 - 04:43
User Badges: Cisco Employee

!--- The following commands are for accounting the user's activity
!--- when the user is logged into the device.

aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


Hope this helps.

JK
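
Once those lines are in place the router opens a TCP/49 session to ACS and sends one accounting record per EXEC session and per command. The Python below is an added example, not code from this thread, from Cisco IOS or from ACS: it encodes the accounting REQUEST such a record is carried in, in the wire format of RFC 8907, decodes it the way the server does, and handles the server's REPLY, including the MD5 pseudo-pad that the `tacacs-server key` secret feeds. The session id, key, user name, line, source address and the `cmd=` value are constructed sample values, and the attribute names (`service=shell`, `priv-lvl=`, `cmd=`, `task_id=`) follow the usual IOS form, which is an assumption about the router's behaviour rather than anything the thread shows.

```python
"""
TACACS+ accounting records on the wire (RFC 8907). Added example, not code
from this thread, from Cisco IOS or from ACS: it builds the accounting REQUEST
that `aaa accounting commands 15 default start-stop group tacacs+` makes a
router send for one privileged command, decodes it as the server does, and
handles the REPLY. Session id, key, user, line, address and the cmd= value are
constructed sample values; the attribute names follow the usual IOS form.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_ACCT = 0x03               # header type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body carried in clear
TAC_PLUS_ACCT_FLAG_START = 0x02
TAC_PLUS_ACCT_FLAG_STOP = 0x04
TAC_PLUS_ACCT_STATUS_SUCCESS = 0x01
HEADER = struct.Struct("!BBBBII")         # version, type, seq_no, flags, session_id, length
ACCT_FIXED = struct.Struct("!BBBBBBBBB")  # acct flags, authen_method, priv_lvl, authen_type,
                                          # authen_service, user_len, port_len, rem_addr_len, arg_cnt

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s.4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and cut
    to the body length. Obfuscation with a static shared secret, not
    authenticated encryption: whoever holds or recovers the key reads and
    forges every record."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_acct_request(session_id, key, seq_no, acct_flags, user, port, rem_addr, args, priv_lvl=15):
    """Accounting REQUEST (RFC 8907 s.7.1); each entry of args is one 'attr=value' string."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    args_b = [a.encode() for a in args]
    body = ACCT_FIXED.pack(acct_flags,
                           0x06,      # TAC_PLUS_AUTHEN_METH_TACACSPLUS
                           priv_lvl,
                           0x01,      # TAC_PLUS_AUTHEN_TYPE_ASCII
                           0x01,      # TAC_PLUS_AUTHEN_SVC_LOGIN
                           len(user_b), len(port_b), len(rem_b), len(args_b))
    body += bytes(len(a) for a in args_b) + user_b + port_b + rem_b + b"".join(args_b)
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def parse_acct_request(packet, key):
    """Decode a REQUEST as the server does; a wrong key leaves garbage that normally fails the length check."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_ACCT or len(body) != length or length < ACCT_FIXED.size:
        raise ValueError("not a complete accounting packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    (acct_flags, _method, priv_lvl, _atype, _svc,
     user_len, port_len, rem_len, arg_cnt) = ACCT_FIXED.unpack(body[:ACCT_FIXED.size])
    off = ACCT_FIXED.size
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    fields = []
    for n in (user_len, port_len, rem_len, *arg_lens):
        fields.append(body[off:off + n].decode("ascii", "replace"))
        off += n
    if off != length:
        raise ValueError("field lengths do not add up to the body length")
    user, port, rem_addr, *args = fields
    return {"session_id": session_id, "seq_no": seq_no, "flags": acct_flags, "priv_lvl": priv_lvl,
            "user": user, "port": port, "rem_addr": rem_addr, "args": args}

def build_acct_reply(session_id, key, seq_no, status, server_msg=b"", data=b""):
    """Accounting REPLY (RFC 8907 s.7.2): server_msg_len, data_len, status, server_msg, data."""
    body = struct.pack("!HHB", len(server_msg), len(data), status) + server_msg + data
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def parse_acct_reply(packet, key):
    """Decode a REPLY as the router does; status 1 is SUCCESS, 2 is ERROR."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    msg_len, _data_len, status = struct.unpack("!HHB", body[:5])
    return {"status": status, "server_msg": body[5:5 + msg_len].decode("ascii", "replace")}

KEY = b"constructed-shared-secret"   # the secret behind `tacacs-server key`; sample value
SESSION = 0x1234ABCD                  # constructed; the router picks a fresh one per session

def command_record(cmd, task_id, user="admin", port="tty2", rem_addr="10.0.0.5"):
    """The record command accounting sends for one priv-15 command (sample field values)."""
    args = ["task_id=%d" % task_id, "timezone=UTC", "service=shell", "priv-lvl=15", "cmd=%s <cr>" % cmd]
    return build_acct_request(SESSION, KEY, 1, TAC_PLUS_ACCT_FLAG_STOP, user, port, rem_addr, args)
```

Calling `command_record("show running-config", 42)` and feeding the result to `parse_acct_request` with the same key gives back the user, line, privilege level and the `cmd=show running-config <cr>` argument that ends up in the ACS accounting report. The point worth keeping in mind: the body is only XORed with an MD5 stream derived from the shared key plus fields that sit in clear in the header, so anyone who learns the key (and a `key 7` string in a saved config is trivially reversible) can read every command in transit and forge records. Keep the router-to-ACS path on a management network or inside an encrypted tunnel, and treat the TACACS+ key with the same care as an enable secret.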


avilt Wed, 08/19/2009 - 18:30
Thank you, it works fine.

Is there any way to get log entries for SNMP access through ACS?

Correct Answer
Lucien Avramov Wed, 08/19/2009 - 18:42
User Badges: Red, 2250 points or more

There is no accounting for SNMP.

The show snmp command on the router can tell you how many polls were done.

Example of show snmp output:

Chassis: SCA043004DW
Contact: smotwani
Location: noida
56224160 SNMP packets input
    0 Bad SNMP version errors
    38 Unknown community name
    0 Illegal operation for community name supplied
    0 Encoding errors
    268814216 Number of requested variables
    112 Number of altered variables
    35437579 Get-request PDUs
    20781918 Get-next PDUs
    24 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
56224122 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    15 No such name errors
    0 Bad values errors
    0 General errors
    56219928 Response PDUs
    0 Trap PDUs

Also, you can set an access-list permitting any for SNMP and log the access-list; it will have a counter that increments.

There is no such thing as looking in the ACS logs to know how many times SNMP was accessed and by which IP address, for the simple reason that authorization does not apply to SNMP.
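
The answer gives two places to look instead of ACS. The Python below is an added example, not from this thread, from Cisco IOS or from ACS, that turns both into something that can be run: a parser for the numeric lines of `show snmp` that diffs two snapshots and flags the counters that matter for security (`Unknown community name` climbing means someone is guessing community strings or a poller is misconfigured; `Set-request PDUs` climbing means something wrote to the device), and a parser for the `%SEC-6-IPACCESSLOGP` syslog lines that an access-list with the `log` keyword produces, which carry the source address the poster asked about. The `show snmp` text and the syslog lines are constructed samples in the IOS format; the ACL number and the addresses are assumptions.

```python
"""
Counting SNMP access on an IOS device without TACACS+ accounting. Added example,
not from this thread, from Cisco IOS or from ACS: it does the two things the answer
suggests, reading `show snmp` counters twice and reporting what moved, and totalling
IOS ACL-log messages per source address so "which IP" can be answered from syslog
instead of ACS. The counter text and syslog lines are constructed samples shaped
like IOS output; the ACL number and addresses are assumptions.
"""
import re
from collections import Counter

COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")
# Counters that matter for security rather than capacity: bad community strings mean
# guessing (or a misconfigured poller), Set-requests mean something wrote to the box.
WATCH = ("Unknown community name", "Illegal operation for community name supplied",
         "Set-request PDUs")

def parse_show_snmp(text):
    """{counter name: value} for the numeric lines of `show snmp`; 'Chassis:',
    'Contact:' and 'Location:' carry no count and are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            name = re.sub(r"\s*\(.*\)$", "", m.group(2))  # drop '(Maximum queue size 1000)'
            counters[name] = int(m.group(1))
    return counters

def snmp_delta(before, after):
    """Increase of every counter between two snapshots; values are treated as 32-bit."""
    delta = {}
    for name, new in after.items():
        old = before.get(name, 0)
        delta[name] = new - old if new >= old else new + (1 << 32) - old
    return delta

def snmp_findings(delta):
    """Only the watched counters that moved."""
    return {k: delta[k] for k in WATCH if delta.get(k)}

# The ACL the answer describes, assumed applied inbound on the interface the
# management hosts reach; the `log` keyword is what produces the syslog lines:
#   access-list 101 permit udp any any eq snmp log
#   access-list 101 permit ip any any
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

def snmp_sources(syslog_lines, dport=161):
    """Packets per (source IP, action) aimed at the SNMP port. IOS logs the first hit
    as '1 packet' and afterwards a per-interval count, so the counts are summed."""
    totals = Counter()
    for line in syslog_lines:
        m = ACL_LOG_RE.search(line)
        if m and m.group("proto") == "udp" and int(m.group("dport")) == dport:
            totals[(m.group("src"), m.group("action"))] += int(m.group("count"))
    return totals

# Constructed `show snmp` snapshots shaped like the output quoted in the answer.
SNAPSHOT_1 = """\
Chassis: SCA043004DW
Contact: smotwani
56224160 SNMP packets input
38 Unknown community name
0 Illegal operation for community name supplied
35437579 Get-request PDUs
24 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
"""
SNAPSHOT_2 = (SNAPSHOT_1.replace("38 Unknown community name", "1250 Unknown community name")
              .replace("24 Set-request PDUs", "27 Set-request PDUs"))

# Constructed syslog lines in the IOS %SEC-6-IPACCESSLOGP form.
SYSLOG = [
    "*Aug 19 18:30:01: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.20(54321) -> 10.1.1.1(161), 1 packet",
    "*Aug 19 18:35:01: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.1.20(54321) -> 10.1.1.1(161), 59 packets",
    "*Aug 19 18:36:12: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.0.2.77(40000) -> 10.1.1.1(161), 1 packet",
    "*Aug 19 18:41:12: %SEC-6-IPACCESSLOGP: list 101 permitted udp 192.0.2.77(40000) -> 10.1.1.1(161), 1211 packets",
    "*Aug 19 18:41:30: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.9(51000) -> 10.1.1.1(22), 1 packet",
]

if __name__ == "__main__":
    print(snmp_findings(snmp_delta(parse_show_snmp(SNAPSHOT_1), parse_show_snmp(SNAPSHOT_2))))
    print(snmp_sources(SYSLOG))
```

On the constructed data the two views line up: 1212 new `Unknown community name` errors between the snapshots, and 1212 packets to UDP/161 from 192.0.2.77 in the ACL log, which is how a community-string guessing run looks from the router side. Two caveats: IOS rate-limits ACL log generation, so the per-source totals are a lower bound rather than an exact count, and the `show snmp` counters are cumulative since boot, so only the delta between two snapshots means anything.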


