873 Views · 0 Helpful · 5 Replies

AAA Reports

endpoint (Level 1)

Hi, I need to provide ACS reports that include all commands entered on firewalls/switches/routers.

I have successfully set up ACS for these network devices: basic AAA is working, I can log failed/passed authentications, and the different authentication levels are correctly configured. But in the reports I can see only the commands that have been denied (I have tested different user levels). How can I set up AAA to log all commands entered by, e.g., network device admins?

1 Accepted Solution: Ganesh.H's reply below about ACS 4.1 bug CSCsg97429.

5 Replies

Ganesh Hariharan (VIP Alumni)

Hi,

In order to get the executed commands from a router or switch, you need to configure aaa accounting commands on the router and switch, like:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Then you can see the command logs in the TACACS+ Administration tab on the ACS server.

Hope to Help!!

Ganesh.H

Remember to rate the helpful post

Hi Ganesh, thanks for the reply.

Unfortunately I am still unable to see executed commands in the TACACS+ accounting report. I have all report fields enabled and the configuration is the same as you suggested, but still no luck. I set up a shell command authorization set and can see when read-only users (who have rights to run only the commands in the read-only authorization set) try to execute commands they are not authorized to run, but I cannot see all commands executed on the switch.

This is really important: we need a record of who initiated what commands on network devices, and when.

07/16/2010,09:18:30,AAAServer,GRoup,SWITCHES,CAT3560-T,UserName,192.168.182.1,start,15,,,,,,2,(Default),,,shell,,,,,,,,,,,,,,UTC,,,,,,,,,,,,,,,,,,,,,,,,No,Login,1,6,192.168.182.20,tty1

Any other suggestions?

Hi,

If your ACS version is 4.1, TACACS+ Command Accounting no longer works: no accounting records are visible in the TACACS+ Administration log (bug CSCsg97429).

Click this link if you are using ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:

applAcs_4.1.1.23_ACS-4.1-CSTacacs-CSCsg97429.zip

Hope to Help!!

Ganesh.H

Remember to rate the helpful post

Thanks Ganesh

I am updating to v4.2 and will check out reports. Will keep this group posted.

Works like a charm:

16/07/2010,13:19:41,UserName,Group,hostname NewSwitchName ,15,shell,tty1,258,192.168.182.1,
16/07/2010,13:19:44,UserName,Group,write ,15,shell,tty1,259,192.168.182.1,'

thanks for your help.

Regards,
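As an added illustration, not code from this thread or from Cisco, here is a small Python parser for the comma-separated TACACS+ Administration records shown in the last post, turning them into the who/when/what audit trail the original poster asked for and flagging the configuration-changing commands an auditor would want to review first. The column meanings (date, time, user, group, command, privilege level, service, port, task id, NAS IP) are inferred from the visible values and are an assumption; the two sample lines are the records posted above, with the stray trailing apostrophe removed.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Sample ACS 4.2 TACACS+ Administration (command accounting) records, copied from
# the thread above. Column assignment below is an assumption inferred from the values.
SAMPLE_ADMIN_LOG = """16/07/2010,13:19:41,UserName,Group,hostname NewSwitchName ,15,shell,tty1,258,192.168.182.1,
16/07/2010,13:19:44,UserName,Group,write ,15,shell,tty1,259,192.168.182.1,
"""

# Command prefixes treated as configuration changes for review purposes (constructed list).
CONFIG_CHANGE_PREFIXES = ("configure", "write", "copy", "hostname", "no ", "username", "enable secret")


@dataclass
class CommandRecord:
    timestamp: datetime
    user: str
    group: str
    command: str
    priv_level: int
    service: str
    port: str
    task_id: int
    nas_ip: str


def parse_admin_log(text: str) -> List[CommandRecord]:
    """Parse TACACS+ Administration CSV lines into CommandRecord objects.

    Rows with fewer than ten fields are skipped rather than raising, so a
    truncated line in a real export does not abort the whole report.
    """
    records: List[CommandRecord] = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 10:
            continue
        date, time, user, group, cmd, priv, service, port, task_id, nas_ip = row[:10]
        records.append(
            CommandRecord(
                timestamp=datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S"),
                user=user,
                group=group,
                command=cmd.strip(),  # ACS appends a trailing space to the command
                priv_level=int(priv),
                service=service,
                port=port,
                task_id=int(task_id),
                nas_ip=nas_ip,
            )
        )
    return records


def audit_trail(records: List[CommandRecord]) -> List[str]:
    """One human-readable line per command: when, who, from where, what."""
    return [
        f"{r.timestamp:%Y-%m-%d %H:%M:%S} {r.user} ({r.group}) on {r.nas_ip} {r.port} "
        f"priv {r.priv_level} task {r.task_id}: {r.command}"
        for r in records
    ]


def config_changes(records: List[CommandRecord]) -> List[CommandRecord]:
    """Records whose command looks like a configuration change."""
    return [r for r in records if r.command.startswith(CONFIG_CHANGE_PREFIXES)]


def commands_per_user(records: List[CommandRecord]) -> Dict[str, int]:
    """Simple per-user activity count, useful for spotting unexpected admins."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.user] = counts.get(r.user, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_admin_log(SAMPLE_ADMIN_LOG)
    for line in audit_trail(recs):
        print(line)
    print("config changes:", [r.command for r in config_changes(recs)])
    print("per user:", commands_per_user(recs))
```

The parser deliberately keys on the first ten columns only, so additional trailing fields in another ACS export format do not break it; if your export uses a different column order, adjust the unpacking line rather than the record type.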
