07-15-2010 02:07 PM - edited 03-10-2019 05:15 PM
Hi, I need to provide ACS reports that will include all commands entered on firewalls/switches/routers.
Successfully set up ACS for these network devices, basic AAA is working, I can log failed/passed authentications, different levels of authentication were correctly configured, but in reports I can see only commands that have been denied (have tested different user levels). How can I set up AAA to log all commands entered by e.g. network device admins?
07-16-2010 02:50 AM
Hi,
In order to get the executed commands from a router or switch you need to configure AAA accounting commands on the router and switch, like:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Then you can see them in the command logs under the TACACS+ Administration tab on the ACS server.
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
07-16-2010 10:31 AM
Hi Ganesh, thanks for reply.
Unfortunately I am still unable to see executed commands in the TACACS+ accounting report. I have all report fields enabled, the configuration is the same as you suggested, but still no luck. I set up a shell command authorization set and can see when read-only users (who have rights to run only the commands in the read-only authorization set) try to execute commands they are not authorized to run, but I cannot see all commands executed on the switch.
This is really important to have a record who and when initiated what commands on network devices.
07/16/2010,09:18:30,AAAServer,GRoup,SWITCHES,CAT3560-T,UserName,192.168.182.1,start,15,,,,,,2,(Default),,,shell,,,,,,,,,,,,,,UTC,,,,,,,,,,,,,,,,,,,,,,,,No,Login,1,6,192.168.182.20,tty1
Any other suggestions?
07-16-2010 11:04 AM
Hi,
If your ACS version is 4.1, TACACS+ command accounting no longer works. No accounting records are visible in the TACACS+ Administration log (bug CSCsg97429).
Click this link if you are using ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:
applAcs_4.1.1.23_ACS-4.1-CSTacacs-CSCsg97429.zip
Hope to Help !!
Ganesh.H
Remember to rate the helpful post
07-16-2010 12:28 PM
Thanks Ganesh
I am updating to v4.2 and will check out reports. Will keep this group posted.
07-16-2010 01:29 PM
Works like a charm:
16/07/2010,13:19:41,UserName,Group,hostname NewSwitchName
16/07/2010,13:19:44,UserName,Group,write
Thanks for your help.
Regards,
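Added example (not part of this thread and not a Cisco or ACS tool): a small Python audit script that turns the kind of TACACS+ Administration rows shown above into "who, when, what" lines, flags rows that carry a session but no command text (the symptom described earlier in the thread), and checks a device config for the aaa accounting commands lines Ganesh listed. It assumes the five-column layout date,time,user,group,command and the dd/mm/yyyy date format seen in the two rows above, and that the default method list is used; the sample rows and config are constructed for the example.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample of ACS 4.2 TACACS+ Administration rows in the shape the
# thread shows (date,time,user,group,command). The third row is constructed
# with an empty command field to exercise the "no command recorded" path.
SAMPLE_ACS_LOG = """\
16/07/2010,13:19:41,UserName,Group,hostname NewSwitchName
16/07/2010,13:19:44,UserName,Group,write
16/07/2010,13:20:02,UserName,Group,
"""

# Constructed device config with command accounting for level 15 only.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Assumption: the export uses dd/mm/yyyy, as the rows above do.
_DATE_FORMAT = "%d/%m/%Y %H:%M:%S"


def parse_command_records(text):
    """Turn CSV rows into dicts of when/user/group/command.

    Columns beyond the fourth are rejoined so a command containing an
    unquoted comma is not truncated.
    """
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 4:
            continue  # blank or truncated line
        date, time_, user, group = row[:4]
        command = ",".join(row[4:]).strip()
        records.append({
            "when": datetime.strptime(f"{date} {time_}", _DATE_FORMAT),
            "user": user,
            "group": group,
            "command": command,
        })
    return records


def records_without_command(records):
    """Rows where ACS logged a session but no command text: the symptom the
    thread describes before the fix."""
    return [r for r in records if not r["command"]]


def audit_lines(records):
    """One 'who, when, what' line per command, the record the poster wanted."""
    return [
        f"{r['when']:%Y-%m-%d %H:%M:%S} {r['user']} ({r['group']}): {r['command']}"
        for r in records if r["command"]
    ]


# Matches the command-accounting lines from the thread (default method list).
_ACCT_RE = re.compile(
    r"^\s*aaa accounting commands (\d+) default start-stop group tacacs\+",
    re.MULTILINE,
)


def missing_command_accounting(running_config, levels=(1, 15)):
    """Privilege levels with no 'aaa accounting commands <level>' line.

    Assumption: the default method list is used, as in the thread's config.
    """
    configured = {int(m.group(1)) for m in _ACCT_RE.finditer(running_config)}
    return sorted(set(levels) - configured)


if __name__ == "__main__":
    recs = parse_command_records(SAMPLE_ACS_LOG)
    for line in audit_lines(recs):
        print(line)
    print("rows without a command:", len(records_without_command(recs)))
    print("levels lacking command accounting:",
          missing_command_accounting(SAMPLE_CONFIG))
```

Run against a real export, an empty result from records_without_command together with an empty result from missing_command_accounting for every privilege level your admins use is the state the thread ends in; a non-empty list from either points at the device side (missing aaa accounting commands lines) rather than at the ACS report filters.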