CISCO IOS How do I configure accounting for local logins?

Unanswered Question
Nov 12th, 2013

Hi Guys,


I currently use TACACS+ with ACS to authenticate access to network devices. I also have a local account just in case the ACS servers are unreachable. As it stands now, ACS logs all my TACACS+ sessions. I would like to also log all local logins using the local account.


My problem is I do not know how to set this up, and also where would I view the logging of these local account logons?


Here is my aaa model

(ignore the dot1x stuff, it's for my wired security)



aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
!


Can anyone help with this?


Thanks,


Randy

edwjames Sat, 12/07/2013 - 19:49

Randy,


The AAA accounting feature is only for the T+/Radius servers.


Show logging will show local logins but not much information.


**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed

randy.klassen Mon, 12/09/2013 - 11:27

Thanks Ed,


I guess that answers that. I have one more question.


Is there a way to force logging on via TACACS+ unless the TACACS+ servers are not available, then allow local?


Randy

edwjames Mon, 12/09/2013 - 11:31

Randy.


You are already configured for it.


aaa authentication login default group tacacs+ enable


Tacacs+ and then local if T+ is not available.


Regards
Ed

randy.klassen Mon, 12/09/2013 - 11:39

Ed,


Thanks again. I thought I was, I just didn't see a command that had the keyword "local". But I guess by stating I want T+ to be default, it will try that first, then fail to local?


Thanks again for your help Ed,


Randy

edwjames Mon, 12/09/2013 - 12:46

Randy,


You have "enable" so you will fall back to local enable secret.

If you choose "local" you will fall back to local username and password.


Do mark this post as resolved so others can also benefit when you get time.


Regards
Ed
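
Added example, not part of the original thread: an IOS configuration that contrasts the "enable" fallback from the posted method list with a "local" fallback, and turns on syslog records for every login so that local logins are visible in "show logging". The username localadmin, the <LOCAL-SECRET> placeholder and the collector address 192.0.2.10 are assumptions, and the example assumes an IOS release that supports the login on-success/on-failure commands.

```cisco
! Constructed example; username, secret and syslog address are placeholders.
!
! --- As posted in the thread: the fallback method is the enable secret ---
! aaa authentication login default group tacacs+ enable
!
! --- Variant: fall back to a named local account instead ---
aaa new-model
username localadmin secret <LOCAL-SECRET>
aaa authentication login default group tacacs+ local
!
! The second method in the list is tried only when no TACACS+ server
! responds. A reject from a reachable server ends the attempt, so the
! local account cannot be used to bypass TACACS+ while it is up.
!
! --- Record every login attempt in the device log ---
login on-success log
login on-failure log
!
! --- Make the records usable: timestamps and an off-box copy ---
service timestamps log datetime msec localtime show-timezone
logging host 192.0.2.10
!
! The resulting messages carry the mnemonics
!   SEC_LOGIN-5-LOGIN_SUCCESS
!   SEC_LOGIN-4-LOGIN_FAILED
! and appear in "show logging" and on the syslog collector.
```

Because the buffer on the device can be cleared or overwritten, the copy on the syslog collector is the one to alert on when a local login appears while the TACACS+ servers are reachable.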
