CISCO IOS How do I configure accounting for local logins?

randy.klassen
Level 1

Hi Guys,

I currently use TACACS+ with ACS to authenticate access to network devices. I also have a local account just in case the ACS servers are unreachable. As it stands now, ACS logs all my TACACS+ sessions. I would like to also log all local logins using the local account.

My problem is I do not know how to set this up, and also where would I view the logging of these local account logons?

Here is my aaa model

(ignore the dot1x stuff, it's for my wired security)

```
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
!
```

Can anyone help with this?

Thanks,


Randy

5 Replies

edwjames
Level 3

Randy,

The AAA accounting feature is only for the T+/Radius servers.

Show logging will show local logins but not much information.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed


Thanks Ed,

I guess that answers that. I have one more question.

Is there a way to force logging on via TACACS+ unless the TACACS+ servers are not available, then allow local?

Randy

Randy.

You are already configured for it.

aaa authentication login default group tacacs+ enable

Tacacs+ and then local if T+ is not available.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**


Please Rate if helpful.
Regards
Ed


Ed,

Thanks again. I thought I was, I just didn't see a command that had the keyword "local". But I guess by stating I want T+ to be default, it will try that first, then fail to local?

Thanks again for your help Ed,

Randy

Randy,

You have "enable" so you will fallback to local enable secret.

If you choose "local" you will fallback to local username and password.

Do mark this post as resolved so others can also benefit when you get time.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed
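
An added example (not from the thread, and not Cisco's code): a small Python check that reads `aaa authentication login` lines and reports what each method list falls back to after its server groups, which is the `enable` versus `local` distinction made in the replies above. The function names are assumptions of this example, and the embedded sample config is copied from the first post.

```python
import re

# Sample input: the AAA lines quoted in the thread's first post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
"""

# What each non-server login method checks the user against.
LOCAL_METHODS = {
    "enable": "enable password/secret",
    "local": "local username database",
    "local-case": "local username database (case-sensitive)",
    "line": "line password",
    "none": "no authentication",
}

def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'enable'] into ['group tacacs+', 'enable']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods

def login_method_lists(config):
    """Map each 'aaa authentication login' list name to its ordered methods."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication login (\S+) (.+)", line)
        if m:
            lists[m.group(1)] = parse_methods(m.group(2).split())
    return lists

def audit_fallback(config):
    """Per list, the methods tried once the server groups do not respond."""
    findings = {}
    for name, methods in login_method_lists(config).items():
        fallbacks = [m for m in methods if not m.startswith("group ")]
        findings[name] = [(m, LOCAL_METHODS.get(m, "other method")) for m in fallbacks]
    return findings
```

Running `audit_fallback(SAMPLE_CONFIG)` on the posted config reports `enable` as the only fallback for the `default` list; a list ending in `local` would report the local username database instead.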
