Using ACS and tacacs+ can I record the keystrokes users type when they enter commands on a device such as a router or switch?
Yes , you can record whatever commands a user has run on the Cisco IOS box . For this you need to firstly configure command authorization on the IOS device along with the accounting. Below are the commands that you need.
aaa authentication login default group tacacs local
aaa authorization exec default group tacacs if-autheticated
aaa authorization commands 0 default group tacacs if-authenticated
aaa authorization commands 1 default group tacacs if-authenticated
aaa authorization commands 15 default group tacacs if-authenticated
aaa accounting commands 0 default group tacacs
aaa accounting commands 1 default group tacacs
aaa accounting commands 15 default group tacacs
tacacs-server host x.x.x.x ket
We also need to configure command authorization in ACS server using the below link ( Note : this link show the sample configuration of ACS using PIX but you can configure the IOS devices similarly)
Once we have configured the ACS and the IOS devices you can check the commands run by users in ACS by going to Reports & Activities > Tacacs admin logs .