New Member

AAA Accounting Config Help

I have Cisco ACS 3.2 on Windows with Cisco devices (IOS 12.3) configured with authentication. I need to enable the accounting. I just need the list of commands (changes) made on the Cisco device. What is the correct authentication command? Below is the present config.

aaa group server tacacs+ tacgrp

server X.X.X.X

server Y.Y.Y.Y

!

aaa authentication login default group tacacs+ local

aaa authentication login fallback group tacacs+ enable

aaa session-id common

tacacs-server host X.X.X.X

tacacs-server host Y.Y.Y.Y

tacacs-server directed-request

tacacs-server key 7 XXXXXXXXXXXXXXXXXXX

line con 0

line vty 0 4

3 REPLIES
Cisco Employee

Re: AAA Accounting Config Help

!--- Following commands are for accounting the user's activity,

!--- when user is logged into the device.

aaa accounting exec default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

Hope this helps.

JK

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: AAA Accounting Config Help

Thank you, it works fine.

Is there any way to get log entries for SNMP access through ACS?

Re: AAA Accounting Config Help

There is no accounting for SNMP.

The show snmp command on the router can tell you how many polls were done.

Example of show snmp output:

Chassis: SCA043004DW

Contact: smotwani

Location: noida

56224160 SNMP packets input

0 Bad SNMP version errors

38 Unknown community name

0 Illegal operation for community name supplied

0 Encoding errors

268814216 Number of requested variables

112 Number of altered variables

35437579 Get-request PDUs

20781918 Get-next PDUs

24 Set-request PDUs

0 Input queue packet drops (Maximum queue size 1000)

56224122 SNMP packets output

0 Too big errors (Maximum packet size 1500)

15 No such name errors

0 Bad values errors

0 General errors

56219928 Response PDUs

0 Trap PDUs

Also, you can set an access list permitting any for SNMP and log the access list, which will have a counter that increments.

There is no such thing as looking in the ACS logs to know how many times SNMP was accessed and by which IP address, for the simple reason that authorization does not apply to SNMP.
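
An added example, not part of the original replies: since ACS keeps no record of SNMP access, one way to track it is to capture show snmp periodically and compare the counters. The sketch below parses the output format shown above; the second snapshot's values, the function names and the choice of watched counters are assumptions made for illustration.

```python
import re

# Counters to report when they grow between snapshots (assumed choice, not from the thread).
WATCHED = ("Unknown community name", "Set-request PDUs", "Number of altered variables")

# First snapshot: lines copied from the `show snmp` output above.
SNAP_1 = """Chassis: SCA043004DW
56224160 SNMP packets input
    38 Unknown community name
    112 Number of altered variables
    35437579 Get-request PDUs
    24 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
"""
# Second snapshot: constructed values, as if captured some time later.
SNAP_2 = """Chassis: SCA043004DW
56224391 SNMP packets input
    45 Unknown community name
    112 Number of altered variables
    35437800 Get-request PDUs
    24 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
"""

def parse_show_snmp(text):
    """Map each '<count> <label>' line to {label: count}; other lines are skipped."""
    counters = {}
    for line in text.splitlines():
        # Trailing parenthetical such as "(Maximum queue size 1000)" is not part of the label.
        m = re.match(r"\s*(\d+)\s+(.+?)\s*(?:\(.*\))?\s*$", line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters

def delta(before, after):
    """Increase per counter; a lower later value means a reset (e.g. reload),
    so the later value is taken as the increase since the reset."""
    return {k: v - before.get(k, 0) if v >= before.get(k, 0) else v
            for k, v in after.items()}

def findings(before_text, after_text):
    """Watched counters that grew between the two snapshots."""
    d = delta(parse_show_snmp(before_text), parse_show_snmp(after_text))
    return {k: d[k] for k in WATCHED if d.get(k, 0) > 0}

if __name__ == "__main__":
    print(findings(SNAP_1, SNAP_2))  # {'Unknown community name': 7}
```

The counters say how often something happened, not who did it; the source address still has to come from the logged access list mentioned in the reply.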
