411 Views | 0 Helpful | 9 Replies

Accounting on ACS 3.3, doesn't seem to be working.

rizwanr74
Level 7

Hi Guys,

I have the following 6 lines configured on our Cisco gear: switches, routers & ASA.

However, our ACS 3.3 does not seem to be capturing the commands used by CLI users.

aaa authentication login default group tacacs+ local
aaa authentication login VTYLogin group tacacs+ local
aaa authentication login CONLogin group tacacs+ local
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+

These are the 13 lines of configuration I have on our ASA 8.2:

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host x.x.x.19
 timeout 30
 key cxxxxxxxr
aaa-server RADIUS (inside) host x.x.x.20
 key cxxxxxxxr
aaa-server SDI protocol sdi
aaa-server SDI (inside) host x.x.x.64
aaa authentication ssh console RADIUS LOCAL
aaa authentication http console RADIUS
aaa authentication telnet console RADIUS LOCAL
aaa authentication secure-http-client

These 15 lines of configuration I have used before at another organisation I worked at:

aaa authentication login default line
aaa authentication login VTYLogin group tacacs+ line
aaa authentication login CONLogin group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Your input is highly appreciated and rated.

1 Accepted Solution

Try looking at the TACACS+ Administration report, rather than the Accounting report.

9 Replies

nspasov
Cisco Employee

Upgrade to 5.x :) Accounting is soooo much nicer. 

Sorry I cannot be much more help as I have not touched 3.x in a really long time. 

Thank you for rating helpful posts!

Hi Neno,

Thank you for your response.

Upgrading to version 5 requires a full-blown appliance purchase from Cisco, whereas our current version sits on our VM infrastructure.

Unless there is a version 5 that can be installed on a VM node; regardless, it should be able to do accounting for CLI users.

thanks

Absolutely! 5.x family of ACS can be installed in a virtual environment:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/installation/guide/csacs_book/csacs_vmware.html

Thank you for rating helpful posts! 

On the IOS configuration shown, you have command accounting for privilege level 15 commands, but not for level 1. Thus, commands that are executed at level 1 (for example "show clock") will not be sent to the accounting server.

Are you seeing level 15 commands sent to the accounting server?

Javier Henderson

Cisco Systems

Hi Javier,

Thank you very much for taking the time to reply to my post.

I tried both lines below as well, and I still don't see any of the used commands being recorded in the ACS server.


aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+

To be more precise, I copied all the lines below as well, and the switch accepted them without any issue, and yet I don't see the used commands being recorded in the ACS.

aaa authentication login default line
aaa authentication login VTYLogin group tacacs+ line
aaa authentication login CONLogin group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Thanks

Rizwan Rafeek.

Keep in mind that the configuration that you posted will only account commands executing at privilege level 15, for example "show running-config". On the other hand, any other priv level will not be accounted. For example, "show clock" executes at level 1, so it will not show up on ACS.

What report are you looking at on ACS?

Also, can you enable the following debugs, and paste the output when you try to execute commands?

debug tacacs

debug aaa accounting

Javier Henderson

Cisco Systems
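Javier's point above is that `aaa accounting commands <level>` only produces records for commands executing at that exact privilege level, so a configuration that accounts level 15 alone leaves level-1 commands such as "show clock" invisible to ACS. The following is an added example, not code from the thread or from Cisco: a small Python audit that reads an IOS-style AAA configuration, compares the privilege levels that have command authorization against those that have command accounting, and emits the missing `aaa accounting commands` lines. The sample configuration is a constructed copy of the 15 lines posted above; the function names (`command_levels`, `unaccounted_levels`, `suggested_fix`) are this example's own.

```python
"""Audit IOS-style AAA configuration for privilege levels whose commands are
authorized via TACACS+ but never accounted. Example code, not from the thread."""
import re
from typing import Dict, List, Set

# Constructed sample input: the 15-line configuration posted in the thread,
# which accounts commands at privilege level 15 only.
SAMPLE_CONFIG = """\
aaa authentication login default line
aaa authentication login VTYLogin group tacacs+ line
aaa authentication login CONLogin group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
"""

# "aaa authorization commands <level> <method-list> ..."
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+)")
# "aaa accounting commands <level> <method-list> <mode> ..."; IOS accounting
# modes are start-stop, stop-only, wait-start and none.
ACCT_RE = re.compile(
    r"^aaa accounting commands (\d+) (\S+) (start-stop|stop-only|wait-start|none)"
)


def command_levels(config: str) -> Dict[str, Dict[str, Set[int]]]:
    """Per method list, the privilege levels with command authorization and
    the levels with (non-'none') command accounting."""
    authz: Dict[str, Set[int]] = {}
    acct: Dict[str, Set[int]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTHZ_RE.match(line)
        if m:
            authz.setdefault(m.group(2), set()).add(int(m.group(1)))
            continue
        m = ACCT_RE.match(line)
        if m and m.group(3) != "none":
            acct.setdefault(m.group(2), set()).add(int(m.group(1)))
    return {"authorization": authz, "accounting": acct}


def unaccounted_levels(config: str, method_list: str = "default") -> List[int]:
    """Privilege levels whose commands are authorized through TACACS+ but whose
    execution generates no accounting record (e.g. level 1 for 'show clock')."""
    levels = command_levels(config)
    authz = levels["authorization"].get(method_list, set())
    acct = levels["accounting"].get(method_list, set())
    return sorted(authz - acct)


def suggested_fix(config: str, method_list: str = "default") -> List[str]:
    """IOS lines that close each gap, in the start-stop/TACACS+ style the
    posted configuration already uses for level 15."""
    return [
        f"aaa accounting commands {lvl} {method_list} start-stop group tacacs+"
        for lvl in unaccounted_levels(config, method_list)
    ]


if __name__ == "__main__":
    gaps = unaccounted_levels(SAMPLE_CONFIG)
    print("Authorized but unaccounted privilege levels:", gaps)
    for line in suggested_fix(SAMPLE_CONFIG):
        print(" ", line)
```

Running it against the sample reports levels 0, 1 and 4 as authorized but unaccounted, which is exactly why a level-1 "show clock" never reaches the ACS accounting log even though level-15 commands do. Note the thread's eventual resolution was separate from this: the commands that were being accounted were visible in ACS 3.3 under the TACACS+ Administration report rather than the Accounting report, so check the right report before changing the device configuration.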

rizwanr74
Level 7

Hi Javier,

Thank you for reply.

I have attached a screenshot from the ACS server; you can see that the very last column in the image is "CMD", and that column is empty, it does not display any of the commands used.

thanks.

Try looking at the TACACS+ Administration report, rather than the Accounting report.

rizwanr74
Level 7

Hi Javier,

You are right, thanks a million for your insight.

thanks,
