
Accounting on ACS 3.3, doesn't seem to be working.

Hi Guys,

I have following 6 lines configured on our Cisco gears, switches, router & ASA.

However our ACS 3.3 ver does not seems to be capturing commands used by CLI users.

aaa authentication login default group tacacs+ local
aaa authentication login VTYLogin group tacacs+ local
aaa authentication login CONLogin group tacacs+ local
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+

These are the 13 lines of configuration I have on our ASA 8.2:

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host x.x.x.19
 timeout 30
 key cxxxxxxxr
aaa-server RADIUS (inside) host x.x.x.20
 key cxxxxxxxr
aaa-server SDI protocol sdi
aaa-server SDI (inside) host x.x.x.64
aaa authentication ssh console RADIUS LOCAL
aaa authentication http console RADIUS
aaa authentication telnet console RADIUS LOCAL
aaa authentication secure-http-client

These 15 lines of configuration I have used before at another organisation that I have worked at:

aaa authentication login default line
aaa authentication login VTYLogin group tacacs+ line
aaa authentication login CONLogin group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Your input is highly appreciated and rated.

1 ACCEPTED SOLUTION

Cisco Employee
Try looking at the TACACS+ Administration report, rather than the Accounting report.

9 REPLIES
Cisco Employee

Upgrade to 5.x :) Accounting is soooo much nicer. 

Sorry I cannot be of much more help, as I have not touched 3.x in a really long time.

 

Thank you for rating helpful posts!

Hi Neno,

 

Thank you for your response.

Upgrading to version 5 requires a full-blown appliance purchase from Cisco, whereas our current version sits on our VM infrastructure.

Unless there is a version 5 that can be installed on a VM node; regardless, it should be able to do accounting for CLI users.

thanks

Cisco Employee

Absolutely! 5.x family of ACS can be installed in a virtual environment:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/installation/guide/csacs_book/csacs_vmware.html

 

Thank you for rating helpful posts! 

Cisco Employee

On the IOS configuration shown, you have command accounting for privilege level 15 commands, but not for level 1. Thus, commands that are executed at level 1 (for example "show clock") will not be sent to the accounting server.

Are you seeing level 15 commands sent to the accounting server?

 

Javier Henderson

Cisco Systems

Hi Javier,

 

Thank you very much for taking the time to reply to my post.

I tried both lines below as well, and I still don't see any used commands being recorded in the ACS server.

 

aaa authorization commands 15 default group tacacs+ if-authenticated 

aaa accounting commands 15 default start-stop group tacacs+

 

To be more precise, I copied all the lines below as well, and the switch accepted them without any issue, and yet I don't see used commands being recorded in the ACS.

aaa authentication login default line
aaa authentication login VTYLogin group tacacs+ line
aaa authentication login CONLogin group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Thanks

Rizwan Rafeek.

Cisco Employee

Keep in mind that the configuration that you posted will only account commands executing at privilege level 15, for example "show running-config". On the other hand, any other priv level will not be accounted. For example, "show clock" executes at level 1, so it will not show up on ACS.

What report are you looking at on ACS?

Also, can you enable the following debugs, and paste the output when you try to execute commands?

debug tacacs

debug aaa accounting

 

Javier Henderson

Cisco Systems
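Javier's point above, that an `aaa accounting commands <level>` statement only records commands executed at that one privilege level, can be checked mechanically against a config dump. The Python script below is an added example, not code from the thread or from Cisco: it parses IOS-style `aaa authorization commands` and `aaa accounting commands` lines and reports privilege levels that are authorized through TACACS+ but never accounted, plus whether exec accounting is present. The two embedded config samples are the poster's six-line and fifteen-line IOS configs from this thread; the ASA config is deliberately not covered, since the ASA uses a different accounting syntax.

```python
"""Audit IOS-style AAA configuration for command-accounting gaps.

Added example (not from the thread). The thread's point: with only
`aaa accounting commands 15 ...` configured, a level-1 command such as
`show clock` is never sent to the TACACS+ accounting server.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the original poster's six-line IOS config (no command accounting at all).
SIX_LINE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authentication login VTYLogin group tacacs+ local
aaa authentication login CONLogin group tacacs+ local
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
"""

# Constructed sample: the fifteen-line IOS config (command accounting only at level 15).
FIFTEEN_LINE_CONFIG = """\
aaa authentication login default line
aaa authentication login VTYLogin group tacacs+ line
aaa authentication login CONLogin group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
"""

# IOS grammar: "aaa authorization commands <level> <list> ..." and
# "aaa accounting commands <level> <list> <start-stop|stop-only|wait-start|none> ..."
AUTHZ_CMD = re.compile(r"^aaa authorization commands (\d+) (\S+) ")
ACCT_CMD = re.compile(r"^aaa accounting commands (\d+) (\S+) (start-stop|stop-only|wait-start|none)\b")
ACCT_EXEC = re.compile(r"^aaa accounting exec (\S+) (start-stop|stop-only|wait-start|none)\b")


@dataclass
class AaaAudit:
    authorized_levels: set = field(default_factory=set)  # levels with TACACS+ command authorization
    accounted_levels: set = field(default_factory=set)   # levels whose commands are sent to accounting
    exec_accounting: bool = False                        # login/logout (exec) accounting present

    def unaccounted_levels(self) -> list:
        """Privilege levels whose commands are authorized but never accounted."""
        return sorted(self.authorized_levels - self.accounted_levels)

    def findings(self) -> list:
        """Human-readable gaps, in a stable order."""
        out = []
        if not self.exec_accounting:
            out.append("no exec accounting: logins and logouts will not be recorded")
        if not self.accounted_levels:
            out.append("no command accounting at any privilege level")
        for lvl in self.unaccounted_levels():
            out.append(f"commands at privilege level {lvl} are authorized but not accounted")
        if 1 not in self.authorized_levels and 1 not in self.accounted_levels:
            out.append("level-1 commands (for example 'show clock') will not reach the accounting server")
        return out


def audit_aaa(config: str) -> AaaAudit:
    """Parse an IOS config snippet and collect the AAA command-accounting picture."""
    audit = AaaAudit()
    for raw in config.splitlines():
        line = raw.strip()
        if m := AUTHZ_CMD.match(line):
            audit.authorized_levels.add(int(m.group(1)))
        elif m := ACCT_CMD.match(line):
            if m.group(3) != "none":  # "none" explicitly disables accounting for that level
                audit.accounted_levels.add(int(m.group(1)))
        elif ACCT_EXEC.match(line):
            audit.exec_accounting = True
    return audit


if __name__ == "__main__":
    for name, cfg in (("six-line config", SIX_LINE_CONFIG), ("fifteen-line config", FIFTEEN_LINE_CONFIG)):
        result = audit_aaa(cfg)
        print(f"== {name}: accounted levels {sorted(result.accounted_levels)}")
        for f in result.findings():
            print("  -", f)
```

Run it as-is to see both of the poster's configs audited; on a real device, paste the output of `show running-config | include ^aaa` into the string instead. The check deliberately treats `aaa accounting commands <level> default none` as no accounting for that level, and it is intentionally IOS-only.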

Hi Javier,

 

Thank you for reply.

I have attached a screenshot from the ACS server; you can see the very last column in the image is "CMD", and that column is empty and does not display any commands used.

thanks.

 

Hi Javier,

You are right, thanks a million for your insight.

thanks,
