07-17-2014 07:33 AM - edited 03-10-2019 09:52 PM
Hi Guys,
I have the following 6 lines configured on our Cisco gear (switches, routers and ASA).
However, our ACS 3.3 does not seem to be capturing the commands used by CLI users.
aaa authentication login default group tacacs+ local
aaa authentication login VTYLogin group tacacs+ local
aaa authentication login CONLogin group tacacs+ local
aaa authentication enable default enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
These 13 lines of configuration I have on our ASA 8.2.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host x.x.x.19
 timeout 30
 key cxxxxxxxr
aaa-server RADIUS (inside) host x.x.x.20
 key cxxxxxxxr
aaa-server SDI protocol sdi
aaa-server SDI (inside) host x.x.x.64
aaa authentication ssh console RADIUS LOCAL
aaa authentication http console RADIUS
aaa authentication telnet console RADIUS LOCAL
aaa authentication secure-http-client
These 15 lines of configuration I have used before at another organisation that I worked at.
aaa authentication login default line
aaa authentication login VTYLogin group tacacs+ line
aaa authentication login CONLogin group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Your input is highly appreciated and rated.
07-17-2014 05:33 PM
Upgrade to 5.x :) Accounting is soooo much nicer.
Sorry I cannot be much more help as I have not touched 3.x in a really long time.
Thank you for rating helpful posts!
07-18-2014 09:17 AM
Hi Neno,
Thank you for your response.
Upgrading to version 5 requires purchasing a fully-blown appliance from Cisco, whereas our current version sits on our VM infrastructure.
Unless there is a version 5 that can be installed on a VM node. Regardless, it should be able to do accounting for CLI users.
thanks
07-18-2014 09:17 AM
Absolutely! The 5.x family of ACS can be installed in a virtual environment:
Thank you for rating helpful posts!
08-11-2014 06:42 AM
On the IOS configuration shown, you have command accounting for privilege level 15 commands, but not for level 1. Thus, commands that are executed at level 1 (for example "show clock") will not be sent to the accounting server.
Are you seeing level 15 commands sent to the accounting server?
Javier Henderson
Cisco Systems
08-14-2014 07:08 AM
Hi Javier,
Thank you very much for taking the time to reply to my post.
I tried both lines below as well, and I still don't see any of the commands used being recorded on the ACS server.
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
To be more precise, I copied all the lines below as well, and the switch accepted them without any issue, yet I don't see the commands used being recorded in the ACS.
aaa authentication login default line
aaa authentication login VTYLogin group tacacs+ line
aaa authentication login CONLogin group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Thanks
Rizwan Rafeek.
08-25-2014 06:34 PM
Keep in mind that the configuration that you posted will only account commands executing at privilege level 15, for example "show running-config". On the other hand, any other priv level will not be accounted. For example, "show clock" executes at level 1, so it will not show up on ACS.
What report are you looking at on ACS?
Also, can you enable the following debugs, and paste the output when you try to execute commands?
debug tacacs
debug aaa accounting
Javier Henderson
Cisco Systems
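The gap Javier points out in both of his replies (command authorization configured for levels 0, 1, 4 and 15, but command accounting only for level 15, so a level 1 command such as "show clock" never produces an accounting record) is easy to miss by eye in a long AAA block. The script below is an added example for this thread, not code from any of the posts: it scans an IOS-style configuration, pairs each "aaa authorization commands N" line with a matching "aaa accounting commands N" line, and lists the privilege levels that are authorized against TACACS+ but never accounted, together with the accounting lines that would close the gap. The sample input is the poster's 15-line snippet re-typed here; the parser is a line-based regex scan, not a full IOS configuration parser, and it assumes the "default" method list is the one applied to the VTY lines.

```python
"""Audit IOS-style AAA config for privilege levels that have command
authorization but no command accounting (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the poster's 15 IOS AAA lines, one per line.
SAMPLE_CONFIG = """\
aaa authentication login default line
aaa authentication login VTYLogin group tacacs+ line
aaa authentication login CONLogin group tacacs+ line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 4 default group tacacs+
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
"""

# "aaa authorization commands <level> <list-name> <methods...>"
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
# "aaa accounting commands <level> <list-name> <record-type> [methods...]"
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) (.+)$")


@dataclass
class AaaAudit:
    # privilege level -> authorization methods (e.g. ["group", "tacacs+"])
    authorized: dict = field(default_factory=dict)
    # privilege level -> accounting record type and methods
    accounted: dict = field(default_factory=dict)

    @property
    def has_command_accounting(self) -> bool:
        """True if any 'aaa accounting commands' line is present at all."""
        return bool(self.accounted)

    @property
    def unaccounted_levels(self) -> list:
        """Levels with command authorization but no command accounting line."""
        return sorted(lvl for lvl in self.authorized if lvl not in self.accounted)

    def suggested_lines(self, server_group: str = "tacacs+") -> list:
        """Accounting lines that would cover every unaccounted level."""
        return [
            f"aaa accounting commands {lvl} default start-stop group {server_group}"
            for lvl in self.unaccounted_levels
        ]


def parse_aaa(config: str, list_name: str = "default") -> AaaAudit:
    """Scan config text line by line; only the named method list is considered."""
    audit = AaaAudit()
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTHZ_RE.match(line)
        if m and m.group(2) == list_name:
            audit.authorized[int(m.group(1))] = m.group(3).split()
            continue
        m = ACCT_RE.match(line)
        if m and m.group(2) == list_name:
            audit.accounted[int(m.group(1))] = m.group(3).split()
    return audit


if __name__ == "__main__":
    result = parse_aaa(SAMPLE_CONFIG)
    print("authorized levels :", sorted(result.authorized))
    print("accounted levels  :", sorted(result.accounted))
    print("missing accounting:", result.unaccounted_levels)
    for fix in result.suggested_lines():
        print("  add:", fix)
```

Run against the poster's snippet it reports levels 0, 1 and 4 as authorized but unaccounted and prints the three "aaa accounting commands" lines to add. Run against the first 6-line configuration in the thread it reports no command accounting at all, which is the original symptom: "aaa accounting exec" alone only records session start and stop, never individual commands. Note that accounting is still sent only if the TACACS+ server is reachable and the session authenticated through it; the "debug tacacs" and "debug aaa accounting" output Javier asks for is the way to confirm the records are actually leaving the switch.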
08-26-2014 07:07 AM
Try looking at the TACACS+ Administration report, rather than the Accounting report.
08-26-2014 07:23 AM
Hi Javier,
You are right, thanks a million for your insight.
thanks,