Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

acs-5.3.0.40-B.839

i am facing difficulty to understand the meaninig of attribute value pair which i found in TACAS AAA authentication log.i came to know about the format used in the log file but attribute=value pairs are not much clear to me.i try to search on them but i was able to find some of them not all in tne acs dictionary.if anyone is having enough information on them pls let me know.here are some of the attributes

device ip address= a.b.c.d

user name=xyz

protocol=TACACS

Request latency=0

Network device Name=lab router

Type=Authentication

Action=login

privilege-level=1

Authen-type=ASCII

Service=login

User=xyz

port=tty6

Remote address=v.x.y.z

Username=xyz

Acs Sessionid=

AuthenticationIdentityStore=Internal users

Authentication method=PAP_ASCII

Selected Acess service=Default Device Admin

Selected shell profile=Enable

Identity group=All groups:zales_admin_user

i have attached the log file in which first line corressponds to authentication log.

thanks,

saurabh sharma

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions

acs-5.3.0.40-B.839

Hi,

device ip address= a.b.c.d ip address of the network device that the user is requesting access to

user name=xyz username of the authentication request

protocol=TACACS The tacacs protocol

Request latency=0 latency based on the timestamp of the authentication event, and when it arrived to ACS

Network device Name=lab router Name that was configured in ACS

Type=Authentication User is requesting to authenticate

Action=login User is logging into the device

privilege-level=1 Current priv level of the authentication

Authen-type=ASCII Using PAP ascii for authentication (typical for tacacs)

Service=login Service type is login

User=xyz This is the username

port=tty6 port that the user is connected to

Remote address=v.x.y.z This is the ip address of the user work station

Username=xyz Username again

Acs Sessionid= This is usually seen in radius requests, not needed for tacacs

AuthenticationIdentityStore=Internal users The identity store that ACS used to authenticate the end user

Authentication method=PAP_ASCII PAP/ASCII for the authentication protocol (common for TACACS)

Selected Acess service=Default Device Admin This is the service selection rule matched in ACS

Selected shell profile=Enable This is the shell profile configured in ACS that the user matched against

Identity group=All groups:zales_admin_user This is the identity group that the user matched.

As you can see ACS uses a combination of the tacacs av/pairs along with its own internal attributes that you can assign to the end user in order to make decisions. You can combine attributes such as identity group of the user and the remote address to lock down a group of users from authentication to devices from a particular workstation...for example.

Let me know if that helps you.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
4 REPLIES

acs-5.3.0.40-B.839

Hi,

device ip address= a.b.c.d ip address of the network device that the user is requesting access to

user name=xyz username of the authentication request

protocol=TACACS The tacacs protocol

Request latency=0 latency based on the timestamp of the authentication event, and when it arrived to ACS

Network device Name=lab router Name that was configured in ACS

Type=Authentication User is requesting to authenticate

Action=login User is logging into the device

privilege-level=1 Current priv level of the authentication

Authen-type=ASCII Using PAP ascii for authentication (typical for tacacs)

Service=login Service type is login

User=xyz This is the username

port=tty6 port that the user is connected to

Remote address=v.x.y.z This is the ip address of the user work station

Username=xyz Username again

Acs Sessionid= This is usually seen in radius requests, not needed for tacacs

AuthenticationIdentityStore=Internal users The identity store that ACS used to authenticate the end user

Authentication method=PAP_ASCII PAP/ASCII for the authentication protocol (common for TACACS)

Selected Acess service=Default Device Admin This is the service selection rule matched in ACS

Selected shell profile=Enable This is the shell profile configured in ACS that the user matched against

Identity group=All groups:zales_admin_user This is the identity group that the user matched.

As you can see ACS uses a combination of the tacacs av/pairs along with its own internal attributes that you can assign to the end user in order to make decisions. You can combine attributes such as identity group of the user and the remote address to lock down a group of users from authentication to devices from a particular workstation...for example.

Let me know if that helps you.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

acs-5.3.0.40-B.839

hi tarik,

thanks for ur reply

i want to know from where you got this information.Is there any documents releated to TACACS av/pairs and ACS own internal attributes.please mail me the docs on saurabh.saurabh015@gmail.com

i found some documents on TACACS av/pairs but the above attributes was not mentioned there.

i want the documents related to logging categories Authentication,TACACS + accounting,Administrative and operational audit.

i want to know about this line also....in AUthentication log

step=13005,step=15008,step=15004,....

what actually this sequence denotes and where i can find information on them?

Tarik Admani wrote:

Hi,

device ip address= a.b.c.d ip address of the network device that the user is requesting access to

user name=xyz username of the authentication request

protocol=TACACS The tacacs protocol

Request latency=0 latency based on the timestamp of the authentication event, and when it arrived to ACS

Network device Name=lab router Name that was configured in ACS

Type=Authentication User is requesting to authenticate

Action=login User is logging into the device

privilege-level=1 Current priv level of the authentication

Authen-type=ASCII Using PAP ascii for authentication (typical for tacacs)

Service=login Service type is login

User=xyz This is the username

port=tty6 port that the user is connected to

Remote address=v.x.y.z This is the ip address of the user work station

Username=xyz Username again

Acs Sessionid= This is usually seen in radius requests, not needed for tacacs

AuthenticationIdentityStore=Internal users The identity store that ACS used to authenticate the end user

Authentication method=PAP_ASCII PAP/ASCII for the authentication protocol (common for TACACS)

Selected Acess service=Default Device Admin This is the service selection rule matched in ACS

Selected shell profile=Enable This is the shell profile configured in ACS that the user matched against

Identity group=All groups:zales_admin_user This is the identity group that the user matched.

As you can see ACS uses a combination of the tacacs av/pairs along with its own internal attributes that you can assign to the end user in order to make decisions. You can combine attributes such as identity group of the user and the remote address to lock down a group of users from authentication to devices from a particular workstation...for example.

Let me know if that helps you.

Tarik Admani
*Please rate helpful posts*

thanks,

saurabh sharma

acs-5.3.0.40-B.839

Saurabh,

The steps are usually explained in the log as they are processed, if you look in the first column. If you are looking failure reasons you can check the Monitoring and Reports > Monitoring Configuratoin > Failed Reasons Editor, and that will give you a definition of all the failure messages.

Here is a pdf of the tacacs a/v pairs -

http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&ved=0CCUQFjAB&url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fnet_mgmt%2Fcisco_secure_access_control_server_for_solution_engine%2F3.3%2Fuser%2Fguide%2Fac.pdf&ei=IHg9UKC6KYKorAGH...

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

Re: acs-5.3.0.40-B.839

Hi Tarik

Thanks for the information given above.

Can you please give me logs of ACS 5.4 and logs for above all fields.?

Also please tell me that what are the A-V pairs available in ACS 5.4 ?

Please mail me all log files on my mail id : shaileshpawar1711@gmail.com.

Thanks in advance.

730
Views
0
Helpful
4
Replies
CreatePlease to create content