Cisco Support Community

ACS 5.3 Tacacs Authorization logs

Hi All,

Has anyone noticed the TACACS authorization logs when you change the password for a user? In the authorization logs I can see the new password, but I cannot see the same in the accounting logs. Is this normal behaviour, or do we need to do something to hide the password in the authorization logs?

For example, if I type the command username xyz priv 15 secret cisco 123

I see this command in the accounting logs as username xyz priv 15 secret ***, whereas in the TACACS authorization logs it shows

username xyz priv 15 secret cisco 123

Any clue?


ACS 5.3 Tacacs Authorization logs

Hello Jain,

I would say that you are facing normal behavior. The IOS needs to send the Authorization request including the command arguments for the ACS to authorize them.

We need to be able to see the "password" argument on the ACS side in order for it to authorize it. Imagine the following:

The ACS is configured to allow a restricted user to create a local account with password "cisco" only. The following command would be executed on the IOS side:

username restricted privilege 1 password cisco

On the ACS side we create a Command Set that only allows the creation of the "restricted" user with password "cisco" and not any other password value. The ACS needs to be able to read that value; therefore, it should be in clear text on the ACS side. If the restricted user tries to create another account with password "cisco123", or something else other than "cisco", which is the allowed value, the ACS will reject it.

For accounting there is no need to know the password. That being said, the accounting request will be logged with ***** instead of the real password.

Hope this clarifies it, as you are facing normal behavior.
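
Because the authorization request has to carry the argument in clear text, one mitigation is to mask it whenever authorization records are exported or forwarded off the ACS. The sketch below is an added example, not part of the original thread and not an ACS feature: it masks the credential both in cmd/cmd-arg attribute pairs (the form a TACACS+ authorization request uses) and in flattened log text, and it also covers "enable secret/password", which goes beyond the thread's commands. The function names and the sample log layout are assumptions made for illustration.

```python
import re

MASK = "***"
SECRET_KEYWORDS = {"secret", "password"}   # keywords from the thread's commands
CRED_COMMANDS = {"username", "enable"}     # "enable" is an added generalization

# Flattened text: mask from the keyword to end of line (command assumed last field).
_FLAT_RE = re.compile(
    r"(?i)\b((?:username\s+\S+|enable)\b.*?\s(?:secret|password))\s+(.+?)(\s*<cr>)?\s*$"
)

def mask_text(line):
    """Return (masked_line, found) for one exported log line."""
    m = _FLAT_RE.search(line)
    if not m:
        return line, False
    return line[:m.start()] + m.group(1) + " " + MASK + (m.group(3) or ""), True

def mask_av_pairs(pairs):
    """Mask cmd-arg values after a secret/password keyword in (attr, value) pairs."""
    out, cmd, seen_args, masking = [], None, 0, False
    for attr, value in pairs:
        if attr == "cmd":
            cmd, seen_args, masking = value.lower(), 0, False
        elif attr == "cmd-arg" and cmd in CRED_COMMANDS:
            seen_args += 1
            is_name = cmd == "username" and seen_args == 1  # the account name
            if masking and value != "<cr>":
                value = MASK
            elif not is_name and value.lower() in SECRET_KEYWORDS:
                masking = True
        out.append((attr, value))
    return out

def scrub(lines):
    """Return (scrubbed_lines, line_numbers_that_held_a_credential)."""
    scrubbed, exposed = [], []
    for n, line in enumerate(lines, 1):
        masked, found = mask_text(line)
        scrubbed.append(masked)
        if found:
            exposed.append(n)
    return scrubbed, exposed

# Constructed sample lines; the field layout is hypothetical, not ACS's format.
SAMPLE = [
    "10:01:07 user=jain authz cmd=show running-config <cr>",
    "10:02:11 user=jain authz cmd=username xyz priv 15 secret cisco 123 <cr>",
]
```

The line numbers returned by scrub() identify which records held a credential, which is the list to work from when deciding which local passwords to rotate.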