I have configured an ASA running 7.2.3 code to do authentication, authorization, and accounting to an ACS server. The authentication and command shell authorization is working fine, but it seems that the accounting portion is not.
Previously I was running ACS 4.1.1 build 23 (unpatched) and I was getting accounting messages in the TACACS+ Accounting log which showed a user and a login but no commands. When I did a 'show aaa-server TACACS' from the ASA prompt it was showing Authorization requests and Accounting requests and incrementing accepts properly with no rejects, but nothing was showing up in the TACACS+ Accounting or TACACS+ Administration logs (i.e. when a command was executed).
I applied 4.1.1 build 23 (patch 5), which is supposed to fix a number of issues, but now any authorization request increments with an accept and any accounting request increments a reject. My ASA configuration is below:
aaa authentication telnet console LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting command TACACS
Here is a snippet of the 'show aaa-server TACACS' command:
Server status: ACTIVE, Last transaction at 10:12:27 EST Tue Feb 12 2008