I have configured an ASA running 7.2.3 code to do authentication, authorization, and accounting to an ACS server. The authentication and command shell authorization is working fine, but it seems that the accounting portion is not.

Previously I was running ACS 4.1.1 build 23 (unpatched) and I was getting accounting messages in the TACACS+ Accounting log which showed a user and a login but no commands. When I did a 'show aaa-server TACACS' from the ASA prompt it was showing Auhtorization requests and Accounting requests and incrementing accepts properly with no rejects, but nothing was showing up in the TACACS+ Accounting or TACACS+ Administration logs (i.e. when a command was executed).

I applied 4.1.1 build 23 (patch 5) which is supposed to fix a number of issues but now I get any authorization request increments with a accept and any accounting request increments a reject. My ASA configuration is below:

aaa authentication telnet console LOCAL

aaa authentication ssh console TACACS LOCAL

aaa authentication enable console TACACS LOCAL

aaa authentication http console TACACS LOCAL

aaa authorization command TACACS LOCAL

aaa accounting enable console TACACS

aaa accounting command TACACS

Here is a snippet of the 'show aaa-server TACACS' command:

Server status: ACTIVE, Last transaction at 10:12:27 EST Tue Feb 12 2008

Number of pending requests 0

Average round trip time 20ms

Number of authentication requests 0

Number of authorization requests 16

Number of accounting requests 7

Number of retransmissions 0

Number of accepts 16

Number of rejects 7

Number of challenges 0

Number of malformed responses 0

Number of bad authenticators 0

Number of timeouts 0

Number of unrecognized responses 0

Any ideas?