Cisco Secure ACS

josephn
Level 1

Hi,

I would like to know whether there is a way to perform an audit trail for the network devices (router/switch) using Cisco Secure ACS. At the moment, the ACS only provides information on who logged into the network and from where, but there is no detailed information about the commands issued on the router or switch. Is there something that needs to be configured on the ACS and also on the router and switch in order to have full details of the commands configured on the network devices in the ACS logs?

5 Replies

a.kiprawih
Level 7

Hi,

Cisco ACS can actually provide accounting on commands executed by the admin/operator whenever they access routers and switches.

There are 2 parts that need to be done:

1. Configure ACS Server:

- add router/switch as AAA Client in ACS (http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a54.html#wp597030)

- you need to provide the hostname, IP address and secret key shared between ACS and the AAA client; use TACACS+ as the mandatory authentication protocol.

- In your existing groups and user IDs, you can maintain the database that users are authenticated against.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a5c.html

2. Configure Router/Switch

- enable aaa (see http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a0080577bde.html for example)

- configure/add ACS server as tacacs-server. Use same secret key applied in ACS when adding the device as AAA Client.

- (optional) - define tacacs "ip tacacs source-interface"

But I assume you already configured your router/switch with AAA, just with no auditing of the commands executed by the operator/admin.

What you need to add is the "aaa accounting" parameter:

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

Rgds,

AK
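The following is an added example, not part of AK's reply or of Cisco's documentation, that puts AK's two steps together as a complete IOS configuration on the device side. The server address 192.0.2.10, the shared secret, the Loopback0 source interface and the local username are placeholders and must be replaced with your own values; the ACS side (adding the device as an AAA Client with the same key) is done in the ACS GUI as AK describes.

```ios
! Added example (not from the original post). Placeholders:
! 192.0.2.10 = ACS server, EXAMPLE-SHARED-SECRET = key entered for
! the AAA Client in ACS, Loopback0 = management interface.
aaa new-model
!
! ACS server as tacacs-server. The key must match the AAA Client
! entry in ACS exactly (legacy syntax; newer IOS releases use a
! "tacacs server NAME" block with "address ipv4" and "key").
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-SHARED-SECRET
!
! Source all TACACS+ packets from one interface so the source IP
! seen by ACS is the address configured for the AAA Client.
ip tacacs source-interface Loopback0
!
! Authentication and authorization against ACS, falling back to
! the local database only if no ACS server answers.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting. Command accounting is per privilege level, so a
! "commands 15" line alone misses anything typed at level 1;
! add a line for every level your operators actually use.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
! Local fallback account for when ACS is unreachable.
username admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
```

Two things worth checking after applying this: the IP address ACS sees must be the one configured for the AAA Client (which is why the source-interface line is not really optional when the device has several addresses), and `show running-config | include aaa` should list every accounting line above, because a missing `commands` level simply produces no record for that level rather than an error.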

Hi AK,

I had tested it just now and it's working fine. Thank you so much for your help.

regards,

Joseph

Hi

Generating the logs is of course only the start of the story.

To do something meaningful with it you need an application like aaa-reports! We're totally focused on AAA and have a free trial for download:

www.extraxi.com/requesttrial.htm

Regards

Darran

I think the 'aaa accounting' part is what you really need for auditing purposes.

Please rate all useful post(s).

Rgds,

AK

Let's be clear: having aaa accounting enabled provides the raw data for audit.

It doesn't tick the "audit.. job done" box.

When you have a quarter's worth of logs and need to know who did what to a specific device on a given day on a given interface because an external auditor is asking, you'll be grateful for giving aaa-reports! a try.
