02-06-2007 12:40 PM - edited 03-10-2019 02:58 PM
Good day all,
I just finished installing a brand new server with ACS 4.1.
When this new ACS 4.1 installation is approved, I will retire my old server that has ACS 3.1.
At this point the only problem that I have with ACS 4.1 is with accounting.
For example:
I used a test-router with all the necessary config pointing to my old ACS 3.1. Everything is working fine (authentication and accounting). If I enter a command on the test-router it is logged on the ACS 3.1.
Now, if I modify the test-router to point to the new ACS 4.1, the ACS 4.1 will authenticate the test-router properly, but will not log any command I enter in the test-router. I did a capture between the test-router and ACS 4.1 and the test-router is sending accounting statements to ACS 4.1.
There is a lot of different config from ACS 3.1 to 4.1, but as far as I can see the config on both ACS is as similar as possible.
Is there anybody out there that was able to have ACS 4.1 to process accounting properly?
Any idea will help.
Thanks
Frank
Here is my config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO-AUTH none
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 start-stop group tacacs+
aaa authorization commands 15 start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs
!
tacacs-server host 192.168.100.16 key *******
(the above command is the only command that I change for pointing to ACS 3.1 or ACS 4.1)
tacacs-server directed-request
02-07-2007 12:02 AM
Do you know if the accounting is definitely arriving at the 4.1 server?
If you don't have a sniffer and you have the SW ACS you can do this:
>net stop cstacacs
>cstacacs -z -e
You'll see all the T+ packets dumped to the command prompt window. If stuff is arriving you know it has to be an ACS issue - most likely config.
Darran
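Added example, not part of the thread and not Cisco tooling: if you do have a capture, the 12-byte TACACS+ header is sent in cleartext even though the body is obfuscated with the shared key, so the packet type and direction can be counted without knowing the key. The function names are hypothetical, the header layout is taken from RFC 8907, and the sample stream is constructed.

```python
import struct
from collections import Counter

# TACACS+ header (RFC 8907): 12 bytes, always sent in cleartext.
HEADER = struct.Struct("!BBBBII")
TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}
UNENCRYPTED_FLAG = 0x01

def parse_header(data):
    """Decode one 12-byte TACACS+ header from the start of `data`."""
    if len(data) < HEADER.size:
        raise ValueError("need 12 bytes for a TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    if version >> 4 != 0xC:
        raise ValueError("not TACACS+ (major version nibble is not 0xC)")
    return {
        "type": TYPES.get(ptype, "unknown(%d)" % ptype),
        "seq_no": seq_no,
        "from_client": seq_no % 2 == 1,  # clients send odd sequence numbers
        "obfuscated": not flags & UNENCRYPTED_FLAG,
        "session_id": session_id,
        "body_length": length,
    }

def summarize(stream):
    """Walk a reassembled TCP/49 byte stream; count packets per (type, sender)."""
    counts, offset = Counter(), 0
    while offset < len(stream):
        hdr = parse_header(stream[offset:])
        sender = "client" if hdr["from_client"] else "server"
        counts[(hdr["type"], sender)] += 1
        offset += HEADER.size + hdr["body_length"]
    return counts

def _packet(ptype, seq_no, session_id, body):
    # Constructed sample packet: version 0xC0, flags 0, opaque filler body.
    return HEADER.pack(0xC0, ptype, seq_no, 0, session_id, len(body)) + body

# Constructed stream: one authorization exchange, then an accounting request
# with no server reply present in the stream.
SAMPLE = (_packet(2, 1, 0x1111, b"\x00" * 20) + _packet(2, 2, 0x1111, b"\x00" * 6)
          + _packet(3, 1, 0x2222, b"\x00" * 30))

if __name__ == "__main__":
    for (ptype, sender), n in sorted(summarize(SAMPLE).items()):
        print(f"{ptype:15} from {sender}: {n}")
```

Accounting packets counted from the client with none counted from the server means the requests reach the wire but are not being answered, which points at the server side rather than the router config.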
02-07-2007 03:19 AM
ACS 4.1.1.23 build has a bug on TACACS command accounting. The patch for this has been released and is available on CCO.
02-07-2007 05:15 AM
Good day,
If possible, could you please put the link for this patch? I cannot find it in CCO.
Thanks
Frank.
02-07-2007 10:31 AM
Please use the following link. There is a 4.1 accumulative patch which contains the bug fix.
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Don't forget to download the readme text file also.
Rate me if this helps.