Cisco Support Community
Community Member

Keystroke logging

Using ACS and tacacs+ can I record the keystrokes users type when they enter commands on a device such as a router or switch?

1 ACCEPTED SOLUTION

Community Member

Re: Keystroke logging

Yes, you can record whatever commands a user has run on the Cisco IOS box. For this you first need to configure command authorization on the IOS device along with accounting. Below are the commands that you need.

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 0 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

! command accounting needs a record type (start-stop here) before the method

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

! <shared-secret> is a placeholder for the key configured for this device in ACS

tacacs-server host x.x.x.x key <shared-secret>

We also need to configure command authorization on the ACS server using the link below (note: this link shows a sample configuration of ACS using PIX, but you can configure IOS devices similarly).

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd7cb.html

Once we have configured the ACS and the IOS devices, you can check the commands run by users in ACS by going to Reports & Activities > Tacacs admin logs.
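An added example, not part of the original answer or any Cisco tooling: a small check to run over a config template before it is pushed, reporting privilege levels 0, 1 and 15 that would go unauthorized or unlogged. The function name, the FALLBACKS set (assumed to be the only fallback methods in use) and the sample template are constructed for illustration.

```python
import re

LEVELS = (0, 1, 15)                                # privilege levels the answer covers
RECORD_TYPES = {"start-stop", "stop-only"}         # accounting record types accepted here
FALLBACKS = {"local", "none", "if-authenticated"}  # assumption: only fallbacks in use

# Constructed sample template, seeded with mistakes (not from a real device).
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-autheticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default group tacacs+
"""

LINE_RE = re.compile(r"aaa (authorization|accounting) (exec|commands (\d+)) default\s*(.*)$")

def audit_aaa(config, levels=LEVELS):
    """Return findings for the default AAA method lists in an IOS config template."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = [] if "aaa new-model" in lines else ["aaa new-model is missing"]
    present = set()
    for ln in lines:
        m = LINE_RE.match(ln)
        if not m:
            continue
        kind, what, level, rest = m.groups()
        words = rest.split()
        if level is not None:
            present.add((kind, int(level)))
        if kind == "accounting":
            # Accounting lines carry a record type before the method list.
            if not words or words[0] not in RECORD_TYPES:
                findings.append(f"{kind} {what}: no start-stop/stop-only record type")
                continue
            words = words[1:]
        if words[:2] != ["group", "tacacs+"]:
            findings.append(f"{kind} {what}: first method is not 'group tacacs+'")
        for w in words[2:]:
            if w not in FALLBACKS:
                findings.append(f"{kind} {what}: unknown keyword '{w}'")
    for kind in ("authorization", "accounting"):
        for level in levels:
            if (kind, level) not in present:
                findings.append(f"{kind} commands {level}: no method list")
    return findings
```

Calling `audit_aaa(SAMPLE)` reports the misspelled fallback keyword, the accounting line without a record type, and the missing level 0 lines.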
