Silver

Sending AAA accounting log records to multiple AAA servers

IOS version c3640-a3jk9s-mz.123-18.bin

aaa group server tacacs+ cciesec
 server 192.168.3.10
!
aaa group server tacacs+ ccievoice
 server 192.168.3.11
aaa authentication login VTY group cciesec local
aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 0 cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 1 cciesec start-stop broadcast group cciesec group ccievoice
aaa accounting commands 15 cciesec start-stop broadcast group cciesec group ccievoice
tacacs-server host 192.168.3.10 key 123456
tacacs-server host 192.168.3.11 key 123456

C3640#sh tacacs
Tacacs+ Server : 192.168.3.10/49
Socket opens: 8
Socket closes: 8
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 21
Total Packets Recv: 21
Tacacs+ Server : 192.168.3.11/49
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 0
Total Packets Recv: 0
C3640#

As you can see, I can receive AAA accounting logs on server 192.168.3.10 but I am not getting logs on 192.168.3.11. I can confirm this with tcpdump on host 192.168.3.11, and I am not seeing any AAA sent to host 192.168.3.11.

Anyone know why?
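The check described in the post above can be automated. This is an added example, not part of the original thread: it reads the server groups named on each `broadcast` accounting line and flags any of their servers whose `Total Packets Sent` counter in `show tacacs` is zero. The function names and the trimmed sample text are assumptions constructed for illustration.

```python
import re
# Constructed sample input, modelled on the configuration and output in the post.
CONFIG = """\
aaa group server tacacs+ cciesec
 server 192.168.3.10
!
aaa group server tacacs+ ccievoice
 server 192.168.3.11
aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
"""
SHOW_TACACS = """\
Tacacs+ Server : 192.168.3.10/49
Total Packets Sent: 21
Tacacs+ Server : 192.168.3.11/49
Total Packets Sent: 0
"""

def group_servers(config):
    """Map each 'aaa group server tacacs+' name to its server IPs."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and (s := re.match(r"\s*server (\S+)", line)):
            current.append(s.group(1))
        elif line.strip():  # any other non-blank line ends the group block
            current = None
    return groups

def broadcast_servers(config):
    """Servers that the 'broadcast' accounting method lists should reach."""
    groups, expected = group_servers(config), set()
    for line in config.splitlines():
        if line.startswith("aaa accounting") and " broadcast " in line:
            for name in re.findall(r"group (\S+)", line):
                expected.update(groups.get(name, []))
    return expected

def packets_sent(show_output):
    """Map server IP -> 'Total Packets Sent' counter from `show tacacs`."""
    pat = r"Tacacs\+ Server : (\S+)/\d+.*?Total Packets Sent:\s*(\d+)"
    return {ip: int(n) for ip, n in re.findall(pat, show_output, re.S)}

def silent_servers(config, show_output):
    """Broadcast targets the router has sent no packets to."""
    sent = packets_sent(show_output)
    return sorted(ip for ip in broadcast_servers(config) if not sent.get(ip))
```

The counters are per server and cover all TACACS+ traffic, so a non-zero value on a server that also handles authentication (192.168.3.10 here) does not by itself confirm accounting delivery; a zero value does show that nothing was sent.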

3 REPLIES
Hall of Fame Super Silver

Re: Sending AAA accounting log records to multiple AAA servers

David

I have not tested this and do not have authoritative knowledge of it. But usually when you configure multiple parameters in a method list they are used as backups for each other. So the second group would typically be used only if attempts to use the first group failed. The behavior that you describe is consistent with this, so I assume that this may be the explanation.

HTH

Rick

Silver

Re: Sending AAA accounting log records to multiple AAA servers

http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/dt_aaaba.html

It stated the following:

"Before the introduction of the AAA Broadcast Accounting feature, Cisco IOS AAA could send accounting information to only one server at a time. This feature allows accounting information to be sent to one or more AAA servers at the same time. Service providers are thus able to simultaneously send accounting information to their own private AAA servers and to the AAA servers of their end customers. This feature also provides redundant billing information for voice applications."

Hall of Fame Super Silver

Re: Sending AAA accounting log records to multiple AAA servers

David

This appears to be an interesting feature and one I was not familiar with.

If you change the order of groups in the accounting command and put ccievoice before cciesec, do the accounting records start going to the .11 server?

HTH

Rick
