Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

TACACS+ Accounting Question

Dear all,


I would like to know TACACS+ accounting option in cisco.

We deployed AAA machine which is Avenda in our operation network and able to capture accounting commands ONLY for valid commands. Does the TACACS+ also can capture invalid commands and send to Avenda (Our AAA machine) ?

Please help to clarify.

Everyone's tags (2)
3 ACCEPTED SOLUTIONS

Accepted Solutions

Re: TACACS+ Accounting Question

Hi,

This is something device specific. In case of IOS it forwards only valid commands to tacacs server. Example- If we issue command "show user" it will log it and if we issue command "show dog" it will not be logged.

Hope that helps!

Regards,

~JG

Do rate helpful posts

TACACS+ Accounting Question

JG:
Thanks for the info. I didn't know that unknown commands are not being logged with IOS.

Useful info though.

Thanks.

Amjad

You want to say "Thank you"?
Don't. Just rate the useful answers,
that is more useful than "Thank you".

Rating useful replies is more useful than saying "Thank you"

Re: TACACS+ Accounting Question

No, if the command is invalid it will not be authorized so no accounting will be performed. Keep in mind that accounting is the step that is performed after authorization. If a command is not authorized then accounting can not take place.

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*
7 REPLIES

Re: TACACS+ Accounting Question

Hi,

This is something device specific. In case of IOS it forwards only valid commands to tacacs server. Example- If we issue command "show user" it will log it and if we issue command "show dog" it will not be logged.

Hope that helps!

Regards,

~JG

Do rate helpful posts

TACACS+ Accounting Question

JG:
Thanks for the info. I didn't know that unknown commands are not being logged with IOS.

Useful info though.

Thanks.

Amjad

You want to say "Thank you"?
Don't. Just rate the useful answers,
that is more useful than "Thank you".

Rating useful replies is more useful than saying "Thank you"
New Member

TACACS+ Accounting Question

Hi Jagdeep,

Thanks for the useful info. Understood that the IOS version does not sent invalid command. Can i know how about the IOS-XR? Because we are using that particular as well.

Thanks

TACACS+ Accounting Question

Ios-xr is a little different, the software will see which task group the user is mapped to. If the command falls under the task umbrella of the user then accounting will be permitted. Also this works the same for command authorization.

Tarik Admani *Please rate helpful posts*
New Member

TACACS+ Accounting Question

Hi Thanks, but does it captured the invalid commands and send to accounting AAA server?

Re: TACACS+ Accounting Question

No, if the command is invalid it will not be authorized so no accounting will be performed. Keep in mind that accounting is the step that is performed after authorization. If a command is not authorized then accounting can not take place.

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*
New Member

Re: TACACS+ Accounting Question

Excellent therothical reply! Great man!

502
Views
10
Helpful
7
Replies