Cisco Support Community
New Member

TACACS Accounting

I have implemented a Cisco Secure ACS with the TACACS protocol. We have network connectivity issues, and whenever that happens TACACS falls back to the local database. Is there any way to enable capturing of the commands executed when ACS goes offline? Maybe when ACS comes back those commands (accounting) can be sent to it by the device itself.

My requirement may seem weird. But I strongly believe everything is possible with Cisco :)

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: TACACS Accounting

What you are asking for is to have the IOS T+ client cache the commands and then forward them to the ACS once the T+ client can once again communicate with ACS. Yes? Per IOS T+ controls, no, this is not available. The T+ connection will fail and fall back to either another T+ server or stop sending accounting records.

The only solution here is to have two ACS servers online and have the T+ fall back to the secondary ACS in the event of loss of connection to the primary. Then, have both ACSes forward the accounting records to a third server, either ACS or syslog. This assumes, of course, that the T+ client doesn't lose connectivity to both ACSes.
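The two-server design described in this answer, as an added IOS configuration example (not from the thread or from Cisco's documentation for this thread). Server names, addresses and the shared secret are placeholders; the forwarding of accounting records from both ACSes to a third ACS or syslog server is configured on the ACS side and is not part of this fragment.

```ios
! Added example: IOS AAA with two TACACS+ servers in one server group.
! Server names, addresses and the key are placeholders for this example.
aaa new-model
!
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
 timeout 5
!
tacacs server ACS-SECONDARY
 address ipv4 192.0.2.11
 key PLACEHOLDER-SHARED-SECRET
 timeout 5
!
! Servers are tried in the order listed: the secondary is used only when
! the primary does not answer within its timeout.
aaa group server tacacs+ ACS-GROUP
 server name ACS-PRIMARY
 server name ACS-SECONDARY
!
! Authentication and authorization fall back to the local database only
! when no server in the group answers. Accounting has no local target, so
! commands run while both ACSes are unreachable produce no records at all.
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
```

Compared with a single `tacacs server` entry, the difference is only the second server and the group; the accounting method list itself is unchanged. `show tacacs` on the device shows per-server success and failure counters, which is the quickest way to confirm that records are reaching the secondary during an outage of the primary.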

6 REPLIES
Hall of Fame Super Silver

Re: TACACS Accounting

Aneesh

It is true that we can do very many things with Cisco. But I am not aware of any way to have accounting records sent to ACS after connectivity is restored for commands issued while there was a loss of connectivity.

HTH

Rick


New Member

Re: TACACS Accounting

Thanks Rick & Jeff for your valuable suggestions. I would explore the option of having a secondary ACS server.

Silver

Re: TACACS Accounting

If AAA accounting is what you're concerned with, why even bother purchasing a secondary ACS server? You can use a freeware tacacs+ server running on either Linux or Solaris. I use it in my enterprise environment and it is a very stable application.

In the era of IT budget cuts, this is a very attractive solution.

my 2c.

New Member

Re: TACACS Accounting

Can I use ODBC logging from the primary and secondary ACS to a unique remote database?

Now I'm using a local database on the primary server only, so when it fails I am not able to log any entry.

Thanks.

Regards.

Andrea.

Silver

Re: TACACS Accounting

Hi Andrea

I would not recommend ODBC logging as execution threads inside ACS become blocked while the data is logged into the remote database.

If your ACS server is under load this can cause incoming requests to be dropped.

Have you considered logging locally (just to CSV) and then using a tool such as our csvsync? csvsync uses nothing but http(s) to collect logs from any number of ACS servers and supports multiple versions and platforms.

If you need the logs in a database, our aaa-reports! enterprise product uses built-in SQL Server databases and has web reporting.

http://www.extraxi.com/aaare.htm
