TACACS + Command Logging Problems

Jkloza_2
Level 1

All,

Working on a problem that I'm having getting command logging set up for my switch / router infrastructure.  Below is my config. Authentication is working, both console & SSH.  Authorization is also working.  Some of my accounting features are working, like successful TACACS+ logins, but all my command logging features are not working properly.

I'm currently running ACS V4.1.  Also, what is the difference between using named auth / accounting lists, and the default?  Is it just that I need to apply them to certain interfaces, where the default is applied to all interfaces?

Configs:

aaa new-model

aaa authentication login SSH group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec CONSOLE local
aaa authorization exec SSH group tacacs+
aaa authorization network CONSOLE local
aaa authorization network SSH group tacacs+
aaa accounting exec SSH start-stop group tacacs+
aaa accounting commands 0 SSH start-stop group tacacs+
aaa accounting commands 1 SSH start-stop group tacacs+
aaa accounting commands 15 SSH start-stop group tacacs+
aaa accounting network SSH start-stop group tacacs+

access-list 1 permit X.X.56.0 0.0.0.255
tacacs-server host X.X.X.X key XXXXXXXXXXXXX
tacacs-server timeout 30
tacacs-server directed-request
!
control-plane
!
!
line con 0
session-timeout 10
authorization exec CONSOLE
login authentication CONSOLE
line vty 0 4
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
line vty 5 15
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh

Any help is appreciated.

Thanks!


Jon

2 Accepted Solutions

kush.sri86
Level 1

Hi Jon,

Could you let us know the exact version of the ACS? If it's the ACS 4.1.1.23, then you would have to apply the latest patch of ACS as there is a bug in ACS 4.1.1.23 in which command accounting does not work.

Here is the information about the bug:

CSCsg97429:

TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.


Symptom:

TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.
No accounting records are seen in the TACACS+ Administration log.


Conditions:

Command accounting is configured on the NAS. After entering commands on the NAS
no records are seen in the TACACS+ Administration log file. Debugs on the NAS show
the records being sent, and they do arrive at the ACS server, but the appropriate
log file is not updated.


Jatin Katyal
Cisco Employee

Jon,


Looks like you are running 4.1.1.23. In order to get this fixed, you need to either apply patch 5 on the current version,
i.e. 4.1.1.23, or completely upgrade the ACS to the latest code.

You may download the patch 5 from the below mentioned link:

NOTE: This is applicable only for ACS for Windows.

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

Readme for ACS 4.1.1.23.5 accumulative patch

ACS 4.1.1.23.5 accumulative patch

Regds,
JK

Do rate helpful posts.
~Jatin


9 Replies

"default" implies it will apply to any interface for which a specific method has not been defined.

On ACS, the start/stop will go to TACACS+ accounting, and the command accounting will go to TACACS+ administration. Are you not seeing the command accounting on either report?
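The default-versus-named distinction above is easy to get wrong when a list is defined globally but not applied to every line (or the other way round). As an added example, not code from this thread or from Cisco, here is a small Python audit that reads an IOS-style config, records which "aaa accounting commands" lists exist per privilege level, and then reports, for each line section, the levels that end up with no command accounting at all (nothing applied and no "default" list defined) or that reference a list that was never defined. The sample config is constructed to resemble the one in the question, with a deliberate gap on vty 5 15 and no console command accounting; the helper names are mine.

```python
import re

# Constructed sample, modelled on the config quoted in the question (not the
# poster's exact config): vty 5 15 lacks level-15 command accounting and
# there is no "default" list to fall back on.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec SSH start-stop group tacacs+
aaa accounting commands 0 SSH start-stop group tacacs+
aaa accounting commands 1 SSH start-stop group tacacs+
aaa accounting commands 15 SSH start-stop group tacacs+
line con 0
 login authentication CONSOLE
line vty 0 4
 accounting commands 0 SSH
 accounting commands 1 SSH
 accounting commands 15 SSH
 accounting exec SSH
line vty 5 15
 accounting commands 0 SSH
 accounting commands 1 SSH
 accounting exec SSH
"""

GLOBAL_RE = re.compile(r"^aaa accounting commands (\d+) (\S+)\b")
LINE_RE = re.compile(r"^line (\S+(?: \d+)*)$")
# Indentation is optional: configs pasted into a forum often lose it.
APPLY_RE = re.compile(r"^\s*accounting commands (\d+) (\S+)$")


def parse_config(text):
    """Return (defined, applied): defined maps privilege level -> set of
    globally defined method-list names; applied maps a line section name
    (e.g. 'vty 0 4') -> {privilege level: list name applied there}."""
    defined = {}
    applied = {}
    current = None
    for raw in text.splitlines():
        if m := GLOBAL_RE.match(raw):
            defined.setdefault(int(m.group(1)), set()).add(m.group(2))
        elif m := LINE_RE.match(raw):
            current = m.group(1)
            applied.setdefault(current, {})   # register even if nothing applied
        elif current is not None and (m := APPLY_RE.match(raw)):
            applied[current][int(m.group(1))] = m.group(2)
    return defined, applied


def audit(text, levels=(0, 1, 15)):
    """List (line, level, problem) for every line section and privilege level
    where command accounting would not actually be sent."""
    defined, applied = parse_config(text)
    gaps = []
    for line, per_level in applied.items():
        for lvl in levels:
            name = per_level.get(lvl)
            if name is None:
                # Nothing named is applied here: IOS uses the "default" list
                # for this level if one exists, otherwise no accounting.
                if "default" not in defined.get(lvl, set()):
                    gaps.append((line, lvl, "no command accounting"))
            elif name not in defined.get(lvl, set()):
                gaps.append((line, lvl, f"list {name!r} not defined for level {lvl}"))
    return gaps


if __name__ == "__main__":
    for line, lvl, problem in audit(SAMPLE_CONFIG):
        print(f"line {line}: privilege {lvl}: {problem}")
```

Run against a "show running-config" capture, the output is the list of line sections where a privileged command would never produce a TACACS+ accounting record, which is the first thing to rule out before suspecting the server.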

Thanks for the reply!  No, I'm not seeing the command logging in either the accounting or the TACACS administration reports.  Not really sure where to go from here.

Thanks!

Jon

On the switch:

debug aaa accounting

debug tacacs

On ACS:

System Configuration -> Service Control and set the log level detail to full, and restart the services

Then, reproduce the problem, capture the debug output, and post it here. Depending on what we see, we might need to look at the ACS logs.

Attached is the log.


Thanks!

Jon

This looks fine:

3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
3d22h: TPLUS(00000034)/0/NB_WAIT: socket event 2
3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: Would block while reading
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 12 header bytes (expect 5 bytes data)
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
3d22h: TPLUS: Received accounting response with status PASS

On ACS, look in the log directories for the CSTacacs and CSLog services, and find the entries corresponding to the above.

Incidentally, you may want to make the timestamps on the router be datetime rather than uptime; it makes it easier to correlate logs.

service timestamps debug datetime localtime msec

service timestamps log datetime localtime msec
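The debug output above already tells you the NAS built the record, sent it and got a PASS back, which is exactly why the next step is the ACS side. As an added example, not from this thread or from Cisco, here is a Python parser for that "debug tacacs" accounting output: it groups the "Sending AV" lines by accounting request id, attaches the user from the "Accounting request created for" line and the status from the response line, and then lists the shell command records the ACS TACACS+ Administration report should contain, plus any requests that never received a response. The sample is the thread's request 52 with a second, constructed request 53 that gets no reply; the function names are mine.

```python
import re

# Constructed sample: request 52 is trimmed from the debug quoted in the
# thread; request 53 is made up and deliberately receives no response.
SAMPLE_DEBUG = """\
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS: Received accounting response with status PASS
3d22h: TPLUS: Queuing AAA Accounting request 53 for processing
3d22h: TPLUS: processing accounting request id 53
3d22h: TPLUS: Sending AV task_id=115
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=show running-config
3d22h: TPLUS: Accounting request created for 53(testusr)
"""

START_RE = re.compile(r"TPLUS: processing accounting request id (\d+)")
AV_RE = re.compile(r"TPLUS: Sending AV (\S+?)=(.*)$")
USER_RE = re.compile(r"TPLUS: Accounting request created for (\d+)\((\S+)\)")
STATUS_RE = re.compile(r"TPLUS: Received accounting response with status (\S+)")


def parse_tplus_debug(text):
    """Return one dict per accounting request: id, user, AV pairs, status."""
    records = []
    by_id = {}
    current = None
    for line in text.splitlines():
        if m := START_RE.search(line):
            current = {"id": int(m.group(1)), "user": None, "av": {}, "status": None}
            records.append(current)
            by_id[current["id"]] = current
        elif current is not None and (m := AV_RE.search(line)):
            current["av"][m.group(1)] = m.group(2)
        elif m := USER_RE.search(line):
            rec = by_id.get(int(m.group(1)))
            if rec is not None:
                rec["user"] = m.group(2)
        elif m := STATUS_RE.search(line):
            # The status line carries no request id; assume replies arrive in
            # order and attach it to the oldest request still awaiting one.
            for rec in records:
                if rec["status"] is None:
                    rec["status"] = m.group(1)
                    break
    return records


def command_records(records):
    """(user, priv-lvl, cmd, status) rows: what the ACS TACACS+ Administration
    report should show for each shell command the NAS accounted for."""
    return [
        (r["user"], r["av"].get("priv-lvl"), r["av"]["cmd"], r["status"])
        for r in records
        if r["av"].get("service") == "shell" and "cmd" in r["av"]
    ]


def unacknowledged(records):
    """Request ids the server never answered (timeouts, or a debug cut short)."""
    return [r["id"] for r in records if r["status"] is None]


if __name__ == "__main__":
    recs = parse_tplus_debug(SAMPLE_DEBUG)
    for row in command_records(recs):
        print("sent:", row)
    print("no response:", unacknowledged(recs))
```

A request that shows up here with status PASS but has no matching row in the ACS report points at the server's logging (which is what the accepted answer in this thread turned out to be); a request listed as unacknowledged points at reachability, the shared key or the 30-second timeout instead.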


Nothing to download from the URL http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

Please help, as I am facing a similar issue.

Hi Sohail,


You may need to open a TAC case for that.

Regards,

~JG

Do rate helpful posts
