05-10-2010 09:36 AM - edited 03-10-2019 05:07 PM
All,
Working on a problem that I'm having getting command logging set up for my switch / router infrastructure. Below is my config, authentication is working, both console & SSH. Authorization is also working. Some of my accounting features are working, like successful TACACS+ logins, but all my command logging features are not working properly.
I'm currently running ACS V4.1. Also, what is the difference between using named auth / accounting lists, and the default? Is it just that I need to apply them to certain interfaces, where the default is applied to all interfaces?
Configs:
aaa new-model
aaa authentication login SSH group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization console
aaa authorization exec CONSOLE local
aaa authorization exec SSH group tacacs+
aaa authorization network CONSOLE local
aaa authorization network SSH group tacacs+
aaa accounting exec SSH start-stop group tacacs+
aaa accounting commands 0 SSH start-stop group tacacs+
aaa accounting commands 1 SSH start-stop group tacacs+
aaa accounting commands 15 SSH start-stop group tacacs+
aaa accounting network SSH start-stop group tacacs+
access-list 1 permit X.X.56.0 0.0.0.255
tacacs-server host X.X.X.X key XXXXXXXXXXXXX
tacacs-server timeout 30
tacacs-server directed-request
!
control-plane
!
!
line con 0
session-timeout 10
authorization exec CONSOLE
login authentication CONSOLE
line vty 0 4
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
line vty 5 15
session-timeout 10
access-class 1 in
authorization exec SSH
accounting commands 0 SSH
accounting commands 1 SSH
accounting commands 15 SSH
accounting exec SSH
login authentication SSH
transport input ssh
Any help is appreciated.
Thanks!
Jon
05-11-2010 02:52 PM
Hi Jon,
Could you let us know the exact version of the ACS? If it's the ACS 4.1.1.23, then you would have to apply the latest patch of ACS as there is a bug in ACS 4.1.1.23 in which command accounting does not work.
Here is the information about the bug:
TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.
Symptom:
TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.
No accounting records are seen in the TACACS+ Administration log.
Conditions:
Command accounting is configured on the NAS. After entering commands on the NAS
no records are seen in the TACACS+ Administration log file. Debugs on the NAS show
the records being sent, and they do arrive at the ACS server, but the appropriate
log file is not updated.
05-12-2010 02:44 AM
Jon,
Looks like you are running 4.1.1.23. In order to get this fixed, you need to either apply patch 5 on the current version
i.e. 4.1.1.23 or completely upgrade the ACS to the latest code.
You may download the patch 5 from the below mentioned link:
NOTE: This is applicable only for ACS windows.
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Readme for ACS 4.1.1.23.5 accumulative patch
ACS 4.1.1.23.5 accumulative patch
Regds,
JK
Do rate helpful posts-
05-11-2010 08:33 AM
"default" implies it will apply to any interface for which a specific method has not been defined.
On ACS, the start/stop will go to TACACS+ accounting, and the command accounting will go to TACACS+ administration. Are you not seeing the command accounting on either report?
05-11-2010 08:52 AM
Thanks for the reply! No, I'm not seeing the command logging in either the accounting, or the TACACS administration reports. Not really sure where to go from here.
Thanks!
Jon
05-11-2010 09:04 AM
On the switch:
debug aaa accounting
debug tacacs
On ACS:
System Configuration -> Service Control and set the log level detail to full, and restart the services
Then, reproduce the problem, capture the debug output, and post it here. Depending on what we see, we might need to look at the ACS logs.
05-11-2010 09:46 AM
05-11-2010 09:57 AM
This looks fine:
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
3d22h: TPLUS(00000034)/0/NB_WAIT: socket event 2
3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: Would block while reading
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 12 header bytes (expect 5 bytes data)
3d22h: TPLUS(00000034)/0/READ: socket event 1
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
3d22h: TPLUS: Received accounting response with status PASS
On ACS, look in the log directories for the CSTacacs and CSLog services, and find the entries corresponding to the above.
Incidentally, you may want to make the timestamps on the router be datetime rather than uptime, it makes it easier to correlate logs.
service timestamp debug datetime localtime msec
service timestamp log datetime localtime msec
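When a debug capture like the one above is more than a handful of lines, it helps to reduce it to one record per accounting request before comparing it with the server-side reports. The script below is an added example, not code from the thread or from Cisco: it parses the IOS "debug tacacs" / "debug aaa accounting" lines into per-request records (user, AV pairs, server, byte counts, reply status) and gives a verdict on whether the NAS side looks healthy. The sample lines embedded in it are constructed from the output quoted above (X.X.X.X is the poster's masked server address); the second sample, with no reply, is constructed to show the other failure mode. The byte-count check uses the TACACS+ packet layout from RFC 8907: a fixed 12-byte header, and an accounting reply body of at least 5 bytes (server_msg_len, data_len, status), which is why "12 header bytes (expect 5 bytes data)" adds up to the 17-byte response.

```python
"""Reduce IOS 'debug tacacs' / 'debug aaa accounting' output to one record per
TACACS+ accounting request and say whether the NAS side looks healthy.
Added example for this thread; samples are constructed from the quoted debug
output, and the verdict wording is the example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

TACACS_HEADER_LEN = 12   # RFC 8907 sec. 4.1: every TACACS+ packet starts with a 12-byte header
ACCT_REPLY_MIN_BODY = 5  # sec. 7.2: server_msg_len(2) + data_len(2) + status(1)

# Constructed sample mirroring the thread's debug output (a 'write memory' record).
SAMPLE_DEBUG = """\
3d22h: AAA/ACCT(00000034): Accounting method=tacacs+ (TACACS+)
3d22h: TPLUS: Queuing AAA Accounting request 52 for processing
3d22h: TPLUS: processing accounting request id 52
3d22h: TPLUS: Sending AV task_id=114
3d22h: TPLUS: Sending AV timezone=UTC
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV priv-lvl=15
3d22h: TPLUS: Sending AV cmd=write memory
3d22h: TPLUS: Accounting request created for 52(testusr)
3d22h: TPLUS: using previously set server X.X.X.X from group tacacs+
3d22h: TPLUS(00000034)/0/NB_WAIT/36C23C0: Started 30 sec timeout
3d22h: TPLUS(00000034)/0/NB_WAIT: wrote entire 115 bytes request
3d22h: TPLUS(00000034)/0/READ: read entire 12 header bytes (expect 5 bytes data)
3d22h: TPLUS(00000034)/0/READ: read entire 17 bytes response
3d22h: TPLUS(00000034)/0/36C23C0: Processing the reply packet
3d22h: TPLUS: Received accounting response with status PASS
"""

# Constructed sample: the request is written but no reply ever arrives, so no
# status line is logged (server unreachable, wrong key, or dropped by a filter).
SAMPLE_NO_REPLY = """\
3d22h: TPLUS: processing accounting request id 53
3d22h: TPLUS: Sending AV service=shell
3d22h: TPLUS: Sending AV cmd=configure terminal
3d22h: TPLUS: Accounting request created for 53(testusr)
3d22h: TPLUS(00000035)/0/NB_WAIT: wrote entire 120 bytes request
"""

RE_PROCESSING = re.compile(r"processing accounting request id (\d+)")
RE_AV = re.compile(r"Sending AV ([^=\s]+)=(.*)$")
RE_CREATED = re.compile(r"Accounting request created for (\d+)\((\S+)\)")
RE_SERVER = re.compile(r"using previously set server (\S+)")
RE_REQ_BYTES = re.compile(r"wrote entire (\d+) bytes request")
RE_HEADER = re.compile(r"read entire (\d+) header bytes \(expect (\d+) bytes data\)")
RE_RESPONSE = re.compile(r"read entire (\d+) bytes response")
RE_STATUS = re.compile(r"Received accounting response with status (\w+)")


@dataclass
class AcctRequest:
    req_id: str
    user: Optional[str] = None
    server: Optional[str] = None
    av_pairs: Dict[str, str] = field(default_factory=dict)
    request_bytes: Optional[int] = None
    header_bytes: Optional[int] = None
    expected_body: Optional[int] = None
    response_bytes: Optional[int] = None
    status: Optional[str] = None


def parse_debug(text: str) -> Dict[str, AcctRequest]:
    """Group debug lines by accounting request id. Assumes the sequential layout
    of the quoted output: lines belong to the most recent 'processing ... id N'."""
    requests: Dict[str, AcctRequest] = {}
    current: Optional[AcctRequest] = None
    for line in text.splitlines():
        if m := RE_PROCESSING.search(line):
            current = requests.setdefault(m.group(1), AcctRequest(req_id=m.group(1)))
        elif current is None:
            continue
        elif m := RE_AV.search(line):
            current.av_pairs[m.group(1)] = m.group(2).strip()
        elif m := RE_CREATED.search(line):
            current.user = m.group(2)
        elif m := RE_SERVER.search(line):
            current.server = m.group(1)
        elif m := RE_REQ_BYTES.search(line):
            current.request_bytes = int(m.group(1))
        elif m := RE_HEADER.search(line):
            current.header_bytes, current.expected_body = int(m.group(1)), int(m.group(2))
        elif m := RE_RESPONSE.search(line):
            current.response_bytes = int(m.group(1))
        elif m := RE_STATUS.search(line):
            current.status = m.group(1)
    return requests


def assess(req: AcctRequest) -> str:
    """Verdict on the NAS side of one accounting exchange."""
    problems = []
    if "cmd" not in req.av_pairs:
        problems.append("no cmd AV pair, so this is not a command-accounting record")
    if req.status is None:
        problems.append("no accounting response seen: check server reachability, shared key and timeout")
    elif req.status != "PASS":
        problems.append(f"server answered {req.status}")
    if None not in (req.header_bytes, req.expected_body, req.response_bytes):
        if req.header_bytes != TACACS_HEADER_LEN or req.expected_body < ACCT_REPLY_MIN_BODY:
            problems.append("reply header or body size is not a valid TACACS+ accounting reply")
        elif req.response_bytes != req.header_bytes + req.expected_body:
            problems.append("reply length does not match header: truncated read")
    if problems:
        return "; ".join(problems)
    return "NAS side OK: command record acknowledged with PASS, look at the server's log next"


def summarize(text: str) -> Dict[str, str]:
    """Map each request id in a debug capture to its verdict."""
    return {rid: assess(req) for rid, req in parse_debug(text).items()}


if __name__ == "__main__":
    for sample in (SAMPLE_DEBUG, SAMPLE_NO_REPLY):
        for rid, req in parse_debug(sample).items():
            print(f"req {rid} user={req.user} cmd={req.av_pairs.get('cmd')!r}: {assess(req)}")
```

Feed it the raw debug capture (for example, the terminal log of the session) and compare the request ids and cmd values it reports with what appears in the TACACS+ Administration report; a request that gets a PASS here but never shows up in the report points at the server's logging, which is what this thread ended up finding.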
12-22-2010 07:56 AM
Nothing to download from the URL http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des
Please help as I am facing a similar issue.
12-23-2010 01:34 AM
Hi Sohail,
You may need to open a TAC case for that.
Regards,
~JG
Do rate helpful posts