Cisco Support Community

New Member

Logging on switch

I want to log all commands entered on a switch, however I can't seem to find a command to do that. Is this possible? Or am I stuck with the generic "configured from console by USERID" messages as the most detail I can get?

6 REPLIES
Blue

Re: Logging on switch

Look into AAA solutions such as Cisco Secure ACS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html

New Member

Re: Logging on switch

I am using ACS, however I am not sure how I would set that up to log commands.

I have tried to add this:

aaa accounting commands 15 default start-stop group tacacs+

but that does not seem to work.

Any thoughts?

Blue

Re: Logging on switch

By "that does not seem to work" you mean you can't "go to the Reports part of ACS. Pull up the TACACS+ Administration report. (TACACS+ Accounting tracks changes you made to ACS itself). ... Note that you can clearly see who issued each command, when they did it, and what the command was"?

Does your AAA config look similar to this?

aaa new-model
aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
ip tacacs source-interface Loopback0
!
tacacs-server host 10.20.1.20 key pleasetrustme
tacacs-server directed-request

New Member

Re: Logging on switch

By "does not seem to work" - yes, I go into the ACS under Reports. In TACACS+ Administration, there is nothing. In TACACS+ Accounting, there is info, but nothing relating to commands issued.

I have verified that there is a check in the system control for logging.

I have this for AAA config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 1.2.3.4 key the_key
tacacs-server host 1.2.3.5 key the_key
tacacs-server directed-request
radius-server source-ports 1645-1646

I am obviously missing something... thanks for your input!

Blue

Re: Logging on switch

The documentation makes me suspect "aaa authorization commands 1 default group tacacs+ if-authenticated none" is a prerequisite for "aaa accounting commands 15 default start-stop group tacacs+" to start logging commands issued. In other words, commands Authorization has to be set up (on both the router and ACS) before commands Accounting takes place, as far as Cisco Secure ACS is concerned. So you'd need to configure/authorize on the ACS what commands that particular user can execute.
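
A small config check for the prerequisite described in this reply, added here as an example (it is not from the thread or from Cisco): it parses a running-config excerpt and flags every privilege level that has an `aaa accounting commands` line without a matching `aaa authorization commands` line that uses the tacacs+ group. The sample config is the one posted above; the extra note about privilege level 1 (level-15 accounting only records level-15 commands) is the example's own addition.

```python
import re

# Constructed sample: the AAA config posted earlier in this thread, which has
# command accounting for level 15 but no command authorization at all.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 1.2.3.4 key the_key
tacacs-server host 1.2.3.5 key the_key
"""

ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) (start-stop|stop-only|none)\b(.*)$")
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def audit_command_accounting(config: str) -> list:
    """Return one finding per privilege level whose command accounting cannot
    produce per-command records on the TACACS+ server as configured."""
    accounting = {}     # level -> (list name, record mode, remaining tokens)
    authorization = {}  # level -> method-list tokens
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACCT_RE.match(line):
            accounting[int(m.group(1))] = (m.group(2), m.group(3), m.group(4).split())
        elif m := AUTHZ_RE.match(line):
            authorization[int(m.group(1))] = m.group(3).split()

    findings = []
    for level, (_list_name, mode, methods) in sorted(accounting.items()):
        if mode == "none" or "tacacs+" not in methods:
            findings.append(f"level {level}: accounting records are not sent to a tacacs+ group")
        if level not in authorization:
            findings.append(f"level {level}: no 'aaa authorization commands {level}' line; "
                            "ACS will not populate TACACS+ Administration for these commands")
        elif "tacacs+" not in authorization[level]:
            findings.append(f"level {level}: command authorization does not use group tacacs+")
    # Accounting is per privilege level: 'commands 15' says nothing about level-1 commands.
    if 15 in accounting and 1 not in accounting:
        findings.append("level 1: no command accounting; user-EXEC commands are not logged")
    return findings


if __name__ == "__main__":
    for finding in audit_command_accounting(SAMPLE_CONFIG):
        print(finding)
```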

New Member

Re: Logging on switch

Apparently, I needed a patch (applACS-4.1.1.23.5.zip) for my ACS server for this to work. Once I applied that, the TACACS+ Administration report populated.
