Cisco Support Community
New Member

TACACs server and configuration changes

Folks,

We have a TACACS server used for authentication purposes, but I would also like it to record any config changes made to our kit.

Is there a command set for this?

Thanks to anyone taking the time and effort to reply.

4 REPLIES
Silver

Re: TACACs server and configuration changes

Not sure if you can record config changes from the TACACS server. Check out the following link for basic TACACS configuration:

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080093c7c.shtml

Hall of Fame Super Silver

Re: TACACs server and configuration changes

TACACS is an AAA server (Authentication, Authorization, and Accounting) - i.e., loosely the "A" in the FCAPS network management model (Fault, Configuration, Accounting, Performance and Security - see http://www.iec.org/online/tutorials/ems/topic03.html for more).

What you seem to be asking for is Configuration Management - the "C". Cisco's product that targets that capability is the RME component of CiscoWorks LAN Management Solution (LMS).

If all you want is configuration diff detection and archiving, take a look at the open source RANCID tool. See http://www.shrubbery.net/rancid/ for an overview and download or http://www.networkcomputing.com/showArticle.jhtml?articleID=165701527 for a review.

New Member

Re: TACACs server and configuration changes

Many thanks for your replies, folks.

Greatly appreciated.

Hall of Fame Super Silver

Re: TACACs server and configuration changes

Michael

I believe that I understand your question a bit differently than the previous responses. If I am correct, you are asking about the ability to record and report through TACACS about config changes that are made on the routers and switches in your network that currently use the TACACS server for authentication.

If your TACACS server is the Cisco ACS server, then you can accomplish what you are asking using the accounting part of AAA. On the routers and switches, configure accounting for commands. The syntax on routers is:

aaa accounting commands 15 default start-stop group tacacs+

The syntax on Catalyst switches for config commands is:

set accounting commands enable config stop-only tacacs+

If you want to see all privilege level commands use:

set accounting commands enable enable stop-only tacacs+

If you configure this, the router or switch will send records to TACACS, which will record config changes. We do this routinely on routers and switches at a customer site and it works well for us.

HTH

Rick
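
Once command accounting as described in the reply above is enabled, the accounting log can be filtered down to configuration changes. The following is an added example, not part of the original thread or any Cisco tool: it assumes a tab-separated record layout with attribute=value pairs (Cisco ACS and other TACACS+ servers have their own export formats), and the sample records and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (assumed layout): timestamp, NAS, user, port,
# remote address, record type, then tab-separated attribute=value pairs.
SAMPLE = "\n".join([
    "Jan 10 09:14:02\t10.0.0.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=41\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>",
    "Jan 10 09:15:01\t10.0.0.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=42\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>",
    "Jan 10 09:15:10\t10.0.0.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=43\tservice=shell\tpriv-lvl=15\tcmd=interface GigabitEthernet0/1 <cr>",
    "Jan 10 09:15:20\t10.0.0.1\tbob\ttty3\t192.0.2.11\tstop\ttask_id=44\tservice=shell\tpriv-lvl=15\tcmd=show version <cr>",
    "Jan 10 09:15:31\t10.0.0.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=45\tservice=shell\tpriv-lvl=15\tcmd=shutdown <cr>",
    "Jan 10 09:15:40\t10.0.0.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=46\tservice=shell\tpriv-lvl=15\tcmd=end <cr>",
    "Jan 10 09:16:00\t10.0.0.1\talice\ttty2\t192.0.2.10\tstop\ttask_id=47\tservice=shell\tpriv-lvl=15\tcmd=show ip interface brief <cr>",
    "truncated line without tabs",
])

def parse_record(line):
    """Split one accounting line into a dict; return None if it is malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    rec = dict(zip(("time", "nas", "user", "port", "rem_addr", "type"), fields[:6]))
    for av in fields[6:]:
        key, sep, value = av.partition("=")
        if sep:
            rec[key] = value
    # Command records end with a literal "<cr>" marker; drop it.
    rec["cmd"] = rec.get("cmd", "").strip().removesuffix("<cr>").strip()
    return rec

def config_changes(lines):
    """Return (time, nas, user, cmd) for commands issued inside config mode.
    Simplification: only 'end' or a new 'configure ...' changes the mode."""
    in_config = defaultdict(bool)  # keyed per device/user/line session
    changes = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["type"] != "stop" or rec.get("service") != "shell" or not rec["cmd"]:
            continue
        session = (rec["nas"], rec["user"], rec["port"])
        if rec["cmd"].startswith("configure"):
            in_config[session] = True
        elif rec["cmd"] == "end":
            in_config[session] = False
        elif in_config[session]:
            changes.append((rec["time"], rec["nas"], rec["user"], rec["cmd"]))
    return changes

if __name__ == "__main__":
    for change in config_changes(SAMPLE.splitlines()):
        print(*change, sep=" | ")
```

Leaving config mode with repeated `exit` commands is not tracked here, so a session that never sends `end` stays flagged until its next `configure` record.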
