Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

activity user log

HI!

I need to know if there is a way when a user logs in a router or a switch and make a change that change must be logged in some way and all configuration changes must be seen somewhere. I know i can see in the show log that a user changed the configuration but i don't know what he did? i also managed to achieve to log when a configuration changed done by this command

service timestamps log datetime msec localtime show-timezone

but this only says who user changed something.

3 REPLIES

Re: activity user log

Hi,

You may need to enable aaa feature in your routers or switches. But you have to have Cisco ACS server to capture all those commands which is viewable in the report page.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddc31e6

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html

Pls rate all helpful post.

Rgds,

AK

New Member

Re: activity user log

With the use of RADIUS server isn't possible to audit user actions? only with the use of the ACS server program?

Because we have already purchased the radius server for aaa accounting and aaa authorization

Re: activity user log

If you want to authenticate, audit and authorize what commands a user/admin user can or allowed to execute, use TACACS instead of RADIUS.

RADIUS cannot do detail audit, it's limited to the info when the session started, ended, time and so on. No details on commands.

One of the obvious difference between RADIUS and TACACS is, RADIUS is used to authenticate incoming access from the client/normal user via whatever devices, e.g VPN server or remote access server. This service allows users/clients to access services behind the VPN server device (passing through). It is just merely to authenticate and validate users, not to verify/check what commands has been executed.

TACACS (or TACACS+), is a management protocol for a device, e.g cisco routers and switches, to authenticate, audit and authorize what command an admin user can or allowed to execute when doing configuration or administration tasks on the devices. So, if your intention is to do full AAA, then use TACACS+ instead of RADIUS.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

Pls rate all useful post(s).

Rgds,

AK

182
Views
5
Helpful
3
Replies
CreatePlease to create content