Accounting on tacacs

Mohamed Sobair
Level 7

Hi all,

I have enabled tacacs-server on a Cisco router and accounting is configured, but we noticed that configuration done in interface mode is not logged.

The configuration on cisco is attached, let me know your feedback.

regards,

Mohamed

7 Replies

mahmoodmkl
Level 7

Hi

I think the command should be like this.

aaa accounting commands 15 default start-stop group tacacs+

Thanks

Mahmood

Hi Mahmood,

I have done it, but it's still not recording commands issued at the interface level.

Commands issued at config/privilege modes are being recorded perfectly.

Any suggestions will be appreciated.

Regards,

Mohamed

Hi All,

If anyone has an idea how to get past this issue, it would be appreciated.

Best Regards,

Friend,

You need to look at the "Tacacs administration" link on the Cisco ACS server for accounting logs. I do not know for what reason it does not show in the accounting logs.

Here is the configuration I used, and I am able to see all the configuration changes under the Tacacs administration page:

!
aaa new-model
aaa authentication login ABCD group tacacs+ local
aaa authorization exec ABCD group tacacs+ local
aaa authorization console
aaa authorization config-commands
aaa authorization configuration ABCD group tacacs+ local
aaa authorization commands 10 ABCD group tacacs+ local
aaa authorization commands 15 ABCD group tacacs+ local
aaa accounting exec ABCD start-stop group tacacs+
aaa accounting commands 1 ABCD start-stop group tacacs+
aaa accounting commands 15 ABCD start-stop group tacacs+
!
!
tacacs-server host 172.16.100.19 key XXXXX
!
line vty 0 15
 exec-timeout 5 0
 privilege level 15
 authorization commands 15 ABCD
 authorization commands 1 ABCD
 authorization exec ABCD
 accounting connection ABCD
 accounting commands 1 ABCD
 accounting commands 15 ABCD
 accounting exec ABCD
 login authentication ABCD

HTH, rate if it does

Narayan

Hi Narayan,

When you applied the same config, are you able to see accounting logs for the interface level?

Now it's able to record all config done at privilege/config modes, but it can't log changes done at interface level!!

Please confirm the above.

I would also like to add that I am configuring a (default) keyword instead of ABCD. This shouldn't affect anything, am I right?

Awaiting your feedback.

Best Regards,

Yes my friend,

I am able to see all the logs under the interface level as well (attached reference logs).

The fact that you use a default group (not key) whereas I use ABCD should not matter.

Try configuring one device according to what I posted and let me know.

HTH, rate if it does

Narayan

Mohamed

While there are some details of your config that might need clarification or improvement (for example your commands specify group TS but I do not see any definition of a group TS), if you say that some level 15 commands are being logged properly then I assume that the details of the config must be working ok.

I am puzzled about why interface commands are not being written to the accounting records. Your configuration of:

aaa accounting commands 15 default stop-only group TS

is similar to the way that I configure routers. I generally use start-stop where you are using stop-only. I would not expect this to cause the issue that you are seeing but it would be worth trying to see if it is any different if you specify start-stop instead of stop-only.

If that does not make any difference then I wonder if you are encountering a bug in the version of code that you are running. Can you give us the specifics of the code version that you are running? When I configure accounting for level 15 commands I see interface commands in the accounting records, so in general I believe that it works. So it might be worth trying a newer version of code and seeing if the behavior changes.

HTH

Rick
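The cross-checks raised in the replies above (a method list that names a server group with no definition, a line that references a command accounting list that does not exist, and whether level 15 commands are accounted at all) can be run over a saved configuration. This is an added example, not part of the thread or any poster's configuration. The function name, the sample config and its 192.0.2.10 address are constructed, and the input is assumed to be in `show running-config` layout with indented sub-commands.

```python
import re

BUILTIN_GROUPS = {"tacacs+", "radius"}  # usable without an "aaa group server" block

def audit_command_accounting(config):
    """Return findings for 'commands' accounting in show-running-config style text."""
    lists = {}       # (level, list name) -> server groups the list sends records to
    groups = set(BUILTIN_GROUPS)
    line_refs = []   # (line block, level, list name) from "accounting commands" under a line
    block = None
    for raw in config.splitlines():
        text = raw.strip()
        if raw and not raw.startswith(" "):   # unindented line starts a new top-level block
            block = text if text.startswith("line ") else None
        if m := re.match(r"aaa group server (?:tacacs\+|radius) (\S+)", text):
            groups.add(m.group(1))
        elif m := re.match(r"aaa accounting commands (\d+) (\S+) (.*)", text):
            lists[(int(m.group(1)), m.group(2))] = re.findall(r"group (\S+)", m.group(3))
        elif block and (m := re.match(r"accounting commands (\d+) (\S+)", text)):
            line_refs.append((block, int(m.group(1)), m.group(2)))
    findings = []
    for (level, name), used in lists.items():
        for g in used:
            if g not in groups:
                findings.append(f"commands {level} list {name}: server group {g} is not defined")
    for block, level, name in line_refs:
        if (level, name) not in lists:
            findings.append(f"{block}: accounting commands {level} {name} has no matching aaa list")
    if not any(level == 15 for level, _ in lists):
        # Per Rick's reply, interface commands appear under level 15 command accounting.
        findings.append("no aaa accounting commands 15 list: level 15 commands are not accounted")
    return findings

# Constructed sample, not the poster's attached config (which is not on the page).
SAMPLE = """\
aaa new-model
aaa accounting commands 15 default stop-only group TS
aaa accounting commands 1 ABCD start-stop group tacacs+
tacacs-server host 192.0.2.10 key EXAMPLE
line vty 0 4
 accounting commands 1 ABCD
 accounting commands 15 ABCD
"""

if __name__ == "__main__":
    for finding in audit_command_accounting(SAMPLE):
        print(finding)
```

An empty result only means the references are consistent; it says nothing about whether the TACACS+ server is recording what it receives.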
