https://community.cisco.com/t5/network-access-control/device-admin-using-radius-what-about-command-accounting/m-p/3810450#M24902 <P>Hello</P> <P>&nbsp;</P> <P>I was testing the Device Admin using Radius (instead of TACACS+) and I was quite impressed with how well it works. For customers who only have a few devices and don't want to shell out the big bucks for a Device Admin license.&nbsp; And it kind of makes sense for a simple use case where a user just wants to get to priv exec (lvl15) mode - it's what the customer is used to. They can of course make it more complex than this using the Cisco AVPair.</P> <P>&nbsp;</P> <P>My only issue is that I was unable to tell the IOS-XE router (a CSR1000) that I want to log every command that the user entered.&nbsp; This is very easy with TACACS.&nbsp; Anyone does this with Radius?&nbsp;&nbsp; I don't mean command Authorization ... I am specifically talking about logging (or accounting) the commands that have been entered during that session.</P> <P>I have setup Radius Accounting at the start of the session, and also at the end of the Session, to ensure that the ISE Base Licenses are handled correctly.</P> <P>&nbsp;</P> <PRE>[abier@centos ~]$ <STRONG>ssh bob@172.16.1.240</STRONG> Password: CSR1#<STRONG>show run aaa</STRONG> ! <FONT color="#000000">aaa authentication login default group radius-ise local aaa authorization exec default group radius-ise if-authenticated aaa accounting exec default start-stop group radius-ise aaa accounting update newinfo</FONT> ! radius server ise02 address ipv4 192.168.21.101 auth-port 1812 acct-port 1813 key 7 15355B000079252370 ! ! aaa group server radius radius-ise server name ise02 mac-delimiter colon ! aaa new-model </PRE> <P>&nbsp;</P> <P>I decided to place the Policy Rule at the end of the other stuff to avoid confusion - I check for NAS Port Type = Virtual, and NAS Port Id prefix "tty"</P> <P>Some wireshark analysis of the authentication</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="radius.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/31016iCBFD801B1E2A8578/image-size/large?v=v2&amp;px=999" role="button" title="radius.PNG" alt="radius.PNG" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 27 Feb 2019 00:54:55 GMT Arne Bier 2019-02-27T00:54:55Z https://community.cisco.com/t5/network-access-control/device-admin-using-radius-what-about-command-accounting/m-p/3810450#M24902 <P>Hello</P> <P>&nbsp;</P> <P>I was testing the Device Admin using Radius (instead of TACACS+) and I was quite impressed with how well it works. For customers who only have a few devices and don't want to shell out the big bucks for a Device Admin license.&nbsp; And it kind of makes sense for a simple use case where a user just wants to get to priv exec (lvl15) mode - it's what the customer is used to. They can of course make it more complex than this using the Cisco AVPair.</P> <P>&nbsp;</P> <P>My only issue is that I was unable to tell the IOS-XE router (a CSR1000) that I want to log every command that the user entered.&nbsp; This is very easy with TACACS.&nbsp; Anyone does this with Radius?&nbsp;&nbsp; I don't mean command Authorization ... I am specifically talking about logging (or accounting) the commands that have been entered during that session.</P> <P>I have setup Radius Accounting at the start of the session, and also at the end of the Session, to ensure that the ISE Base Licenses are handled correctly.</P> <P>&nbsp;</P> <PRE>[abier@centos ~]$ <STRONG>ssh bob@172.16.1.240</STRONG> Password: CSR1#<STRONG>show run aaa</STRONG> ! <FONT color="#000000">aaa authentication login default group radius-ise local aaa authorization exec default group radius-ise if-authenticated aaa accounting exec default start-stop group radius-ise aaa accounting update newinfo</FONT> ! radius server ise02 address ipv4 192.168.21.101 auth-port 1812 acct-port 1813 key 7 15355B000079252370 ! ! aaa group server radius radius-ise server name ise02 mac-delimiter colon ! aaa new-model </PRE> <P>&nbsp;</P> <P>I decided to place the Policy Rule at the end of the other stuff to avoid confusion - I check for NAS Port Type = Virtual, and NAS Port Id prefix "tty"</P> <P>Some wireshark analysis of the authentication</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="radius.PNG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/31016iCBFD801B1E2A8578/image-size/large?v=v2&amp;px=999" role="button" title="radius.PNG" alt="radius.PNG" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 27 Feb 2019 00:54:55 GMT https://community.cisco.com/t5/network-access-control/device-admin-using-radius-what-about-command-accounting/m-p/3810450#M24902 Arne Bier 2019-02-27T00:54:55Z https://community.cisco.com/t5/network-access-control/device-admin-using-radius-what-about-command-accounting/m-p/3810482#M24905 Its not a problem with radius rather its to do with cisco implementation.<BR />The Cisco Systems implementation of RADIUS does not support command<BR />accounting.<BR /><BR /><A href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-cfg-accountg.html#GUID-FC92726B-5BA8-44FE-AA0E-B026BE165D62" target="_blank">https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-xe-3s-book/sec-cfg-accountg.html#GUID-FC92726B-5BA8-44FE-AA0E-B026BE165D62</A><BR /><BR />**** Please remember to rate useful posts<BR /> Wed, 27 Feb 2019 03:11:09 GMT https://community.cisco.com/t5/network-access-control/device-admin-using-radius-what-about-command-accounting/m-p/3810482#M24905 Mohammed al Baqari 2019-02-27T03:11:09Z