topic Re: Problem for see accounting in ACS 4.1 in Network Access Control

Problem for see accounting in ACS 4.1

Alvaro Perez Unzueta — Tue, 26 Mar 2019 00:25:55 GMT

Hello,

I have ACS 4.1 and i've configured aaa in a Router, my problem is that I can't see the accounting in ACS for example i want to know that has done the users for example if an user type show runn, conf ter, shutdown in the interface. actually my aaa configuration is:

How i can see the accounting?? in the acs?? in acs 3.3.3 I can see the accounting, but in this version nothing.

version 12.4

hostname Router_Lab

boot-start-marker

boot-end-marker

enable secret 5 $1$051s$Few6cFXNT6T0TdAZqHkNu.

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication enable default enable

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

resource policy

ip subnet-zero

ip cef

username admin password 0 cisco123

interface FastEthernet0/0

ip address 172.20.0.1 255.255.255.0

duplex full

speed 100

snmp-server community adexus123 RW

snmp-server host 172.20.0.100 adexus123

tacacs-server host 172.20.0.11 key cisco123

tacacs-server timeout 3

tacacs-server directed-request

my logs when I put show running-config

Router_Lab#

*Mar 19 18:42:59.599: AAA: parse name=tty2 idb type=-1 tty=-1

*Mar 19 18:42:59.599: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0

*Mar 19 18:42:59.603: AAA/MEMORY: create_user (0x654D1F28) user='adexus' ruser='Router_Lab' ds0=0 port='tty2' rem_addr='172.20.0.100' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)

*Mar 19 18:42:59.607: tty2 AAA/AUTHOR/CMD(3705108292): Port='tty2' list='' service=CMD

*Mar 19 18:42:59.611: AAA/AUTHOR/CMD: tty2(3705108292) user='adexus'

*Mar 19 18:42:59.611: tty2 AAA/AUTHOR/CMD(3705108292): send AV service=shell

*Mar 19 18:42:59.615: tty2 AAA/AUTHOR/CMD(3705108292): send AV cmd=show

*Mar 19 18:42:59.615: tty2 AAA/AUTHOR/CMD(3705108292): send AV cmd-arg=running-config

*Mar 19 18:42:59.619: tty2 AAA/AUTHOR/CMD(3705108292): send AV cmd-arg=<cr>

*Mar 19 18:42:59.619: tty2 AAA/AUTHOR/CMD(3705108292): found list "default"

*Mar 19 18:42:59.623: tty2 AAA/AUTHOR/CMD(3705108292): Method=tacacs+ (tacacs+)

*Mar 19 18:42:59.627: AAA/AUTHOR/TAC+: (3705108292): user=adexus

*Mar 19 18:42:59.627: AAA/AUTHOR/TAC+: (3705108292): send AV service=shell

*Mar 19 18:42:59.627: AAA/AUTHOR/TAC+: (3705108292): send AV cmd=show

*Mar 19 18:42:59.631: AAA/AUTHOR/TAC+: (3705108292): send AV cmd-arg=running-config

*Mar 19 18:42:59.631: AAA/AUTHOR/TAC+: (3705108292): send AV cmd-arg=<cr>

*Mar 19 18:42:59.875: AAA/AUTHOR (3705108292): Post authorization status = PASS_ADD

*Mar 19 18:42:59.875: AAA/MEMORY: free_user (0x654D1F28) user='adexus' ruser='Router_Lab' port='tty2' rem_addr='172.20.0.100' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

Re: Problem for see accounting in ACS 4.1

vikram_anumukonda — Fri, 20 Mar 2009 12:23:01 GMT

Check this link, there is a bug in 4.1

http://supportwiki.cisco.com/ViewWiki/index.php/Cisco_Secure_ACS_server_is_unable_to_register_TACACS%2B_admin_logs

but you should atleast see the accounting records being sent on the router, I wonder why you don't see those in your debugs.

Re: Problem for see accounting in ACS 4.1

Vinay Sharma — Mon, 13 Apr 2009 17:25:00 GMT

Hi,

Thanks for the info. Their is a know bug for command accounting in ACS v4.1 and it is fixed in cumulative patch 5. The patch is available at cisco.com. make sure you take the backup before applying the patch. CSCsg97429 TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.

Re: Problem for see accounting in ACS 4.1

sachinga.hcl — Tue, 14 Apr 2009 17:55:56 GMT

Hi Vinashar,

This issue occurs due to the presence of Cisco bug ID CSCsg97429.

No accounting records appear in the Terminal Access Controller Access Control System (TACACS+) Administration log file.

The problem starts when command Accounting is configured on the Network Attached Storage (NAS). After commands are entered on the NAS, no records appear in the TACACS+ Administration log file.

Debugs on the NAS show the records are sent, and they do arrive at the ACS, but the appropriate log file fails to update.

With ACS logging set to Full in System Configuration > Service Control, the log file of the CSLog service shows these entries each time a command is entered on the NAS:

12/06/2006 14:22:52 U 5111 2608 Handling message at 0x010A7FF8 (339 bytes)

12/06/2006 14:22:52 A 0000 0960 Logger CSV TACACS+ Accounting: filter denies logging

Resolution For a workaround:

Download and install these patches from Cisco Downloads:

CiscoSecure ACS for Microsoft Windows

Acs_4.1.1.23.5-SW.zip?ACS 4.1.1.23.1 accumulative patch