https://community.cisco.com/t5/network-access-control/question-about-usage-of-aaa-accounting-commands/m-p/678907#M421461 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>Thank you very much for your reply.</P><P>I understand it !</P><P></P><P>Best regards,</P></BODY></HTML> Fri, 02 Mar 2007 00:36:13 GMT snakayama 2007-03-02T00:36:13Z https://community.cisco.com/t5/network-access-control/question-about-usage-of-aaa-accounting-commands/m-p/678904#M421455 <P>Hi everyone,</P><P></P><P>I have the problem that Cisco routers and switches do not send some accounting command</P><P>information to ACS.</P><P>Accounting commands do not send to ACS are "show log" and "show version".</P><P>Accounting commands send to ACS are "show runn", "conf t" and "debug"</P><P></P><P>The configuration of routers and switches is the following</P><P></P><P>----------</P><P>aaa new-model</P><P></P><P>aaa authentication login default group tacacs+ line</P><P>aaa authorization commands 15 default group tacacs+ none</P><P>aaa accounting exec default start-stop group tacacs+</P><P>aaa accounting commands 15 default start-stop group tacacs+</P><P>tacacs-server host xxx.xxx.xxx.xxx key yyyy</P><P>----------</P><P></P><P>I think the commands do not send to ACS are privilege level 1 command and the commands </P><P>send to ACS are privilege level 15 command.</P><P>So I need to additional aaa accounting command below to get routers and switches send level 1 </P><P>command to ACS, because the "15" of "aaa accounting commands 15" does not include level 1</P><P>so need to configure "aaa accounting commands 1" for level 1 commands.</P><P></P><P>aaa accounting commands 1 default start-stop group tacacs+</P><P></P><P>Is my understanding correct ?</P><P></P><P></P><P>Your information would be greatly appreciated.</P><P></P><P>Best regards,</P><P></P> Sun, 10 Mar 2019 22:01:06 GMT https://community.cisco.com/t5/network-access-control/question-about-usage-of-aaa-accounting-commands/m-p/678904#M421455 snakayama 2019-03-10T22:01:06Z https://community.cisco.com/t5/network-access-control/question-about-usage-of-aaa-accounting-commands/m-p/678905#M421457 <HTML><HEAD></HEAD><BODY><P>Hi, </P><P>plese do this and the router will send </P><P>everything to the ACS server, except </P><P>whatever you are doing to the router in http:</P><P></P><P>aaa new-model</P><P>aaa authentication login notac none</P><P>aaa authentication login VTY group tacacs+ local</P><P>aaa authentication enable default group tacacs+ enable</P><P>aaa authorization console</P><P>aaa authorization config-commands</P><P>aaa authorization exec notac none</P><P>aaa authorization exec VTY group tacacs+ if-authenticated none</P><P>aaa authorization commands 0 VTY group tacacs+ if-authenticated none</P><P>aaa authorization commands 1 VTY group tacacs+ if-authenticated none</P><P>aaa authorization commands 15 VTY group tacacs+ if-authenticated none</P><P>aaa authorization network VTY group tacacs+ if-authenticated none</P><P>aaa accounting exec VTY start-stop group tacacs+</P><P>aaa accounting commands 0 VTY start-stop group tacacs+</P><P>aaa accounting commands 1 VTY start-stop group tacacs+</P><P>aaa accounting commands 15 VTY start-stop group tacacs+</P><P>aaa accounting network VTY start-stop group tacacs+</P><P>aaa accounting connection VTY start-stop group tacacs+</P><P>aaa session-id common</P><P>ip http authentication aaa login-authentication VTY</P><P>ip http authentication aaa exec-authorization VTY</P><P></P><P>tacacs-server host 192.168.15.10 key 7 1446405858517C</P><P>tacacs-server directed-request</P><P></P><P>line con 0</P><P> exec-timeout 0 0</P><P> authorization exec notac</P><P> accounting commands 0 VTY</P><P> accounting commands 1 VTY</P><P> accounting commands 15 VTY</P><P> accounting exec VTY</P><P> logging synchronous</P><P> login authentication notac</P><P>line aux 0</P><P> session-timeout 35791</P><P> exec-timeout 35791 23</P><P> authorization exec notac</P><P> accounting commands 0 VTY</P><P> accounting commands 1 VTY</P><P> accounting commands 15 VTY</P><P> accounting exec VTY</P><P> login authentication notac</P><P> transport input all</P><P>line vty 0</P><P> exec-timeout 0 0</P><P> authorization commands 0 VTY</P><P> authorization commands 1 VTY</P><P> authorization commands 15 VTY</P><P> authorization exec VTY</P><P> accounting commands 0 VTY</P><P> accounting commands 1 VTY</P><P> accounting commands 15 VTY</P><P> accounting exec VTY</P><P> login authentication VTY</P><P></P><P>David </P><P>CCIE Security</P><P></P></BODY></HTML> Thu, 01 Mar 2007 11:51:35 GMT https://community.cisco.com/t5/network-access-control/question-about-usage-of-aaa-accounting-commands/m-p/678905#M421457 daviddtran 2007-03-01T11:51:35Z https://community.cisco.com/t5/network-access-control/question-about-usage-of-aaa-accounting-commands/m-p/678906#M421459 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>What you mentioned is correct.</P><P></P><P>Since you did not have level 1 command accounting enabled "show log" etc did not get sent to the ACS.</P><P></P><P>Adding level 1 accounting would solve the problem.</P><P></P><P>Regards,</P><P>Vivek</P></BODY></HTML> Thu, 01 Mar 2007 13:57:57 GMT https://community.cisco.com/t5/network-access-control/question-about-usage-of-aaa-accounting-commands/m-p/678906#M421459 Vivek Santuka 2007-03-01T13:57:57Z https://community.cisco.com/t5/network-access-control/question-about-usage-of-aaa-accounting-commands/m-p/678907#M421461 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>Thank you very much for your reply.</P><P>I understand it !</P><P></P><P>Best regards,</P></BODY></HTML> Fri, 02 Mar 2007 00:36:13 GMT https://community.cisco.com/t5/network-access-control/question-about-usage-of-aaa-accounting-commands/m-p/678907#M421461 snakayama 2007-03-02T00:36:13Z