topic Re: TACACS+ Server not logging events. in Network Access Control

TACACS+ Server not logging events.

nos — Sun, 10 Mar 2019 21:02:57 GMT

Hi all,

I am having an issue with the tacacs+ server not logging login requests or commands entered. I am running the tac_plus.F4.0.4.alpha release that cisco provides for free on a mandrake 10.1 linux box. I am able to use the server to authenticate logins to the routers but it is not logging those requests.

Here is the config I used on one of our routers.

aaa group server tacacs+ prego

server xxx.xxx.xxx.xxx

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa accounting exec default start-stop group prego

aaa accounting commands 15 default start-stop group tacacs+

aaa session-id common

ip subnet-zero

Also here is a sh verion

Cisco Internetwork Operating System Software

IOS (tm) 3700 Software (C3725-IS-M), Version 12.2(15)ZJ3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)

TAC Support: http://www.cisco.com/tac

Compiled Thu 25-Sep-03 22:23 by eaarmas

Image text-base: 0x60008954, data-base: 0x61C2C000

ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)

ROM: 3700 Software (C3725-I-M), Version 12.2(8)T10, RELEASE SOFTWARE (fc1)

PRVGW3725 uptime is 10 weeks, 1 day, 7 hours, 35 minutes

System returned to ROM by power-on

System image file is "flash:c3725-is-mz.122-15.ZJ3.bin"

cisco 3725 (R7000) processor (revision 0.1) with 121856K/9216K bytes of memory.

Processor board ID JMX0749L1XC

R7000 CPU at 240Mhz, Implementation 39, Rev 3.3, 256KB L2 Cache

Bridging software.

X.25 software, Version 3.0.0.

2 FastEthernet/IEEE 802.3 interface(s)

2 Serial network interface(s)

DRAM configuration is 64 bits wide with parity disabled.

55K bytes of non-volatile configuration memory.

31360K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x2102

Any help would be great.

Thank you

Joseph Jackson

Re: TACACS+ Server not logging events.

dbshah2000 — Thu, 10 Mar 2005 05:07:29 GMT

you need to enable aaa authorisation on the router ( ios ) device

for e.g you want to log level 15 cmds then it would be like this

aaa authorisation commands level 15 default group tacacs+ if-authenticated

explore the Cisco IOS aaa authorisation cmds a little more & you will know what to do

Re: TACACS+ Server not logging events.

Richard Burts — Thu, 10 Mar 2005 14:45:02 GMT

I do not configure my routers with aaa authorization commands level 15 and my routers are reporting (accounting) level 15 commands just fine. So I disagree that this is required to get the results that he wants.

I notice in the original config that the accounting exec uses group prego while the authentication uses group tacacs+. I am not sure if there is an issue with the group prego but I would suggest changing the config for accounting to use group tacacs+ and see what happens.

HTH

Rick

Re: TACACS+ Server not logging events.

nos — Thu, 10 Mar 2005 17:02:29 GMT

Thank you both for replying to my post. I have entered what you both said but still no luck. Here is the updated config file showing the aaa stuff

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa session-id common

ip subnet-zero

If you guys can think of anything else I'll give it a try.

Re: TACACS+ Server not logging events.

Richard Burts — Thu, 10 Mar 2005 17:59:42 GMT

If you are able to authenticate via TACACS I would believe that this indicates that there is not a problem with your configuration of the TACACS server(s) (addresses are correct, keys are correct, etc) and that the TACACS server recognizes the router ok.

So I assume that either there is some problem on the router generating the accounting records. Or that there might be a problem on the server and receiving and processing the accounting records.

As a next step in investigating this issue I suggest that you run two debugs on the router:

debug aaa accounting

debug tacacs accounting

While the debug is running have someone access the router and login, access privilege mode, and execute several commands. Then post any debug output.

HTH

Rick

Re: TACACS+ Server not logging events.

nos — Thu, 10 Mar 2005 18:59:58 GMT

Rick,

I did both of those commands and then logged into the router from another crt term and did not see any debug msgs.

Re: TACACS+ Server not logging events.

Richard Burts — Thu, 10 Mar 2005 21:24:14 GMT

How are you looking for the debug messages? (are you logging to logging buffered debug and then using the show log command, or are you logged on somewhere with terminal monitor enabled while the testing activity takes place?)

Please do the test again and this time add another debug: debug tacacs authentication

That should generate some debug output. If we see the authentication output but no accounting output then there is a problem that the router is not generating accounting. If the authentication does not produce output then we have to look more carefully at where the output is going and how to find it.

HTH

Rick