https://community.cisco.com/t5/network-access-control/unable-to-configure-vty-accounting-during-initial-setup/m-p/4027623#M557015 <P>We do most device builds by template here. We recently have been rolling out tacacs and when following our template build, we get an error in the accounting lines in the vty config. Please see below:</P><P>&nbsp;</P><P><STRONG><U>aaa config from template:</U></STRONG></P><P>aaa new-model<BR />aaa authentication login default local-case<BR />aaa authentication login AAA-tacacs group CN-tacacs local-case<BR />aaa authentication login CONSOLE local-case<BR />aaa authentication enable default group CN-tacacs enable<BR />aaa authentication dot1x default group CN-radius<BR />aaa authorization console<BR />aaa authorization exec CONSOLE local<BR />aaa authorization exec AAA-tacacs group CN-tacacs local if-authenticated<BR />aaa authorization commands 1 default group CN-tacacs local if-authenticated<BR />aaa authorization commands 15 default group CN-tacacs local if-authenticated<BR />aaa accounting exec AAA-tacacs start-stop group CN-tacacs<BR />aaa accounting commands 1 AAA-tacacs start-stop group CN-tacacs<BR />aaa accounting commands 15 AAA-tacacs start-stop group CN-tacacs<BR />aaa accounting connection AAA-tacacs start-stop group CN-tacacs<BR />aaa session-id common</P><P>&nbsp;</P><P><U><STRONG>vty config from template:</STRONG></U></P><P>line con 0<BR />authorization exec CONSOLE<BR />logging synchronous<BR />login authentication CONSOLE<BR />stopbits 1<BR />session-timeout 5<BR />line vty 0 15<BR />access-class 1 in<BR />exec-timeout 15 0<BR />authorization exec AAA-tacacs<BR />accounting commands 1 AAA-tacacs<BR />accounting commands 15 AAA-tacacs<BR />accounting exec AAA-tacacs<BR />login authentication AAA-tacacs<BR />ipv6 access-class v6-VTY_ACCESS in<BR />transport input ssh<BR />transport output ssh</P><P>&nbsp;</P><P>What happens, though, is when applying the vty config after the aaa, we get these error messages:</P><P>Switch(config-line)#accounting commands 1 AAA-tacacs<BR />AAA: Warning accounting list "AAA-tacacs" is not defined for CMD priv 1</P><P>Switch(config-line)#accounting commands 15 AAA-tacacs<BR />AAA: Warning accounting list "AAA-tacacs" is not defined for CMD priv 15</P><P>&nbsp;</P><P>...and the accounting lines are absent from the config when I do a show run | s aaa</P><P>&nbsp;</P><P>This will work if you apply the aaa/vty config later, once the switch is deployed, but always fails during the initial build in the lab.&nbsp;</P><P>&nbsp;</P><P>Note: almost all lab builds are done offline on a bench and not connected to any network services.&nbsp;</P><P>&nbsp;</P><P>Any suggestions or ideas?</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you!</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 19:13:42 GMT Don Maker 2020-02-21T19:13:42Z https://community.cisco.com/t5/network-access-control/unable-to-configure-vty-accounting-during-initial-setup/m-p/4027623#M557015 <P>We do most device builds by template here. We recently have been rolling out tacacs and when following our template build, we get an error in the accounting lines in the vty config. Please see below:</P><P>&nbsp;</P><P><STRONG><U>aaa config from template:</U></STRONG></P><P>aaa new-model<BR />aaa authentication login default local-case<BR />aaa authentication login AAA-tacacs group CN-tacacs local-case<BR />aaa authentication login CONSOLE local-case<BR />aaa authentication enable default group CN-tacacs enable<BR />aaa authentication dot1x default group CN-radius<BR />aaa authorization console<BR />aaa authorization exec CONSOLE local<BR />aaa authorization exec AAA-tacacs group CN-tacacs local if-authenticated<BR />aaa authorization commands 1 default group CN-tacacs local if-authenticated<BR />aaa authorization commands 15 default group CN-tacacs local if-authenticated<BR />aaa accounting exec AAA-tacacs start-stop group CN-tacacs<BR />aaa accounting commands 1 AAA-tacacs start-stop group CN-tacacs<BR />aaa accounting commands 15 AAA-tacacs start-stop group CN-tacacs<BR />aaa accounting connection AAA-tacacs start-stop group CN-tacacs<BR />aaa session-id common</P><P>&nbsp;</P><P><U><STRONG>vty config from template:</STRONG></U></P><P>line con 0<BR />authorization exec CONSOLE<BR />logging synchronous<BR />login authentication CONSOLE<BR />stopbits 1<BR />session-timeout 5<BR />line vty 0 15<BR />access-class 1 in<BR />exec-timeout 15 0<BR />authorization exec AAA-tacacs<BR />accounting commands 1 AAA-tacacs<BR />accounting commands 15 AAA-tacacs<BR />accounting exec AAA-tacacs<BR />login authentication AAA-tacacs<BR />ipv6 access-class v6-VTY_ACCESS in<BR />transport input ssh<BR />transport output ssh</P><P>&nbsp;</P><P>What happens, though, is when applying the vty config after the aaa, we get these error messages:</P><P>Switch(config-line)#accounting commands 1 AAA-tacacs<BR />AAA: Warning accounting list "AAA-tacacs" is not defined for CMD priv 1</P><P>Switch(config-line)#accounting commands 15 AAA-tacacs<BR />AAA: Warning accounting list "AAA-tacacs" is not defined for CMD priv 15</P><P>&nbsp;</P><P>...and the accounting lines are absent from the config when I do a show run | s aaa</P><P>&nbsp;</P><P>This will work if you apply the aaa/vty config later, once the switch is deployed, but always fails during the initial build in the lab.&nbsp;</P><P>&nbsp;</P><P>Note: almost all lab builds are done offline on a bench and not connected to any network services.&nbsp;</P><P>&nbsp;</P><P>Any suggestions or ideas?</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you!</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 21 Feb 2020 19:13:42 GMT https://community.cisco.com/t5/network-access-control/unable-to-configure-vty-accounting-during-initial-setup/m-p/4027623#M557015 Don Maker 2020-02-21T19:13:42Z https://community.cisco.com/t5/network-access-control/unable-to-configure-vty-accounting-during-initial-setup/m-p/4027709#M557016 <P>Figured it out. Need to define the servers right after the aaa-new model..then the rest of it works as intended.</P> Tue, 11 Feb 2020 17:28:36 GMT https://community.cisco.com/t5/network-access-control/unable-to-configure-vty-accounting-during-initial-setup/m-p/4027709#M557016 Don Maker 2020-02-11T17:28:36Z