topic Re: Juniper devices and allot no logs for tacacs command accounting in Network Access Control

Juniper devices and allot no logs for tacacs command accounting

drbadar1126 — Fri, 29 Nov 2024 05:23:53 GMT

I enrolled juniper devices and allot in Cisco ISE, but i notice there is no logs for tacacs command accounting. but all of our cisco devices showing logs history of commands inputted. please help

Re: Juniper devices and allot no logs for tacacs command accounting

Arne Bier — Fri, 29 Nov 2024 06:38:38 GMT

There is nothing required on the ISE side to record/log TACACS+ command accounting. The NAD devices are responsible for sending those accounting requests to the TACACS+ server.

I don't know anything about Juniper commands, but in the IOS world there are generally at least two commands required. Accounting for the exec level

aaa accounting exec default start-stop group dnac-network-access-group

TACACS+ Accounting must be enabled for every Priv Level for which command accounting is required - e.g. for priv 15

aaa accounting commands 15 default start-stop group dnac-network-access-group

But if I recall, simple commands like "show version" are not run level 15. I think you have to include priv 1 as well. Therefore I tend to do this:

aaa accounting commands 0 default start-stop group dnac-network-tacacs-group aaa accounting commands 1 default start-stop group dnac-network-tacacs-group aaa accounting commands 15 default start-stop group dnac-network-tacacs-group

Your question is possibly more aimed at a Juniper forum - but see what you can configure on the box and perhaps it's vaguely similar

Re: Juniper devices and allot no logs for tacacs command accounting

drbadar1126 — Fri, 29 Nov 2024 06:45:53 GMT

thank you for your kind reply. is device profile configuration in ISE will provide also the solution? please see https://community.cisco.com/t5/security-knowledge-base/ise-third-party-nad-profiles-and-configs/ta-p/3648719

Re: Juniper devices and allot no logs for tacacs command accounting

Arne Bier — Fri, 29 Nov 2024 07:04:35 GMT

ISE Network Device Profiles are there to normalise the RADIUS requirements in multi-vendor products - e.g. you tell ISE in which format a Juniper switch would make a MAB request, or how to send a CoA to a Juniper device. It does not apply to TACACS+. TACACS+ is mostly very well supported and documented for Cisco devices (since it's a Cisco protocol) - but other vendors do implement TACACS+, but not sure whether they always support the same features - e.g. per command accounting. If they send the correctly formatted TACACS+ requests to ISE, then ISE should interpret and log those requests.

You have to explore the Juniper TACACS+ commands to see what's possible.

If you have Juniper devices in your ISE, then you could also use a Cisco Network Device Profile. But usually, it's nicer for readability/documentation if you made a Juniper profile (tick TACACS+ box) and then apply that to your Juniper Network Devices in ISE.

RADIUS is a lot more complex, and you can adapt the 3rd party vendor products to work in harmony with ISE Normalised configs. And with RADIUS you must/should always tag your RADIUS Authorization Profiles with that same Device Profile (e.g. Juniper). With TACACS+, there is no requirement/possibility to do this.

Re: Juniper devices and allot no logs for tacacs command accounting

MHM Cisco World — Fri, 29 Nov 2024 07:04:42 GMT

there are two
TACACS have two parts for device admin
1- TACACS commend sets <<- here is issue from what you see in cisco and juniper
2- TACACS profile <<- this will allow user to auth and give it privilege

Re: Juniper devices and allot no logs for tacacs command accounting

Arne Bier — Fri, 29 Nov 2024 07:10:09 GMT

@MHM Cisco World - the guy is asking about TACACS+ command accounting. You don't configure that in ISE or in any TACACS+ server. Clients make Accounting requests to the server ... it's the same for any vendor (Cisco, Juniper, etc.) - Accounting is configured on the NAD. And as long as the vendor has implement TACACS protocol correctly, ISE will log and allow reporting etc.

Re: Juniper devices and allot no logs for tacacs command accounting

drbadar1126 — Fri, 29 Nov 2024 07:12:25 GMT

thank you, i checked my configuration and found out there is no accounting command in juniper device. i will try to add and i will give an update

Re: Juniper devices and allot no logs for tacacs command accounting

drbadar1126 — Fri, 29 Nov 2024 07:13:37 GMT

thank you, i will check the video for my reference,

Re: Juniper devices and allot no logs for tacacs command accounting

drbadar1126 — Sat, 30 Nov 2024 04:15:33 GMT

FYI and update, after adding

set system accounting events login

set system accounting events change-log

set system accounting events interactive-commands

set system accounting events configuration

set system accounting destination tacplus

Juniper commands is now logging in commands accounting