ACS 3.0 logging detection

ROBERT TOGONON — Fri, 21 Feb 2020 18:02:49 GMT

Does ACS 3.0 has a logging that detects any changes done on the switches or routers? Can someone point me a right direction? I noticed it only logged who is login and on what time. Thank you in advance.

Re: ACS 3.0 logging detection

albadger — Mon, 12 Aug 2002 23:49:07 GMT

ACS 3.0 will log all accounting packets, depending on what the NAS is capable of sending. If you need to log commands that are processed on the NAS, you will need to utilise command authorization.

Command Authorization works only with Tacacs and will query the ACS server every time someone enters a command to ensure they are allowed to run the command. Accounting can then be done when the requests are approved by the ACS server.

Re: ACS 3.0 logging detection

ROBERT TOGONON — Tue, 13 Aug 2002 15:22:29 GMT

Thanks, Alison. Do you happen to know the links of documentation for basic command authorization for me to look at?

Re: ACS 3.0 logging detection

albadger — Tue, 13 Aug 2002 22:21:35 GMT

There are two choices in as far as the ACS 3.0 configuration is concerned - you can either implement shared profile components or you can simply add the command authorization straight to the group settings.

Shared Profile Components (for Command Authorization Sets): http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/c.htm#xtocid1001113

Configuring a Shell Command Authorization Set for a User Group: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/g.htm#xtocid1197921

As for a NAS sample config, there is not one currently on the Cisco website, however the following is one that I had working in the lab:

manning#wr t

Building configuration...

Current configuration : 1251 bytes

version 12.1

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname manning

aaa new-model

aaa authentication login default group tacacs+

aaa authentication login console none

aaa authorization config-commands

aaa authorization exec default group tacacs+

aaa authorization exec console none

aaa authorization commands 15 default group tacacs+

aaa authorization commands 15 console none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

enable secret 5 $1$KdQu$nA9WcTUL295k9jp7jpVsK.

--More--

2w6d: %SYS-5-CONFIG_I: Configured from console ! e

ip subnet-zero

ip audit notify log

ip audit po max-events 100

interface FastEthernet0/0

ip address 10.64.21.251 255.255.255.240

duplex auto

speed auto

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

ip classless

ip route 0.0.0.0 0.0.0.0 10.64.21.241

ip http server

tacacs-server host 10.64.21.242 key cisco123

line con 0

exec-timeout 0 0

authorization commands 15 console

authorization exec console

line aux 0

line vty 0 4

authorization exec test

no scheduler allocate

end

topic ACS 3.0 logging detection in Network Access Control

ACS 3.0 logging detection

Re: ACS 3.0 logging detection

Re: ACS 3.0 logging detection

Re: ACS 3.0 logging detection