ACNS and TACACS+ Command Accounting

rlourenco
Level 1

I am trying to do AAA accounting for commands using a Content Engine CE-560 (ACNS 5.2.3 build b9) and Cisco Secure ACS (v3.1(1) build 27).

I have the following configuration:

tacacs key <encrypted>
tacacs host 10.20.250.200
tacacs host 10.10.250.200 primary
!
!
authentication login local enable secondary
authentication login tacacs enable primary
authentication configuration local enable secondary
authentication configuration tacacs enable primary
authentication fail-over server-unreachable
!
aaa accounting exec default start-stop tacacs
aaa accounting commands 0 default stop-only tacacs
aaa accounting commands 15 default start-stop tacacs
aaa accounting system default start-stop tacacs
!

Debugging AAA accounting activity on the CE, I can see the accounting information being sent to the TACACS server:

Bja-ce1(config)#telnet enable
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: [START] called (pam_tacplus v1.2.9)
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: tac_srv_no=2
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: username [rnbce] obtained
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: tty [pts/0] obtained
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: remote host address [0.0.0.0] obtained
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: Service [shell]
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: CmdLime [priv-lvl=15 cmd=telnet enable ]
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: TaskID [5267]
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: send packet to all servers
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: connected with fd=9 (srv 0)
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: [START] for [rnbce] sent successfully
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: [STOP] called (pam_tacplus v1.2.9)
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: tac_srv_no=2
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: username [rnbce] obtained
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: tty [pts/0] obtained
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: remote host address [0.0.0.0] obtained
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: Service [shell]
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: CmdLime [priv-lvl=15 cmd=telnet enable ]
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: TaskID [5267]
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: send packet to all servers
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: connected with fd=10 (srv 0)
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: [STOP] for [rnbce] sent successfully

Everything seems to work fine except that I cannot see in the ACS logs/reporting the commands entered on the CE command line. I can see log entries for the start and stop events but no information regarding which command was entered.

I cannot find info regarding this issue in the several docs I have come across.

Has anyone had this problem?

Thanks in advance.

Ricardo
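Before digging into the server side, it helps to confirm exactly which attributes the CE put on the wire for each command. The script below is an added example, not part of the original post or of ACNS/pam_tacplus: it parses pam_tacplus accounting debug lines of the form shown above, pairs START/STOP packets by TaskID, pulls priv-lvl and cmd out of the CmdLime line, and flags any packet that carries no cmd attribute at all (which would explain an empty command column on the server). The sample log is constructed; the third record (TaskID 5268, no cmd) is an assumed failure case for illustration.

```python
"""Parse pam_tacplus accounting debug output from an ACNS Content Engine and
report, per TaskID, what the device actually sent to the TACACS+ server."""
import re
from collections import defaultdict

# Constructed sample modelled on the debug lines in the post; TaskID 5268 is an
# assumed packet with no cmd attribute, added to show how such a case is flagged.
SAMPLE_DEBUG = """\
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: [START] called (pam_tacplus v1.2.9)
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: username [rnbce] obtained
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: tty [pts/0] obtained
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: Service [shell]
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: CmdLime [priv-lvl=15 cmd=telnet enable ]
Jun 23 17:59:24 Bja-ce1 config: ***pam_tac _pam_account: TaskID [5267]
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: [START] for [rnbce] sent successfully
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: [STOP] called (pam_tacplus v1.2.9)
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: username [rnbce] obtained
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: tty [pts/0] obtained
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: Service [shell]
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: CmdLime [priv-lvl=15 cmd=telnet enable ]
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: TaskID [5267]
Jun 23 17:59:25 Bja-ce1 config: ***pam_tac _pam_account: [STOP] for [rnbce] sent successfully
Jun 23 18:01:02 Bja-ce1 config: ***pam_tac _pam_account: [START] called (pam_tacplus v1.2.9)
Jun 23 18:01:02 Bja-ce1 config: ***pam_tac _pam_account: username [rnbce] obtained
Jun 23 18:01:02 Bja-ce1 config: ***pam_tac _pam_account: Service [shell]
Jun 23 18:01:02 Bja-ce1 config: ***pam_tac _pam_account: CmdLime [priv-lvl=15 ]
Jun 23 18:01:02 Bja-ce1 config: ***pam_tac _pam_account: TaskID [5268]
Jun 23 18:01:02 Bja-ce1 config: ***pam_tac _pam_account: [START] for [rnbce] sent successfully
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) config: "
    r"\*\*\*pam_tac _pam_account: (?P<msg>.*)$")
# attr=value pairs where the value may contain spaces (e.g. cmd=telnet enable)
ATTR_RE = re.compile(r"(\S+?)=(.*?)(?=\s+\S+=|\s*$)")
FIELD_PATTERNS = (
    ("user", r"username \[(.*?)\]"), ("tty", r"tty \[(.*?)\]"),
    ("rem_addr", r"remote host address \[(.*?)\]"),
    ("service", r"Service \[(.*?)\]"), ("task_id", r"TaskID \[(.*?)\]"),
)


def parse_attrs(text):
    """Turn the bracketed CmdLime payload into a dict of attribute -> value."""
    return {k: v.strip() for k, v in ATTR_RE.findall(text)}


def parse_records(debug_text):
    """Return one dict per accounting packet (START/STOP/WATCHDOG) in order."""
    records, current = [], None
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        called = re.match(r"\[(START|STOP|WATCHDOG)\] called", msg)
        if called:  # a new packet begins; following lines describe its fields
            current = {"type": called.group(1), "ts": m.group("ts"),
                       "host": m.group("host"), "attrs": {}, "sent": False}
            records.append(current)
            continue
        if current is None:
            continue
        for field, pat in FIELD_PATTERNS:
            fm = re.match(pat, msg)
            if fm:
                current[field] = fm.group(1)
        am = re.match(r"CmdLime \[(.*)\]", msg)
        if am:
            current["attrs"] = parse_attrs(am.group(1))
        if "sent successfully" in msg:
            current["sent"] = True
    return records


def sessions(records):
    """Group packets by TaskID and flag sessions whose packets carry no cmd."""
    by_task = defaultdict(dict)
    for r in records:
        by_task[r.get("task_id", "?")][r["type"]] = r
    report = []
    for task_id, pkts in by_task.items():
        first = pkts.get("START") or pkts.get("STOP")
        cmd = first["attrs"].get("cmd")
        report.append({"task_id": task_id, "user": first.get("user"),
                       "priv_lvl": first["attrs"].get("priv-lvl"), "cmd": cmd,
                       "has_start": "START" in pkts, "has_stop": "STOP" in pkts,
                       "problem": None if cmd else "no cmd attribute sent"})
    return report


if __name__ == "__main__":
    for s in sessions(parse_records(SAMPLE_DEBUG)):
        print(f"task {s['task_id']} user={s['user']} priv-lvl={s['priv_lvl']} "
              f"cmd={s['cmd']!r} start={s['has_start']} stop={s['has_stop']} "
              f"{s['problem'] or 'ok'}")
```

Run it against a captured debug transcript instead of SAMPLE_DEBUG to get a per-TaskID list of the commands the CE reported; if cmd is present here but absent in the server report, the gap is on the server side (report configuration or a server-side defect), not in what the device sent. Note that the attribute splitter assumes values do not themselves contain `=`.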

2 Replies

Zach Seils
Level 7

Hi Ricardo,

Which ACS log are you looking in?

In addition, can you check the priv-lvl field? You may be seeing CSCeg90529.

~Zach
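For readers checking the priv-lvl field as suggested above: in TACACS+ the privilege level travels twice in an accounting REQUEST, once as the priv_lvl byte of the packet body and once as a priv-lvl=N attribute-value argument alongside cmd (the pair pam_tacplus prints on its CmdLime line). The following is an added example, not code from this thread, from ACNS or from ACS; it builds and decodes an accounting REQUEST body per RFC 8907 section 7.1, including the MD5 pseudo-pad body obfuscation from section 4.5, so the two places can be inspected in a capture. The session id, key and argument list are constructed; the arguments mirror the post's CmdLime line rather than the separate cmd/cmd-arg attributes RFC 8907 defines.

```python
"""Encode/decode a TACACS+ accounting REQUEST (RFC 8907 sections 4.5 and 7.1)
to show where priv_lvl and the command attributes sit on the wire."""
import hashlib
import struct

TAC_PLUS_ACCT = 0x03                    # packet type: accounting
TAC_PLUS_ACCT_FLAG_START = 0x02
TAC_PLUS_ACCT_FLAG_STOP = 0x04
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # header flag: body sent without obfuscation
VERSION = (0xC << 4) | 0x0              # major 0xC, minor 0 -> 0xC0
HDR = struct.Struct("!BBBBII")          # version, type, seq_no, flags, session_id, length
BODY_FIXED = struct.Struct("!BBBBBBBBB")  # flags, authen_method, priv_lvl, authen_type,
                                          # authen_service, user_len, port_len, rem_addr_len, arg_cnt


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated, truncated."""
    sid = struct.pack("!I", session_id)
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; applying it twice restores the cleartext body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_request(flags, user, port, rem_addr, priv_lvl, args, *,
                       authen_method=0x06, authen_type=0x01, authen_service=0x01):
    """Defaults: authen_method 0x06 TACACSPLUS, authen_type 0x01 ASCII,
    authen_service 0x01 LOGIN (RFC 8907 section 5.1)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_b = [a.encode() for a in args]
    body = BODY_FIXED.pack(flags, authen_method, priv_lvl, authen_type, authen_service,
                           len(user_b), len(port_b), len(rem_b), len(arg_b))
    body += bytes(len(a) for a in arg_b)              # arg_1_len .. arg_N_len
    return body + user_b + port_b + rem_b + b"".join(arg_b)


def parse_acct_request(body):
    (flags, authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_len, arg_cnt) = BODY_FIXED.unpack(body[:BODY_FIXED.size])
    pos = BODY_FIXED.size
    arg_lens = list(body[pos:pos + arg_cnt]); pos += arg_cnt
    user = body[pos:pos + user_len].decode(); pos += user_len
    port = body[pos:pos + port_len].decode(); pos += port_len
    rem_addr = body[pos:pos + rem_len].decode(); pos += rem_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode()); pos += n
    return {"flags": flags, "priv_lvl": priv_lvl, "user": user, "port": port,
            "rem_addr": rem_addr, "args": args,
            # the server's report columns come from these attribute-value args
            "attrs": dict(a.split("=", 1) for a in args if "=" in a)}


def encode_packet(body, session_id, key, seq_no=1):
    header = HDR.pack(VERSION, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def decode_packet(packet, key):
    version, ptype, seq_no, hflags, session_id, length = HDR.unpack(packet[:HDR.size])
    body = packet[HDR.size:HDR.size + length]
    if not hflags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return parse_acct_request(body)


if __name__ == "__main__":
    # Constructed values: session id and key are placeholders, not from the post.
    body = build_acct_request(TAC_PLUS_ACCT_FLAG_START, "rnbce", "pts/0", "0.0.0.0", 15,
                              ["service=shell", "priv-lvl=15", "task_id=5267",
                               "cmd=telnet enable"])
    pkt = encode_packet(body, 0x1A2B3C4D, b"example-shared-key")
    print(pkt.hex())
    print(decode_packet(pkt, b"example-shared-key"))
```

Two things worth checking in a real capture with this decoder: that the header priv_lvl byte and the priv-lvl argument agree, and that a cmd argument is present in both the START and STOP packets, since a server that only keys its command report on one of them will show nothing if that one is missing it.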

Hi Zach,

Sorry for not replying to you sooner.

I looked for ACS accounting and administration logs.

But I could not find any info regarding commands inserted on the CE command line.

My Privilege level is 15.

I have the priv-lvl field selected in the Administration log configuration. But I have no information in this log.

Most probably I'm seeing CSCeg90529.

The only difference is that I'm running a 5.2 ACNS image and the first-found-in version for CSCeg90529 is a 5.3 release.

As soon as I have a confirmation I will post it here.

Thanks for your reply.

Regards,

Ricardo