08-12-2002 11:00 AM - edited 02-21-2020 10:02 AM
Does ACS 3.0 have logging that detects any changes made on the switches or routers? Can someone point me in the right direction? I noticed it only logged who logged in and at what time. Thank you in advance.
08-12-2002 04:49 PM
ACS 3.0 will log all accounting packets, depending on what the NAS is capable of sending. If you need to log commands that are processed on the NAS, you will need to utilise command authorization.
Command authorization works only with TACACS+ and will query the ACS server every time someone enters a command to ensure they are allowed to run the command. Accounting can then be done when the requests are approved by the ACS server.
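What the accounting side of that answer gives you in practice, as an added example that is not part of the original thread or of ACS itself: once `aaa accounting commands` is on, every command the NAS accepts arrives at ACS as a TACACS+ accounting record, and the "who changed what, where" question in the original post becomes a matter of reading those records. The script below parses a constructed CSV export in the shape ACS writes for TACACS+ accounting and pulls out the commands entered in configuration mode per session. The column names and the sample rows are assumptions made for this example (check them against your own ACS report header), as is the `<cr>` suffix IOS appends to each accounted command.

```python
import csv
import io
from collections import defaultdict

# Constructed sample accounting export. The column names below are assumed
# for this example and are not a copy of the ACS 3.0 TACACS+ Accounting
# report header; adjust them to whatever your ACS CSV actually contains.
# EXEC start/stop records carry an empty cmd; command accounting records
# (IOS sends them as stop records) carry the command, suffixed with <cr>.
SAMPLE_CSV = """\
Date,Time,User-Name,Group-Name,Caller-Id,Acct-Flags,service,NAS-Portname,NAS-IP-Address,cmd,priv-lvl
08/12/2002,10:55:12,jdoe,netops,10.64.21.17,start,shell,tty2,10.64.21.251,,15
08/12/2002,10:55:40,jdoe,netops,10.64.21.17,stop,shell,tty2,10.64.21.251,show running-config <cr>,15
08/12/2002,10:56:02,jdoe,netops,10.64.21.17,stop,shell,tty2,10.64.21.251,configure terminal <cr>,15
08/12/2002,10:56:30,jdoe,netops,10.64.21.17,stop,shell,tty2,10.64.21.251,interface FastEthernet0/1 <cr>,15
08/12/2002,10:56:45,jdoe,netops,10.64.21.17,stop,shell,tty2,10.64.21.251,no shutdown <cr>,15
08/12/2002,11:02:11,asmith,helpdesk,10.64.21.33,stop,shell,tty3,10.64.21.251,show interfaces <cr>,1
08/12/2002,11:10:00,jdoe,netops,10.64.21.17,stop,shell,tty2,10.64.21.251,,15
"""


def _clean(cmd):
    """Strip the trailing <cr> that IOS appends to accounted commands."""
    cmd = cmd.strip()
    if cmd.endswith("<cr>"):
        cmd = cmd[:-4].strip()
    return cmd


def parse_accounting(text):
    """Parse an ACS-style CSV accounting export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def command_records(rows):
    """Only the rows that carry a command, with <cr> stripped."""
    out = []
    for r in rows:
        cmd = _clean(r["cmd"])
        if cmd:
            out.append({**r, "cmd": cmd})
    return out


def config_changes(rows):
    """Commands entered in configuration mode, as (user, nas, time, cmd).

    Config mode is tracked per session key (user, NAS, port): it opens on
    'configure ...' and closes on 'end' or on the EXEC stop record (empty
    cmd), so commands from an earlier session cannot leak into a later one
    on the same line."""
    in_config = {}
    changes = []
    for r in rows:
        key = (r["User-Name"], r["NAS-IP-Address"], r["NAS-Portname"])
        cmd = _clean(r["cmd"])
        if not cmd:                          # EXEC start/stop: session boundary
            in_config[key] = False
        elif cmd.startswith("configure"):
            in_config[key] = True
        elif in_config.get(key):
            if cmd == "end":
                in_config[key] = False
            else:
                changes.append((r["User-Name"], r["NAS-IP-Address"], r["Time"], cmd))
    return changes


def commands_by_user(rows):
    """Every accounted command grouped by user, in the order it was run."""
    summary = defaultdict(list)
    for r in command_records(rows):
        summary[r["User-Name"]].append(r["cmd"])
    return dict(summary)


if __name__ == "__main__":
    rows = parse_accounting(SAMPLE_CSV)
    for user, nas, when, cmd in config_changes(rows):
        print(f"{when} {user}@{nas}: {cmd}")
```

Two things worth noticing: accounting only records commands the NAS actually accepted, so a command that command authorization denied never appears here, and a user who walks into configuration mode through something other than `configure terminal` would not be tracked by this simple state machine.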
08-13-2002 08:22 AM
Thanks, Alison. Do you happen to know the links to the documentation for basic command authorization so I can take a look?
08-13-2002 03:21 PM
There are two choices as far as the ACS 3.0 configuration is concerned: you can either implement shared profile components, or you can simply add the command authorization straight to the group settings.
Shared Profile Components (for Command Authorization Sets): http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/c.htm#xtocid1001113
Configuring a Shell Command Authorization Set for a User Group: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/g.htm#xtocid1197921
As for a NAS sample config, there is not one currently on the Cisco website; however, the following is one that I had working in the lab:
manning#wr t
Building configuration...
Current configuration : 1251 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname manning
!
aaa new-model
! Logins on the "default" list (used by every line that names no list of
! its own) are authenticated against TACACS+; the console gets "none" so a
! server outage cannot lock you out of the box.
aaa authentication login default group tacacs+
aaa authentication login console none
! Also authorize commands entered in configuration mode (this is the IOS
! default; it is shown explicitly here).
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization exec console none
! Every privilege-15 command is sent to ACS for authorization before it
! runs; this is what makes a command authorization set take effect.
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 console none
! EXEC sessions plus level-1 and level-15 commands are accounted to ACS;
! the per-command records come from these two "commands" lines.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
enable secret 5 $1$KdQu$nA9WcTUL295k9jp7jpVsK.
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
interface FastEthernet0/0
 ip address 10.64.21.251 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.64.21.241
ip http server
!
! ACS server address and the shared TACACS+ key (a lab value, stored in
! clear text because service password-encryption is off above).
tacacs-server host 10.64.21.242 key cisco123
!
line con 0
 exec-timeout 0 0
 authorization commands 15 console
 authorization exec console
 login authentication console
line aux 0
line vty 0 4
! The two vty statements below reference method lists named "test", which
! are not defined in the aaa section above (only "default" and "console"
! are); command authorization on the vtys comes from the "default" list.
 authorization exec test
 login authentication test
!
no scheduler allocate
end
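To make the ACS side of this concrete, here is an added example that is not part of the original post and not ACS code: a small Python model of how a shell command authorization set (the "Shared Profile Components" object linked above, or the same thing entered directly on a group) decides each request the NAS config above sends. IOS forwards the command word as `cmd=` and the rest of the line as `cmd-arg=` values; ACS looks up the command, walks the argument patterns in order (each one `permit` or `deny`), and falls back to the per-command "permit unmatched args" setting, or to the set-level "unmatched commands" setting when the command itself has no entry. The helpdesk set, its patterns and the replayed session are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CommandRule:
    """One command entry of a shell command authorization set: an ordered
    list of (permit|deny, regex) argument patterns plus the per-command
    'permit unmatched args' setting."""
    args: List[Tuple[str, str]] = field(default_factory=list)
    permit_unmatched_args: bool = False


@dataclass
class CommandAuthSet:
    """A set: command entries keyed by the command word, plus the
    set-level 'unmatched commands' default (permit or deny)."""
    rules: Dict[str, CommandRule] = field(default_factory=dict)
    permit_unmatched_commands: bool = False


def authorize(auth_set, cmd, cmd_args):
    """Decide one TACACS+ command authorization request.

    cmd is the command word IOS sends as cmd=; cmd_args is the rest of
    the line as one string (the trailing <cr> already dropped). First
    matching argument pattern wins; unmatched falls back to the settings."""
    rule = auth_set.rules.get(cmd)
    if rule is None:
        return auth_set.permit_unmatched_commands
    for action, pattern in rule.args:
        if re.search(pattern, cmd_args):
            return action == "permit"
    return rule.permit_unmatched_args


def authorize_line(auth_set, line):
    """Split a typed command line the way the NAS would and authorize it."""
    cmd, _, rest = line.strip().partition(" ")
    return authorize(auth_set, cmd, rest.strip())


def helpdesk_set():
    """Constructed example set: show anything except the running config,
    ping anything off the 10.64.x.x management range, and nothing else."""
    return CommandAuthSet(
        rules={
            "show": CommandRule(args=[("deny", r"^running-config"),
                                      ("permit", r".*")]),
            "ping": CommandRule(args=[("deny", r"^10\.64\.")],
                                permit_unmatched_args=True),
            "configure": CommandRule(args=[("deny", r".*")]),
        },
        permit_unmatched_commands=False,
    )


def simulate_session(auth_set, lines):
    """Replay a session: one authorization round trip per typed command."""
    return [(line, "permit" if authorize_line(auth_set, line) else "deny")
            for line in lines]


if __name__ == "__main__":
    for line, decision in simulate_session(helpdesk_set(), [
        "show interfaces", "show running-config", "configure terminal",
        "ping 10.64.21.241", "ping 192.0.2.1", "reload",
    ]):
        print(f"{decision:6} {line}")
```

The order of the argument patterns matters: with `deny ^running-config` listed after `permit .*`, the permit would match first and the running config would be readable. Leaving "unmatched commands" at deny is the safe default; it is what turns `reload` into a denial without anyone having to think of it in advance.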