Cisco ACS server

Patrick Laidlaw
Level 4

Hello, I'm having problems logging exec commands with the Cisco ACS server when we use our own groups instead of the default command.

Currently we're trying to use the following commands for AAA:

aaa authentication login vtyport group tacacs+ enable
aaa authentication login consoleport group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec vtyport group tacacs+ if-authenticated
aaa authorization exec consoleport group tacacs+ if-authenticated
aaa authorization commands 15 vtyport group tacacs+ if-authenticated
aaa authorization commands 15 consoleport group tacacs+ if-authenticated
aaa authorization network vtyport group tacacs+
aaa authorization network consoleport group tacacs+
aaa accounting exec vtyport start-stop group tacacs+
aaa accounting exec consoleport start-stop group tacacs+
aaa accounting commands 15 vtyport start-stop group tacacs+
aaa accounting commands 15 consoleport start-stop group tacacs+
aaa accounting network vtyport start-stop group tacacs+
aaa accounting network consoleport start-stop group tacacs+
!
line vty 0 4
 access-class 102 in
 authorization commands 15 vtyport
 authorization exec vtyport
 accounting commands 15 vtyport
 login authentication vtyport
 transport input telnet

For some reason ACS will let me log in and records me logging in, but it won't log any of the commands I issue on the router. If I input the command "aaa accounting commands 15 default start-stop group tacacs+", Cisco ACS will then log. Does anyone have any idea why my groups won't log to the ACS server?

Thanks

2 Replies

pvanvuuren
Level 3

This is a bit strange. I tested this with the following config and it works fine.

aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login notac line
aaa authentication login vtyport group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec vtyport group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 vtyport group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting exec vtyport start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 15 vtyport start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
!
line vty 1
 password 7 045A
 authorization exec vtyport
 accounting commands 15 vtyport
 login authentication vtyport
!

I received the commands logged to the ACS server. I used this config on a 2950: IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(12c)EA1, RELEASE SOFTWARE (fc1).

Not sure if it's a bug in your IOS or perhaps something else. Try it again using a fresh AAA config.

P

Well, the issue is trying to do it with just the vtyport group and not the "default" group. When I use "aaa accounting commands 15 default start-stop group tacacs+" it works for me. I was just trying to figure out if there was some issue why I couldn't use just "aaa accounting commands 15 vtyport start-stop group tacacs+".

Thanks.
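The thread turns on whether a named accounting method list is actually in effect on a given line: a line that binds no list falls back to the default list, and if no default exists, command accounting is silently off for that line. As an added example (not from either poster), the Python audit below reads an IOS config, collects the global `aaa accounting commands` lists and reports which list, if any, covers each `line` block; the sample config is constructed to mirror the thread, and the check also flags a line that binds a list name never defined globally, a case the thread does not cover.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample: 'vtyport' is bound on the vty lines, the console line
# binds nothing, and no default command-accounting list is defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec vtyport start-stop group tacacs+
aaa accounting commands 15 vtyport start-stop group tacacs+
aaa accounting commands 15 consoleport start-stop group tacacs+
line con 0
 login authentication consoleport
line vty 0 4
 access-class 102 in
 accounting commands 15 vtyport
 login authentication vtyport
"""

# Global definitions: 'aaa accounting commands <level> <list> <record-type> ...'
ACCT_LIST_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) (?:start-stop|stop-only|wait-start|none)\b")
# Start of a line block, e.g. 'line con 0' or 'line vty 0 4' (unindented).
LINE_RE = re.compile(r"^line (\S+(?: \d+)*)\s*$")
# Per-line binding of a named list (indented sub-command of the line block).
BIND_RE = re.compile(r"^\s+accounting commands (\d+) (\S+)")


def parse_acct_lists(config: str) -> Set[Tuple[str, str]]:
    """Collect (privilege level, list name) for every global command-accounting list."""
    return {m.groups() for m in map(ACCT_LIST_RE.match, config.splitlines()) if m}


def audit_line_accounting(config: str, level: str = "15") -> Dict[str, str]:
    """Map each 'line ...' block to the command-accounting list effective on it.

    Values: the bound named list; 'default' when an unbound line is covered by
    the default list; 'UNDEFINED:<name>' when the bound list is never defined
    globally; 'NONE' when nothing covers the line (commands go unlogged).
    """
    defined = parse_acct_lists(config)
    result: Dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            current = m.group(1)
            result[current] = "default" if (level, "default") in defined else "NONE"
            continue
        if current is None or not raw.startswith(" "):
            current = None  # an unindented line ends the line block
            continue
        b = BIND_RE.match(raw)
        if b and b.group(1) == level:
            name = b.group(2)
            result[current] = name if (level, name) in defined else f"UNDEFINED:{name}"
    return result
```

Run against the poster's own running-config, a `NONE` or `UNDEFINED` entry pinpoints a line whose commands will never reach the TACACS+ accounting server.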