Cisco ISE doesn't show set commands in TACACS Command Accounting

dijix1990 · ‎10-07-2024

I found interesting things in ISE 3.2. I configured policy set for some users after some time I wanted to get report "TACACS Command Accounting" and for users with policy set I could see only two commands

terminal no monitor
terminal pager 0

but if I open detail report on the "Live Logs" I can see that there are commands which I permited

for other users without comands policy sets (just priv 15) I can see all the command which were performed on the device

problem only for FW

ahollifield · ‎10-07-2024

What is "FW"? Sounds like the NAD is not sending or is not properly configured for TACACS+ Accounting.

dijix1990 · ‎10-07-2024

Firewall, not properly? But why for users without tacacs command policy sets I can see every commands via report?

ahollifield · ‎10-07-2024

What is the firewall device? Maybe that particular NAD doesn't send TACACS+ accounting when a command set is applied for TACACS+ Authorization? Not sure. Where as if no command set is assigned then the NAD does send TACACS+ accounting?

dijix1990 · ‎10-07-2024

It's different, frp1010/2120/4125 with asa software. Don't know why, I just delete command set for particular users and after it I can see via report. And I can see every commands for users with command set via Tacacs Live page. Strange behaviour

ahollifield · ‎10-07-2024

That’s weird for sure, I would open a TAC case. Why ASA and not FTD though? Nothing to do with the question just curious

dijix1990 · ‎10-08-2024

We are going to move to FTD next year.

MHM Cisco World · ‎10-07-2024

The command is from FMC for firepower so you need to config fmc with ISE tacacs

Also same for ASDM (not sure how we can config it).

I. E. FW need to use cli for tacacs work correctly

https://docs.calebsargeant.com/en/latest/networking/cisco/core-security/network-security-with-cisco-firepower/2.-configuring-aaa-on-an-ftd-appliance-for-use-with-cisco-ise.html

MHM