Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3046
Views
5
Helpful
3
Replies

command accounting not working in ACS 4.2

amaerklin
Level 1
Level 1

‎10-06-2011 03:56 AM - edited ‎03-10-2019 06:27 PM

Hi all,

I'm trying to log commands with my ACS 4.2 version, but the cmd section remains empty. Can someone help me to figure out why the commands are not logged?

infrastructure is configured for accounting as follows:

aaa accounting exec default stop-only group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

logging in ACS is set to default and CSV report is enabled.

debugging on a switch gives a successfull accounting response and a packet capture at the ACS server gives an indication that packets are received by the server, but due to native encryption of the TACACS protocol I'm not able to verify the content.

so the question would be: Why is the ACS not able to log any commands under TACACS+ Accounting?

system release is: CiscoSecure ACS Release 4.2.(1) Build 15 Patch 2, there was an issue (CSCsm23558) with accounting in ACS 4.1 but should be solved according release notes for ACS 4.2. 

any advice or hint to bring a bit light into the darkness would be much appreciated!

thanks

Nico

Labels:
0 Helpful
3 Replies 3

iceteanolemon
Level 5
Level 5

‎05-30-2012 03:35 PM

I am having a similar issue.

I have an ASA running 8.4(2) and I enabled accounting as well. I can see that the ASA is sending the accounting packets to the server but the server logs dont show anything.

ASA#

aaa accounting command server-group

aaa accounting enable console server-group

aaa accounting ssh console server-group

aaa accounting serial console server-group

Server Group:    server-group

Server Protocol: tacacs+

Server Address:  xxx.xxx.xxx.xxx

Server port:     49

Server status:   ACTIVE, Last transaction at 15:33:03 PDT Wed May 30 2012

Number of pending requests              0

Average round trip time                 15ms

Number of authentication requests       8100

Number of authorization requests        8247

Number of accounting requests           25

Number of retransmissions               0

Number of accepts                       16028

Number of rejects                       325

Number of challenges                    27

Number of malformed responses           0

Number of bad authenticators            0

Number of timeouts                      19

Number of unrecognized responses        0

Release 4.2(1) Build 15 Patch 8

Server Group:    server-group
Server Protocol: tacacs+
Server Address:  xxx.xxx.xxx.xxx
Server port:     49
Server status:   ACTIVE, Last transaction at 15:33:03 PDT Wed May 30 2012
Number of pending requests              0
Average round trip time                 15ms
Number of authentication requests       8100
Number of authorization requests        8247
Number of accounting requests           25
Number of retransmissions               0
Number of accepts                       16028
Number of rejects                       325
Number of challenges                    27
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      19
Number of unrecognized responses        0

ACS4.2 doesnt show me anything in the logs.

Version: Release 4.2(1) Build 15 Patch 8

0 Helpful

mauzamor
Level 1
Level 1
In response to iceteanolemon

‎05-31-2012 05:33 AM

Hi there,

In ACS 4.x the section that you need to check for accounting is "TACACS+ Administration", let me know what you see in this section.

One thing that you should keep in mind iceteanolemon is that in the firewalls the "show" commands are not going to be sent to the ACS for accounting, the firewall is designed that way:

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/a1.html

"To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode."

Rate if it helps.

iceteanolemon
Level 5
Level 5
In response to mauzamor

‎05-31-2012 07:57 AM

I noticed it about three minutes after posting!! Thanks for the reply, as always you guys are awesome!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents