10-06-2011 03:56 AM - edited 03-10-2019 06:27 PM
Hi all,
I'm trying to log commands with my ACS 4.2 version, but the cmd section remains empty. Can someone help me to figure out why the commands are not logged?
The infrastructure is configured for accounting as follows:
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
Logging in ACS is set to default and the CSV report is enabled.
Debugging on a switch gives a successful accounting response, and a packet capture at the ACS server gives an indication that packets are received by the server, but due to the native encryption of the TACACS protocol I'm not able to verify the content.
So the question would be: why is the ACS not able to log any commands under TACACS+ Accounting?
The system release is CiscoSecure ACS Release 4.2(1) Build 15 Patch 2. There was an issue (CSCsm23558) with accounting in ACS 4.1, but it should be solved according to the release notes for ACS 4.2.
Any advice or hint to bring a bit of light into the darkness would be much appreciated!
Thanks
Nico
05-30-2012 03:35 PM
I am having a similar issue.
I have an ASA running 8.4(2) and I enabled accounting as well. I can see that the ASA is sending the accounting packets to the server, but the server logs don't show anything.
ASA#
aaa accounting command server-group
aaa accounting enable console server-group
aaa accounting ssh console server-group
aaa accounting serial console server-group
Server Group: server-group
Server Protocol: tacacs+
Server Address: xxx.xxx.xxx.xxx
Server port: 49
Server status: ACTIVE, Last transaction at 15:33:03 PDT Wed May 30 2012
Number of pending requests 0
Average round trip time 15ms
Number of authentication requests 8100
Number of authorization requests 8247
Number of accounting requests 25
Number of retransmissions 0
Number of accepts 16028
Number of rejects 325
Number of challenges 27
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 19
Number of unrecognized responses 0
Release 4.2(1) Build 15 Patch 8
ACS 4.2 doesn't show me anything in the logs.
Version: Release 4.2(1) Build 15 Patch 8
05-31-2012 05:33 AM
Hi there,
In ACS 4.x the section that you need to check for accounting is "TACACS+ Administration", let me know what you see in this section.
One thing that you should keep in mind, iceteanolemon, is that on firewalls the "show" commands are not going to be sent to the ACS for accounting; the firewall is designed that way:
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/command/reference/a1.html
"To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode."
Rate if it helps.
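To check what a device actually puts into its accounting packets (the original question notes that the capture could not be read because the TACACS+ body is obfuscated), here is an added example that is not part of any post in this thread. It builds a TACACS+ accounting REQUEST with the RFC 8907 body obfuscation and parses one back with the shared secret, so a defender holding the secret can confirm whether a cmd= argument is present. The secret, username, port, address and arguments are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_VER = 0xC0   # major version 12, minor 0
TAC_PLUS_ACCT = 3     # header type: accounting
ACCT_FLAG_STOP = 0x04 # accounting flags: 0x02 START, 0x04 STOP, 0x08 WATCHDOG
UNENCRYPTED = 0x01    # header flag: body sent in clear (should never be set in production)

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5(session_id, key, version, seq_no[, previous digest]) chained."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

def build_acct_request(session_id, seq_no, key, user, port, rem_addr, args, flags=ACCT_FLAG_STOP):
    # Body: flags, authen_method(6=TACACSPLUS), priv_lvl, authen_type(1=ASCII), authen_service(1=LOGIN),
    # user_len, port_len, rem_addr_len, arg_cnt, arg lens, then user, port, rem_addr and the args.
    argb = [a.encode() for a in args]
    body = bytes([flags, 6, 15, 1, 1, len(user), len(port), len(rem_addr), len(argb)])
    body += bytes(len(a) for a in argb)
    body += user.encode() + port.encode() + rem_addr.encode() + b"".join(argb)
    hdr = struct.pack("!BBBBII", TAC_PLUS_VER, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    return hdr + xor(body, pseudo_pad(session_id, key, TAC_PLUS_VER, seq_no, len(body)))

def parse_acct_request(packet, key):
    """De-obfuscate one captured accounting REQUEST and return its fields as a dict."""
    version, ptype, seq_no, hflags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_ACCT:
        raise ValueError("not an accounting packet")
    body = packet[12:12 + length]
    if not hflags & UNENCRYPTED:
        body = xor(body, pseudo_pad(session_id, key, version, seq_no, length))
    aflags, _method, priv_lvl, _atype, _svc, ul, pl, rl, argc = body[:9]
    arg_lens, pos = body[9:9 + argc], 9 + argc
    fields = []
    for n in (ul, pl, rl, *arg_lens):   # user, port, rem_addr, then each arg
        fields.append(body[pos:pos + n].decode())
        pos += n
    return {"user": fields[0], "port": fields[1], "rem_addr": fields[2], "priv_lvl": priv_lvl,
            "stop": bool(aflags & ACCT_FLAG_STOP), "args": fields[3:]}

def commands_in(packet, key):
    """The commands a device reported in this accounting record (empty if none were sent)."""
    return [a[len("cmd="):] for a in parse_acct_request(packet, key)["args"] if a.startswith("cmd=")]
```

With a real capture, feed the 12-byte header plus body of each accounting REQUEST to `commands_in`; an empty list for every packet means the device never sent a cmd= argument, which the ACS report would then correctly show as empty.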
05-31-2012 07:57 AM
I noticed it about three minutes after posting!! Thanks for the reply; as always, you guys are awesome!