02-26-2019 04:48 PM - edited 02-26-2019 04:54 PM
Hello
I was testing the Device Admin using Radius (instead of TACACS+) and I was quite impressed with how well it works for customers who only have a few devices and don't want to shell out the big bucks for a Device Admin license. And it kind of makes sense for a simple use case where a user just wants to get to priv exec (lvl 15) mode - it's what the customer is used to. They can of course make it more complex than this using the Cisco AVPair.
My only issue is that I was unable to tell the IOS-XE router (a CSR1000) that I want to log every command that the user entered. This is very easy with TACACS. Does anyone do this with Radius? I don't mean command Authorization ... I am specifically talking about logging (or accounting) the commands that have been entered during that session.
I have set up Radius Accounting at the start of the session, and also at the end of the session, to ensure that the ISE Base Licenses are handled correctly.
[abier@centos ~]$ ssh bob@172.16.1.240
Password:
CSR1#show run aaa
!
aaa authentication login default group radius-ise local
aaa authorization exec default group radius-ise if-authenticated
aaa accounting exec default start-stop group radius-ise
aaa accounting update newinfo
!
radius server ise02
 address ipv4 192.168.21.101 auth-port 1812 acct-port 1813
 key 7 15355B000079252370
!
!
aaa group server radius radius-ise
 server name ise02
 mac-delimiter colon
!
aaa new-model
I decided to place the Policy Rule at the end of the other stuff to avoid confusion - I check for NAS Port Type = Virtual, and NAS Port Id prefix "tty".
Some Wireshark analysis of the authentication.
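As an added example (not part of the post, and not Cisco or ISE tooling), the following Python script audits a "show run aaa" dump for accounting coverage. It parses the "aaa accounting" and "aaa group server" lines, resolves each method group to RADIUS or TACACS+, and flags the gap described above: exec (session) accounting is present, but there is no "aaa accounting commands" line, so the commands typed during the session are not logged. The POST_CONFIG sample is the config quoted in the post; TACACS_CONFIG and its server names are constructed for illustration.

```python
"""Audit the AAA accounting coverage of an IOS-XE 'show run aaa' dump.

Added example, not code from the forum post. Sample configs are embedded
so the script runs offline; TACACS_CONFIG is a constructed variant.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample 1: the config quoted in the post (key 7 string copied as posted).
POST_CONFIG = """\
aaa authentication login default group radius-ise local
aaa authorization exec default group radius-ise if-authenticated
aaa accounting exec default start-stop group radius-ise
aaa accounting update newinfo
!
radius server ise02
 address ipv4 192.168.21.101 auth-port 1812 acct-port 1813
 key 7 15355B000079252370
!
aaa group server radius radius-ise
 server name ise02
 mac-delimiter colon
!
aaa new-model
"""

# Sample 2: hypothetical TACACS+ variant (constructed; names are placeholders).
TACACS_CONFIG = """\
aaa group server tacacs+ tacacs-ise
 server name ise02-tacacs
!
aaa accounting exec default start-stop group tacacs-ise
aaa accounting commands 15 default start-stop group tacacs-ise
aaa accounting commands 1 default stop-only group tacacs-ise
"""


@dataclass
class AcctRule:
    kind: str                 # exec, commands, connection, network, system
    level: Optional[int]      # privilege level, present only for 'commands'
    list_name: str            # method list name, usually 'default'
    mode: str                 # start-stop, stop-only, wait-start, none
    groups: List[str] = field(default_factory=list)


ACCT_RE = re.compile(
    r"^aaa accounting (?P<kind>exec|commands|connection|network|system)"
    r"(?: (?P<level>\d+))?"
    r" (?P<list>\S+)"
    r" (?P<mode>start-stop|stop-only|wait-start|none)"
    r"(?P<methods>.*)$"
)
GROUP_RE = re.compile(r"^aaa group server (?P<proto>radius|tacacs\+) (?P<name>\S+)")


def server_group_protocols(config: str) -> Dict[str, str]:
    """Map each method-group name to 'radius' or 'tacacs+'.

    The built-in groups 'radius' and 'tacacs+' (all servers of that
    protocol) are pre-populated.
    """
    protos = {"radius": "radius", "tacacs+": "tacacs+"}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            protos[m.group("name")] = m.group("proto")
    return protos


def parse_accounting(config: str) -> List[AcctRule]:
    """Extract every 'aaa accounting <kind> ...' rule from the dump."""
    rules = []
    for line in config.splitlines():
        m = ACCT_RE.match(line.strip())
        if not m:
            continue  # e.g. 'aaa accounting update newinfo' is not a rule
        level = int(m.group("level")) if m.group("level") else None
        groups = re.findall(r"group (\S+)", m.group("methods"))
        rules.append(AcctRule(m.group("kind"), level, m.group("list"),
                              m.group("mode"), groups))
    return rules


def audit(config: str, priv_level: int = 15) -> List[str]:
    """Return findings as strings; an empty list means no gaps were found."""
    protos = server_group_protocols(config)
    rules = parse_accounting(config)
    findings = []
    if not any(r.kind == "exec" for r in rules):
        findings.append("no exec (session) accounting configured")
    if not any(r.kind == "commands" and r.level == priv_level for r in rules):
        findings.append(f"no 'aaa accounting commands {priv_level}' line: "
                        f"commands typed at level {priv_level} are not logged")
    for r in rules:
        for g in r.groups:
            if g not in protos:
                findings.append(f"{r.kind} accounting uses undefined group '{g}'")
    return findings


def describe(config: str) -> List[str]:
    """One line per rule, naming the protocol behind each method group."""
    protos = server_group_protocols(config)
    return [f"{r.kind}{' ' + str(r.level) if r.level is not None else ''} "
            f"{r.list_name} {r.mode} via "
            + ", ".join(f"{g} ({protos.get(g, 'undefined')})" for g in r.groups)
            for r in parse_accounting(config)]


if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("tacacs", TACACS_CONFIG)):
        print(name, describe(cfg), audit(cfg))
```

Run against the posted config it reports one finding (no "aaa accounting commands 15" line); the constructed TACACS+ sample passes at level 15 and fails for any other level you ask about, which is the check to run across a fleet before assuming command-level logs exist.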
02-26-2019 07:11 PM