Is there a problem with accounting and ACS 4.1

fbenny
Level 1

Good day all,

I just finished installing a brand new server with ACS 4.1.

When this new ACS 4.1 installation is approved, I will retire my old server that has ACS 3.1.

At this point the only problem that I have with ACS 4.1 is with accounting.

For example:

I used a test-router with all the necessary config pointing to my old ACS 3.1. Everything is working fine (authentication and accounting). If I enter a command on the test-router it is logged on the ACS 3.1.

Now, if I modify the test-router to point to the new ACS 4.1, the ACS 4.1 will authenticate the test-router properly, but will not log any command I enter in the test-router. I did a capture between the test-router and ACS 4.1 and the test-router is sending accounting statements to ACS 4.1.

There is a lot of different config from ACS 3.1 to 4.1, but as far as I can see the config on both ACS is as similar as possible.

Is there anybody out there that was able to have ACS 4.1 process accounting properly?

Any idea will help.

Thanks

Frank

Here is my config:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login NO-AUTH none

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 start-stop group tacacs+

aaa authorization commands 15 start-stop group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

!

tacacs-server host 192.168.100.16 key *******

(the above command is the only command that I change for pointing to ACS 3.1 or ACS 4.1)

tacacs-server directed-request

1 Accepted Solution

Please use the following link. There is a 4.1 accumulative patch which contains the bug fix.

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

Don't forget to download the readme text file also.

Rate me if this helps.


4 Replies

darpotter
Level 5

Do you know if the accounting is definitely arriving at the 4.1 server?

If you don't have a sniffer and you have the SW ACS you can do this:

>net stop cstacacs

>cstacacs -z -e

You'll see all the T+ packets dumped to the command prompt window. If stuff is arriving you know it has to be an ACS issue - most likely config.

Darran
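
An added example, not part of the original thread: when a capture is the only evidence, as in the original post, a short parser for the TACACS+ header and accounting REQUEST body (layout per RFC 8907) confirms that the router sent command-accounting records and shows what they carried. The shared key, user name, address and sample packet are constructed, and `xor_body`, `parse_packet` and `build_sample` are hypothetical helper names.

```python
import hashlib
import struct

TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}
ACCT_FLAGS = {0x02: "start", 0x04: "stop", 0x08: "watchdog"}

def xor_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """Apply the RFC 8907 MD5 pseudo-pad; the same call obfuscates and deobfuscates."""
    version, seq_no, session_id = header[0:1], header[2:3], header[4:8]
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(session_id + key + version + seq_no + block).digest()
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_packet(data: bytes, key: bytes) -> dict:
    """Decode one TACACS+ packet (a TCP payload); expand accounting requests."""
    if len(data) < 12 or data[0] >> 4 != 0xC or len(data) - 12 != int.from_bytes(data[8:12], "big"):
        raise ValueError("not a complete TACACS+ packet")
    _, ptype, seq_no, flags, session_id, _ = struct.unpack("!BBBBII", data[:12])
    # Header flag 0x01 means the body was sent in clear; otherwise remove the pad.
    body = data[12:] if flags & 0x01 else xor_body(data[:12], data[12:], key)
    info = {"type": TYPES.get(ptype, "unknown"), "seq_no": seq_no, "session_id": session_id}
    if ptype != 3 or seq_no % 2 == 0 or len(body) < 9:  # server replies use even seq_no
        return info
    acct_flags, _, priv_lvl, _, _, ulen, plen, rlen, argc = body[:9]
    lens, pos = body[9:9 + argc], 9 + argc
    if pos + ulen + plen + rlen + sum(lens) != len(body):
        raise ValueError("field lengths do not match body: wrong key or damaged capture")
    info["user"] = body[pos:pos + ulen].decode("ascii", "replace")
    pos += ulen + plen + rlen
    args = []
    for n in lens:
        args.append(body[pos:pos + n].decode("ascii", "replace"))
        pos += n
    info.update(record=[v for f, v in ACCT_FLAGS.items() if acct_flags & f], priv_lvl=priv_lvl, args=args)
    return info

def build_sample(key: bytes) -> bytes:
    """Constructed command-accounting stop record, standing in for a captured payload."""
    user, port, rem = b"frank", b"tty1", b"192.0.2.10"
    args = [b"task_id=42", b"service=shell", b"priv-lvl=15", b"cmd=show running-config <cr>"]
    body = bytes([0x04, 0x06, 15, 0x01, 0x01, len(user), len(port), len(rem), len(args)])
    body += bytes(len(a) for a in args) + user + port + rem + b"".join(args)
    header = struct.pack("!BBBBII", 0xC0, 3, 1, 0, 0x1A2B3C4D, len(body))
    return header + xor_body(header, body, key)

if __name__ == "__main__":
    print(parse_packet(build_sample(b"constructed-key"), b"constructed-key"))
```

If records like this are visible in the capture but absent from the ACS logs, the loss is on the server side, which is the same conclusion the `cstacacs -z -e` dump leads to.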

ACS 4.1.1.23 build has a bug on TACACS command accounting. The patch for this has been released and is available on CCO.

Good day,

If possible, could you please put the link for this patch? I cannot find it in CCO.

Thanks

Frank.
