05-26-2017 10:41 AM
Hi Team,
Problem description:
CU is not able to see from his ISE server any accounting data from the Big Switch vendor (switch devices). He has an issue only with this vendor; other devices are working fine. We are able to see only accounting start/stop data, but not what he typed on the switch side.
Other information:
Tacacs+ secret key is MVHMGMT
What we can see from pcap is:
Frame 273: 249 bytes on wire (1992 bits), 249 bytes captured (1992 bits)
Ethernet II, Src: Dell_45:5a:24 (f4:8e:38:45:5a:24), Dst: Vmware_9a:01:9a (00:50:56:9a:01:9a)
Internet Protocol Version 4, Src: 10.97.10.9, Dst: 10.97.14.251
Transmission Control Protocol, Src Port: 49077 (49077), Dst Port: 49 (49), Seq: 1, Ack: 1, Len: 183
TACACS+
Major version: TACACS+
Minor version: 0
Type: Accounting (3)
Sequence number: 1
Flags: 0x00 (Encrypted payload, Multiple Connections)
Session ID: 4186501883
Packet length: 171
Encrypted Request
Decrypted Request
Flags: 0x08
Auth Method: NOT_SET (0x00)
Privilege Level: 1
Authentication type: ASCII (1)
Service: Login (1)
User len: 14
User: gabriel_gearip
Port len: 0
Remaddr len: 11
Remote Address: 10.94.75.18
Arg count: 4
Arg[0] length: 18
Arg[0] value: reason=cli.command
Arg[1] length: 24
Arg[1] value: task_id=Session@2fd50cda
Arg[2] length: 75
Arg[2] value: session_id=2fd50cda6333c47aa8f69cd6f4db70db8c3ffd8305cbdd7418271a2bcc47e8fb
Arg[3] length: 16
Arg[3] value: cmd_args=no shut
We can see the accounting data in the pcap: cmd_args=no shut
Troubleshooting:
In the PCAP we can see that the accounting request contains commands. However, ISE doesn't show any command in TACACS command accounting. TACACS accounting works for start and stop packets.
Checked the AAA configuration on the Big Cloud Fabric device and found that it only supports exec accounting and doesn't support command authorization or command accounting; that could be the reason behind not having command accounting.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfacct.html
Configuration for reference:
~~~~ Appliance ~~~~~~~~~~
Name : Big Cloud Fabric
Build date : 2017-04-30 00:05:42 UTC
Build user : bsn
Ci build number : 22
Ci job name : bcf-4.1.5
Community edition : False
Release string : Big Cloud Fabric 4.1.5 (bcf-4.1.5 #22)
Version : 4.1.5
standby CTC-DCD-FAB1-CNT2#
standby CTC-DCD-FAB1-CNT2# sh run | in aaa
! aaa
aaa accounting exec default start-stop group tacacs+ local
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
Attached pcap for reference
Any assistance would be appreciated.
Thanks in advance
Regards
Gagan
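To see why the command shows up in the capture but can only be recovered if the record is well-formed, the following added example (not from the thread, the customer or Big Switch) rebuilds the accounting REQUEST from the fields Wireshark decoded above, applies the standard TACACS+ body obfuscation (chained MD5 pseudo-pad, RFC 8907), and parses it back with strict length checks. The shared secret, the packet builder and every function name here are assumptions; the session ID, user, remote address and the four arguments are the values quoted in the capture.

```python
import hashlib
import struct

# Constructed sample values: they mirror the fields Wireshark decoded in the
# capture quoted in the thread, but the shared secret is a placeholder.
SESSION_ID = 4186501883
SHARED_SECRET = b"example-shared-secret"   # assumption, not the key from the thread
VERSION = 0xC0            # major version 0xC, minor version 0
TYPE_ACCOUNTING = 3
FLAG_UNENCRYPTED = 0x01   # when set, the body travels in clear text
HEADER_FMT = "!BBBBII"    # version, type, seq_no, flags, session_id, length (12 bytes)

SAMPLE_ARGS = [
    b"reason=cli.command",
    b"task_id=Session@2fd50cda",
    b"session_id=2fd50cda6333c47aa8f69cd6f4db70db8c3ffd8305cbdd7418271a2bcc47e8fb",
    b"cmd_args=no shut",
]


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 obfuscation keystream: MD5(session_id|key|version|seq_no|prev), chained."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR against the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_request(user, port, rem_addr, args, flags=0x08, priv_lvl=1):
    """Accounting REQUEST body: nine fixed bytes, one length byte per arg, then the strings."""
    fixed = struct.pack("!9B", flags, 0x00, priv_lvl, 1, 1,   # authen_method NOT_SET, ASCII, Login
                        len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def build_packet(body, seq_no=1, session_id=SESSION_ID, key=SHARED_SECRET):
    """Wrap a body in a TACACS+ header (flags 0x00 = obfuscated body) and obfuscate it."""
    header = struct.pack(HEADER_FMT, VERSION, TYPE_ACCOUNTING, seq_no, 0x00, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)


def parse_acct_request(body):
    """Parse a de-obfuscated accounting REQUEST body into a dict.

    Every declared length is checked against the bytes actually present, so a
    device that mis-formats its records fails loudly instead of yielding
    silently truncated attribute values."""
    if len(body) < 9:
        raise ValueError("body shorter than the fixed fields")
    (flags, _authen_method, priv_lvl, _authen_type, _service,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!9B", body[:9])
    off = 9
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    expected = off + user_len + port_len + rem_len + sum(arg_lens)
    if expected != len(body):
        raise ValueError(f"declared lengths total {expected}, body is {len(body)} bytes")
    user, off = body[off:off + user_len], off + user_len
    port, off = body[off:off + port_len], off + port_len
    rem_addr, off = body[off:off + rem_len], off + rem_len
    args = {}
    for n in arg_lens:
        # Mandatory args use "=", optional ones "*"; the capture only shows "=".
        name, _, value = body[off:off + n].decode("ascii", "replace").partition("=")
        args[name] = value
        off += n
    return {"flags": flags, "priv_lvl": priv_lvl, "user": user.decode(),
            "port": port.decode(), "rem_addr": rem_addr.decode(), "args": args}


def parse_packet(raw, key=SHARED_SECRET):
    """Parse a raw accounting REQUEST packet, de-obfuscating unless the clear-text flag is set."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, raw[:12])
    body = raw[12:12 + length]
    if ptype != TYPE_ACCOUNTING:
        raise ValueError(f"not an accounting packet (type {ptype})")
    if len(body) != length:
        raise ValueError("header length does not match the bytes on the wire")
    if not flags & FLAG_UNENCRYPTED:
        body = xor_body(body, session_id, key, version, seq_no)
    return parse_acct_request(body)


def cli_command(record):
    """Return the command carried by a command-accounting record, or None."""
    args = record["args"]
    return args.get("cmd_args") if args.get("reason") == "cli.command" else None


if __name__ == "__main__":
    body = build_acct_request(b"gabriel_gearip", b"", b"10.94.75.18", SAMPLE_ARGS)
    record = parse_packet(build_packet(body))
    print(record["user"], "->", cli_command(record))
```

The rebuilt body comes out at 171 bytes, matching the packet length in the capture, which is a quick way to confirm a device's record is at least structurally consistent before blaming the server for dropping it.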
05-26-2017 11:27 AM
If this is the snippet of your AAA config:
aaa accounting exec default start-stop group tacacs+ local
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
You don't have any command accounting enabled. You are only doing exec accounting which is exactly what you are seeing in the logs. You need to add:
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
You probably only care about level 15 commands.
05-26-2017 11:50 AM
Thanks Paul for responding.
It means this is expected behavior from ISE in terms of TACACS command accounting not showing any logs from this device. The device is not capable of command accounting. There is only an exec authorization option.
The only concern the customer has is about the pcap, where we can see commands coming in the accounting packet but they don't show up in command accounting.
Regards
Gagan
05-26-2017 12:03 PM
Hmm yeah that is odd about the PCAP. I wonder if the device is not formatting the command accounting correctly as it doesn't truly support it. You could PCAP a device that supports command accounting for sure and compare the fields. Not even sure why it would be sending the command accounting packets. Looks like a bad implementation of TACACS on the Big Cloud Fabric device.