Juniper devices and Allot: no logs for TACACS command accounting

drbadar1126
Level 1

I enrolled Juniper devices and Allot in Cisco ISE, but I notice there are no logs for TACACS command accounting, while all of our Cisco devices show a log history of the commands entered. Please help.

8 Replies

Arne Bier
VIP

There is nothing required on the ISE side to record/log TACACS+ command accounting. The NAD devices are responsible for sending those accounting requests to the TACACS+ server.

I don't know anything about Juniper commands, but in the IOS world there are generally at least two commands required. Accounting for the exec level:

aaa accounting exec default start-stop group dnac-network-access-group

TACACS+ accounting must be enabled for every priv level for which command accounting is required, e.g. for priv 15:

aaa accounting commands 15 default start-stop group dnac-network-access-group

But if I recall, simple commands like "show version" are not run at level 15. I think you have to include priv 1 as well. Therefore I tend to do this:

aaa accounting commands 0 default start-stop group dnac-network-tacacs-group
aaa accounting commands 1 default start-stop group dnac-network-tacacs-group
aaa accounting commands 15 default start-stop group dnac-network-tacacs-group

Your question is possibly more aimed at a Juniper forum, but see what you can configure on the box; perhaps it's vaguely similar.


Thank you for your kind reply. Will the device profile configuration in ISE also provide the solution? Please see https://community.cisco.com/t5/security-knowledge-base/ise-third-party-nad-profiles-and-configs/ta-p/3648719

TACACS has two parts for device admin:
1- TACACS command sets <<- here is the issue, from what you see in Cisco and Juniper
2- TACACS profile <<- this will allow the user to auth and gives it privilege

Thank you, I will check the video for my reference.

Arne Bier
VIP

ISE Network Device Profiles are there to normalise the RADIUS requirements in multi-vendor products, e.g. you tell ISE in which format a Juniper switch would make a MAB request, or how to send a CoA to a Juniper device. It does not apply to TACACS+. TACACS+ is mostly very well supported and documented for Cisco devices (since it's a Cisco protocol); other vendors do implement TACACS+, but I'm not sure whether they always support the same features, e.g. per-command accounting. If they send the correctly formatted TACACS+ requests to ISE, then ISE should interpret and log those requests.

You have to explore the Juniper TACACS+ commands to see what's possible.  

If you have Juniper devices in your ISE, then you could also use a Cisco Network Device Profile. But usually it's nicer for readability/documentation if you make a Juniper profile (tick the TACACS+ box) and then apply that to your Juniper Network Devices in ISE.

RADIUS is a lot more complex, and you can adapt the 3rd party vendor products to work in harmony with ISE Normalised configs. And with RADIUS you must/should always tag your RADIUS Authorization Profiles with that same Device Profile (e.g. Juniper).  With TACACS+, there is no requirement/possibility to do this.

Thank you, I checked my configuration and found out there is no accounting command in the Juniper device. I will try to add it and will give an update.

Arne Bier
VIP

@MHM Cisco World - the guy is asking about TACACS+ command accounting. You don't configure that in ISE or in any TACACS+ server. Clients make accounting requests to the server ... it's the same for any vendor (Cisco, Juniper, etc.): accounting is configured on the NAD. And as long as the vendor has implemented the TACACS+ protocol correctly, ISE will log it and allow reporting etc.
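What such a NAD-originated accounting record looks like on the wire, as an added example that is not from this thread, Cisco or Juniper: it builds a TACACS+ accounting REQUEST for one command per RFC 8907, obfuscates the body with the shared key, and then decodes it the way a server would before writing a log entry. The shared key, session id, user, port, address and command are constructed sample values; the function names are chosen here. Decoding with a different key makes the record unparseable, which is the other thing to verify when a correctly configured NAD still produces no command-accounting logs.

```python
"""Build and decode a TACACS+ accounting REQUEST (RFC 8907, section 7).

Added example, not from the thread: shows the record a NAD sends for one
command and the fields a TACACS+ server such as ISE extracts before logging.
The key, user, port, address and command below are constructed sample values.
"""
import hashlib
import struct

TAC_PLUS_ACCT = 0x03                 # header 'type' for accounting packets
TAC_PLUS_VERSION = 0xC0              # major version 0xC, minor version 0
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body sent in the clear
ACCT_FLAG_START, ACCT_FLAG_STOP = 0x02, 0x04
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def build_acct_request(key, session_id, user, port, rem_addr, priv_lvl, args,
                       acct_flags=ACCT_FLAG_STOP, seq_no=1):
    """Encode one accounting REQUEST as the NAD sends it (body obfuscated with `key`)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    body = (bytes([acct_flags, AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                   AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a)])
            + bytes(len(x) for x in a) + u + p + r + b"".join(a))
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0,
                         session_id, len(body))
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + bytes(b ^ k for b, k in zip(body, pad))


def decode_acct_request(key, packet):
    """Decode as the server does; returns the fields an accounting log line carries.
    Raises ValueError when the body does not parse, which is what a shared-key
    mismatch between NAD and server looks like from the server side."""
    version, ptype, seq_no, hflags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_ACCT or len(packet) != 12 + length:
        raise ValueError("not a well-formed accounting packet")
    body = packet[12:]
    if not hflags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ k for b, k in zip(body, pad))
    try:
        acct_flags, _meth, priv_lvl, _atype, _svc, ulen, plen, rlen, argc = body[:9]
        arg_lens = body[9:9 + argc]
        off = 9 + argc
        fields = []
        for n in (ulen, plen, rlen, *arg_lens):
            fields.append(body[off:off + n].decode("ascii"))   # UnicodeDecodeError is a ValueError
            off += n
        if off != length:
            raise ValueError("argument lengths do not match body length")
    except ValueError as exc:
        raise ValueError(f"cannot parse body (shared key mismatch?): {exc}") from exc
    user, port, rem_addr, *arg_strs = fields
    args = {}
    for s in arg_strs:
        # RFC 8907 section 3.7: '=' marks a mandatory argument, '*' an optional one.
        sep = min((i for i in (s.find("="), s.find("*")) if i >= 0), default=len(s))
        args[s[:sep]] = s[sep + 1:]
    return {"session_id": session_id, "priv_lvl": priv_lvl, "user": user, "port": port,
            "rem_addr": rem_addr, "start": bool(acct_flags & ACCT_FLAG_START),
            "stop": bool(acct_flags & ACCT_FLAG_STOP), "args": args}


def example_record(key=b"constructed-shared-secret"):
    """Round-trip a STOP record for 'show version' at privilege 15 (all values constructed)."""
    pkt = build_acct_request(key, 0x1A2B3C4D, "netops", "tty1", "192.0.2.10", 15,
                             ["service=shell", "cmd=show version", "priv-lvl=15", "task_id=17"])
    return decode_acct_request(key, pkt)


if __name__ == "__main__":
    print(example_record())
```

The `cmd`, `priv-lvl` and `service=shell` arguments are what per-command accounting reports are built from; a NAD that only sends exec START/STOP records (the first IOS line above, without the `commands` lines) never includes a `cmd` argument, so the server has nothing to show under command accounting.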

FYI and update: after adding

set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting events configuration
set system accounting destination tacplus

the Juniper commands are now logged in command accounting.
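A config check covering both device families in this thread, as an added example that is not from the thread, Cisco or Juniper: it reads an IOS config and a Junos set-style config and reports which of the accounting statements quoted in the replies above are missing, treating privilege levels 0, 1 and 15 as the required IOS command-accounting levels and the four `set system accounting events` lines plus `destination tacplus` as the required Junos pieces. The sample configs are constructed and the function names are chosen here.

```python
"""Audit NAD configs for TACACS+ command accounting (added example, not from the thread).

Checks the pieces the thread identifies: IOS needs exec accounting plus
'aaa accounting commands <level>' for every privilege level to be recorded
(0, 1 and 15 per the VIP reply); Junos needs 'set system accounting events ...'
for the listed events plus 'set system accounting destination tacplus'.
"""
import re

REQUIRED_IOS_LEVELS = (0, 1, 15)
REQUIRED_JUNOS_EVENTS = ("login", "change-log", "interactive-commands", "configuration")

IOS_CMD_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) start-stop group (\S+)\s*$")
IOS_EXEC_RE = re.compile(r"^aaa accounting exec (\S+) start-stop group (\S+)\s*$")
JUNOS_EVENT_RE = re.compile(r"^set system accounting events (\S+)\s*$")
JUNOS_DEST_RE = re.compile(r"^set system accounting destination (\S+)")


def audit_ios(config):
    """Return a list of findings; an empty list means all required accounting is present."""
    levels, exec_ok = set(), False
    for line in config.splitlines():
        line = line.strip()
        m = IOS_CMD_RE.match(line)
        if m:
            levels.add(int(m.group(1)))
        elif IOS_EXEC_RE.match(line):
            exec_ok = True
    findings = []
    if not exec_ok:
        findings.append("missing 'aaa accounting exec ... start-stop group <tacacs-group>'")
    for lvl in REQUIRED_IOS_LEVELS:
        if lvl not in levels:
            findings.append(f"missing 'aaa accounting commands {lvl} ... start-stop group <tacacs-group>'")
    return findings


def audit_junos(config):
    """Same check for Junos set-style configuration."""
    events, dest = set(), None
    for line in config.splitlines():
        line = line.strip()
        m = JUNOS_EVENT_RE.match(line)
        if m:
            events.add(m.group(1))
        m = JUNOS_DEST_RE.match(line)
        if m:
            dest = m.group(1)
    findings = []
    for ev in REQUIRED_JUNOS_EVENTS:
        if ev not in events:
            findings.append(f"missing 'set system accounting events {ev}'")
    if dest != "tacplus":
        findings.append("missing 'set system accounting destination tacplus'")
    return findings


# Constructed sample: an IOS config with exec accounting but only priv 15 command accounting.
SAMPLE_IOS = """\
aaa new-model
aaa accounting exec default start-stop group dnac-network-tacacs-group
aaa accounting commands 15 default start-stop group dnac-network-tacacs-group
"""

# Constructed sample: the Junos lines from the final update in the thread.
SAMPLE_JUNOS = """\
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting events configuration
set system accounting destination tacplus
"""

if __name__ == "__main__":
    for name, findings in (("IOS", audit_ios(SAMPLE_IOS)), ("Junos", audit_junos(SAMPLE_JUNOS))):
        print(name, "OK" if not findings else "\n  ".join([""] + findings))
```

Run it against `show running-config | include aaa accounting` output or `show configuration | display set | match accounting` output saved to a file; the IOS sample above deliberately reproduces the situation the VIP reply warns about, where priv 15 is covered but low-level commands such as `show version` are not.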