Logging all commands through TACACS command accounting

jharper2
Level 1

Are all commands logged in ISE or just successful commands that are accepted by the device? If all commands are being logged by ISE how do I view the failed attempts? For example, if a user has access to view an interface but does not have access to make configuration will ISE log an attempt if the user tries to make a config change to the interface?

1 Accepted Solution

Accepted Solutions

paul
Level 10

There are a few things here:

  1. What gets authorized depends on your AAA command authorization setting.  You can authorize level 0,1 and 15 commands to authorize all commands if you want, but only level 15 commands are really worth authorizing.
  2. By default on most Cisco equipment command authorization stops when you enter "config t" mode.  You can keep command authorization running with the "aaa authorization config-commands" command, but that is a bit overkill unless you have a specific need to have different levels of config access.
  3. You can choose to account for commands at levels 0,1 and 15.  If you want to account for all commands a user types in you would enable all 3 levels.  I usually authorize only 15 but account for 0, 1 and 15.
  4. Command accounting doesn't stop once you enter config mode.  All commands will be accounted for.

So with all that being said.  Whatever commands you are authorizing will show up in the TACACS live logs and TACACS authorization report.  Both are very tricky to view because you don't see the command attempted until you drill into the details of the record, but accepts and denies are logged.

If you want a detail of the commands executed you can run a TACACS accounting report.  That will give you the full picture about what happened when the user was on the switch.  Denied commands are not accounted for, but they would show up in the authorization report/live logs.

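As an added illustration of the split the accepted answer describes (authorize only level 15, account for levels 0, 1 and 15, and optionally keep authorization running inside config mode), here is a Cisco IOS AAA fragment written for this page; it is not from the original post. The server name, group name, address and key are placeholders chosen for the example.

```cisco
! Enable the AAA subsystem and define the ISE TACACS+ server (placeholder values).
aaa new-model
tacacs server ISE-PSN1
 address ipv4 192.0.2.10
 key <shared-secret-placeholder>
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Login and shell authorization via ISE, with local fallback if ISE is unreachable.
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
!
! Point 1: authorize only privilege-15 commands against ISE.
! Every accept/deny for these shows up in the TACACS live logs and authorization report.
aaa authorization commands 15 default group ISE-TACACS local
!
! Point 2 (optional): keep command authorization active after "config t",
! only needed when different users get different levels of config access.
aaa authorization config-commands
!
! Point 3: account for every command the user types, at all three levels.
! Point 4: accounting continues inside config mode, so config changes are recorded too.
aaa accounting commands 0 default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
```

With this in place, a denied config change appears only in the authorization report or live logs, while the accounting report lists the commands that actually executed.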