TACACS+ Accounting Question

koguann1409
Level 1

Dear all,


I would like to know about the TACACS+ accounting option in Cisco.

We deployed an AAA machine, which is Avenda, in our operation network and are able to capture accounting commands ONLY for valid commands. Can TACACS+ also capture invalid commands and send them to Avenda (our AAA machine)?

Please help to clarify.


Jagdeep Gambhir
Level 10

Hi,

This is something device specific. In the case of IOS, it forwards only valid commands to the TACACS server. Example: if we issue the command "show user" it will log it, and if we issue the command "show dog" it will not be logged.

Hope that helps!

Regards,

~JG

Do rate helpful posts

JG:
Thanks for the info. I didn't know that unknown commands are not being logged with IOS.

Useful info though.

Thanks.

Amjad

You want to say "Thank you"?
Don't. Just rate the useful answers,
that is more useful than "Thank you".

Rating useful replies is more useful than saying "Thank you"

Hi Jagdeep,

Thanks for the useful info. Understood that the IOS version does not send invalid commands. Can I know about IOS-XR? We are using that one as well.

Thanks

IOS-XR is a little different: the software will see which task group the user is mapped to. If the command falls under the task umbrella of the user, then accounting will be permitted. This also works the same way for command authorization.

Hi, thanks, but does it capture the invalid commands and send them to the accounting AAA server?

No, if the command is invalid it will not be authorized, so no accounting will be performed. Keep in mind that accounting is the step that is performed after authorization. If a command is not authorized then accounting cannot take place.

Sent from Cisco Technical Support iPad App

Excellent theoretical reply! Great, man!
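
For reference, a minimal IOS configuration that enables the per-command TACACS+ authorization and accounting discussed in this thread. It is an added example, not posted by any participant; the server name AAA-SRV, the group name AAA-GROUP, the address 192.0.2.10 and the key are placeholders.

```cisco
! Constructed example: AAA-SRV, AAA-GROUP, 192.0.2.10 and the key are placeholders
aaa new-model
!
tacacs server AAA-SRV
 address ipv4 192.0.2.10
 key <shared-secret>
!
aaa group server tacacs+ AAA-GROUP
 server name AAA-SRV
!
! Authenticate logins against TACACS+, fall back to local accounts
aaa authentication login default group AAA-GROUP local
!
! Authorize the exec session and each command, per privilege level
aaa authorization exec default group AAA-GROUP local
aaa authorization commands 1 default group AAA-GROUP local
aaa authorization commands 15 default group AAA-GROUP local
!
! Account exec sessions and commands; command accounting is
! configured separately for each privilege level
aaa accounting exec default start-stop group AAA-GROUP
aaa accounting commands 1 default start-stop group AAA-GROUP
aaa accounting commands 15 default start-stop group AAA-GROUP
```

Per the replies above, accounting records produced by this configuration cover only commands the device accepts as valid, so the AAA server's command log should not be read as a complete record of everything typed at the CLI.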