02-09-2018 08:05 AM
I have a Cisco ASR9K Series running Cisco IOS XR Software, Version 5.3.3. I am using ISE version 2.2.0.470. I have aaa accounting commands configured on the router. I am having trouble accounting for commands that are not authorized. Is there another command that I need to configure on the router, or a setting that I need to change in ISE, to ensure all commands, whether they are authorized or not, are logged in ISE?
02-09-2018 08:49 AM
Post your AAA accounting configuration.
02-09-2018 08:56 AM
aaa accounting exec default start-stop group tacacs+
aaa accounting commands default stop-only group tacacs+
02-15-2018 04:49 AM
This is my config for TACACS:
aaa authentication login default group ISETEST local
aaa authentication enable default group ISETEST enable line none
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISETEST local
aaa accounting commands 15 default start-stop group ISETEST
02-16-2018 11:47 AM
Thank you Paul and Ognyan.
Justin,
Please look at the how-to guides for TACACS for best practices.
ISE Device Administration (TACACS+)
A couple of things:
Make sure you use the right group for TACACS. Use a named group as above.
Also call out the privilege level of commands as mentioned above.
Remember that you have to authorize the shell before accounting.
Hope it helps.
Thanks
Krishnan