01-30-2011 06:12 AM - edited 03-10-2019 05:46 PM
Hello ,
I am working as an internal auditor in a bank and I have doubts about something in the logs generated by TACACS+; I am looking for someone to assist with this.
My concern is about firewall changes which are triggered on the TACACS+ administration. It shows you, in terms of adding an IP address as source, to a specific group (objects) as destination. What if I need more details about the destination object's privileges which I am adding this source to? How can I identify these changes?
01-30-2011 11:26 AM
Looks like you want to see what destination the user added in the network object. Well, if the ASA is configured for command authorization and accounting, then you can only see the command executed by the logged-in user under TACACS+ administration.
Could you please get the output of the command sh run | in aaa ?
Regards,
Jatin
Do rate helpful posts-
01-30-2011 09:06 AM
Hi,
I did not quite understand as to which fields you want on the accounting logs.
But there are more details which can be viewed if you configure them in that manner. The following link will help you configure the same on the ACS.
Choose System Configuration > Logging. In the Reports Configuration table, click Configure for a log in the CSV column. Configure the desired attributes.
Regards,
Anisha
P.S.: please mark this thread resolved if you feel your query is answered.
01-30-2011 11:15 PM
Dear Jkatayl,
Exactly, this is what I am looking for ...
I have got for you one sample of the AAA configuration sending logs to one ASA firewall we have:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.10.32.19
timeout 5
key ******
aaa-server TACACS+ host 10.8.32.19
timeout 5
key ***********
aaa-server RADIUS protocol radius
aaa-server AuthOutbound protocol tacacs+
aaa authentication http console LOCAL
aaa authentication enable console TACACS+
aaa authentication serial console TACACS+
aaa authentication ssh console TACACS+
aaa authorization command TACACS+
aaa accounting command TACACS+
Thanks,
Mahmoud
01-30-2011 11:32 PM
Hi Mahmoud,
You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI.
To enable command accounting, enter the following command:
hostname(config)# aaa accounting command [privilege level] server-tag
and you do have this command in your configuration. Now, if command accounting is not working in your case, then you need to tell me what version of Cisco ACS you are running; if it is ACS 4.1.1.23 then there is a defect that has been fixed in patch 5.
The issue that you are facing could be due to,
CSCsg97429 - TACACS+ Command Accounting does not work in ACS 4.1(1) Build 23.
aaa-server AuthOutbound protocol tacacs+
aaa authentication http console LOCAL
aaa authentication enable console TACACS+
aaa authentication serial console TACACS+
aaa authentication ssh console TACACS+
aaa authorization command TACACS+
aaa accounting command TACACS+
How to configure command accounting on ASA
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1059882
Hope this helps.
Let me know if you need further help on this.
Regards,
Jatin
Do rate helpful posts~
01-30-2011 11:52 PM
Hi J katyal,
Thank you again for your helpful answer ..
Actually we are running version 3.0 as of now and shortly we will be upgrading to V4.0. But my concern is: what if I have read-only privilege on the ASA firewall to verify, for example, the ports open for each object group in the firewall from an audit point of view? For example, if someone wants to have internet access and he has been added to a group that has these privileges (HTTP and FTP). To verify this, I believe there is no way to justify it unless I access the firewall and run the "show run" command. Do you share the same view with me?
Thanks
Mahmoud
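The two points raised above (Jatin's note that command authorization and accounting must be on before the accounting log shows anything, and Mahmoud's point that the privileges behind an object-group only become visible from "show run") can be checked together with a small audit script. The following is an added example, not code from the thread or from Cisco: it takes a constructed "show run" excerpt and a few constructed TACACS+ command-accounting records (all names, addresses and the attribute=value record layout are assumptions), confirms the per-command AAA lines are present, and, for each host a user added to a network object-group, lists the access-list entries (and the ports they open) that the new member inherits.

```python
import re
from typing import Dict, List

# Constructed "show run" excerpt with hypothetical names and addresses.
SAMPLE_RUNNING_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.10.32.19
 timeout 5
 key ******
aaa authentication ssh console TACACS+
aaa authorization command TACACS+
aaa accounting command TACACS+
object-group network INTERNET_USERS
 network-object host 10.1.1.5
 network-object host 10.1.1.6
object-group service INTERNET_PORTS tcp
 port-object eq www
 port-object eq ftp
access-list INSIDE_IN extended permit tcp object-group INTERNET_USERS any object-group INTERNET_PORTS
access-list INSIDE_IN extended permit udp object-group INTERNET_USERS any eq domain
access-list INSIDE_IN extended deny ip any any
"""

# Constructed command-accounting records; the attribute=value layout is an assumption.
SAMPLE_ACCOUNTING = [
    "user=mahmoud cmd=configure terminal",
    "user=mahmoud cmd=object-group network INTERNET_USERS",
    "user=mahmoud cmd=network-object host 10.1.1.7",
    "user=mahmoud cmd=end",
]

# Without these two lines the ASA neither authorizes nor accounts individual commands.
REQUIRED_AAA = ("aaa authorization command", "aaa accounting command")


def check_command_aaa(config: str) -> Dict[str, bool]:
    """Report whether each per-command AAA line is present in the running config."""
    lines = [line.strip() for line in config.splitlines()]
    return {req: any(line.startswith(req) for line in lines) for req in REQUIRED_AAA}


def parse_object_groups(config: str) -> Dict[str, List[str]]:
    """Map each object-group name to its member lines (the indented children)."""
    groups: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("object-group "):
            current = raw.split()[2]          # "object-group <type> <name> ..."
            groups[current] = []
        elif raw.startswith(" ") and current is not None:
            groups[current].append(raw.strip())
        else:
            current = None                    # any other top-level line ends the group
    return groups


def acl_entries_referencing(config: str, group: str) -> List[str]:
    """Return access-list entries whose source is the given object-group."""
    pat = re.compile(r"^access-list \S+ extended (permit|deny) \S+ object-group "
                     + re.escape(group) + r" ")
    return [line for line in config.splitlines() if pat.match(line)]


def privileges_granted(config: str, group: str) -> List[str]:
    """Describe what members of a network object-group may reach, expanding
    service object-groups referenced as destination ports."""
    groups = parse_object_groups(config)
    result = []
    for entry in acl_entries_referencing(config, group):
        tokens = entry.split()
        action, proto = tokens[3], tokens[4]
        rest = tokens[7:]                     # after "object-group <group>"
        dest = rest[0] if rest else "any"
        port_spec = rest[1:]
        if port_spec[:1] == ["object-group"]:
            ports = [m.replace("port-object eq ", "") for m in groups.get(port_spec[1], [])]
        elif port_spec[:1] == ["eq"]:
            ports = [port_spec[1]]
        else:
            ports = ["any"]
        result.append(f"{action} {proto} to {dest} ports {','.join(ports)}")
    return result


def audit_accounting(records: List[str], config: str) -> Dict[str, List[str]]:
    """Correlate accounting records with the config: for every host added to a
    network object-group, list the access it inherits from that group."""
    findings: Dict[str, List[str]] = {}
    group = None
    for rec in records:
        m = re.search(r"cmd=(.*)$", rec)
        cmd = m.group(1) if m else ""
        if cmd.startswith("object-group network "):
            group = cmd.split()[2]
        elif cmd.startswith("network-object ") and group:
            findings[cmd.split()[-1]] = privileges_granted(config, group)
        elif cmd in ("end", "exit"):
            group = None
    return findings


if __name__ == "__main__":
    print(check_command_aaa(SAMPLE_RUNNING_CONFIG))
    for host, access in audit_accounting(SAMPLE_ACCOUNTING, SAMPLE_RUNNING_CONFIG).items():
        print(host, "->", access)
```

The accounting log only tells you that a host was added to a group; the ports that membership opens live in the access-list and service object-group lines, so an auditor needs a read-only copy of the running configuration (taken at the time of the change) alongside the accounting records to answer the "what privileges did this grant" question.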
01-31-2011 12:11 AM
If you manage the firewall and you're asking this question from the perspective of how to control user access on the firewall:
Read-only access
If you're a user who has read-only access to the firewall and no access to ACS/TACACS, then there is no way that you can run any other command apart from what we have defined on the ACS for you.
Rgds,
Jatin
Do rate helpful posts~