03-09-2005 11:57 AM - edited 03-10-2019 02:02 PM
Hi all,
I am having an issue with the TACACS+ server not logging login requests or commands entered. I am running the tac_plus.F4.0.4.alpha release that Cisco provides for free on a Mandrake 10.1 Linux box. I am able to use the server to authenticate logins to the routers, but it is not logging those requests.
Here is the config I used on one of our routers.
aaa group server tacacs+ prego
server xxx.xxx.xxx.xxx
!
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group prego
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
ip subnet-zero
Also, here is a sh version:
Cisco Internetwork Operating System Software
IOS (tm) 3700 Software (C3725-IS-M), Version 12.2(15)ZJ3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 25-Sep-03 22:23 by eaarmas
Image text-base: 0x60008954, data-base: 0x61C2C000
ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
ROM: 3700 Software (C3725-I-M), Version 12.2(8)T10, RELEASE SOFTWARE (fc1)
PRVGW3725 uptime is 10 weeks, 1 day, 7 hours, 35 minutes
System returned to ROM by power-on
System image file is "flash:c3725-is-mz.122-15.ZJ3.bin"
cisco 3725 (R7000) processor (revision 0.1) with 121856K/9216K bytes of memory.
Processor board ID JMX0749L1XC
R7000 CPU at 240Mhz, Implementation 39, Rev 3.3, 256KB L2 Cache
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of non-volatile configuration memory.
31360K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
Any help would be great.
Thank you
Joseph Jackson
03-09-2005 09:07 PM
You need to enable AAA authorization on the router (IOS) device.
For example, if you want to log level 15 commands, it would be like this:
aaa authorization commands 15 default group tacacs+ if-authenticated
Explore the Cisco IOS aaa authorization commands a little more and you will know what to do.
03-10-2005 06:45 AM
I do not configure my routers with aaa authorization commands 15, and my routers are reporting (accounting) level 15 commands just fine. So I disagree that this is required to get the results that he wants.
I notice in the original config that the accounting exec uses group prego while the authentication uses group tacacs+. I am not sure if there is an issue with the group prego, but I would suggest changing the config for accounting to use group tacacs+ and see what happens.
HTH
Rick
03-10-2005 09:02 AM
Thank you both for replying to my post. I have entered what you both said, but still no luck. Here is the updated config file showing the aaa stuff:
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa session-id common
ip subnet-zero
If you guys can think of anything else I'll give it a try.
03-10-2005 09:59 AM
If you are able to authenticate via TACACS, I would believe that this indicates that there is not a problem with your configuration of the TACACS server(s) (addresses are correct, keys are correct, etc.) and that the TACACS server recognizes the router OK.
So I assume that either there is some problem on the router generating the accounting records, or there might be a problem on the server receiving and processing the accounting records.
As a next step in investigating this issue I suggest that you run two debugs on the router:
debug aaa accounting
debug tacacs accounting
While the debug is running, have someone access the router and log in, access privileged mode, and execute several commands. Then post any debug output.
HTH
Rick
03-10-2005 10:59 AM
Rick,
I did both of those commands and then logged into the router from another CRT terminal, and did not see any debug messages.
03-10-2005 01:24 PM
How are you looking for the debug messages? (Are you logging to logging buffered debug and then using the show log command, or are you logged on somewhere with terminal monitor enabled while the testing activity takes place?)
Please do the test again, and this time add another debug: debug tacacs authentication
That should generate some debug output. If we see the authentication output but no accounting output, then there is a problem where the router is not generating accounting. If the authentication does not produce output, then we have to look more carefully at where the output is going and how to find it.
HTH
Rick
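Once accounting records do reach the server, the place to look for them is the file named by the `accounting file =` directive in tac_plus.conf. The following is an added example (not part of this thread and not code from the tac_plus distribution) that parses that file and answers the two questions raised above: which privileged commands each user ran, and which exec sessions have a start record but no matching stop. It assumes the tab-separated layout tac_plus writes (timestamp, NAS address, user, port, remote address, start/stop flag, then attr=value pairs such as task_id, priv-lvl and cmd); the sample records, addresses and usernames are constructed for illustration.

```python
"""Summarize a tac_plus accounting file: commands per user and open exec sessions.

Added example, not from the thread or from tac_plus itself. Assumed record layout
(one record per line, tab-separated):
    <timestamp> <NAS addr> <user> <port> <remote addr> <flag> <attr=value>...
IOS sends exec accounting as a start/stop pair sharing one task_id, and command
accounting as a single stop record per command carrying priv-lvl and cmd.
"""
from collections import defaultdict

# Constructed sample records (hypothetical addresses, users and task_ids).
SAMPLE_LOG = (
    "Thu Mar 10 09:02:11 2005\t192.0.2.1\tjjackson\ttty66\t192.0.2.50\tstart"
    "\ttask_id=42\ttimezone=EST\tservice=shell\n"
    "Thu Mar 10 09:02:30 2005\t192.0.2.1\tjjackson\ttty66\t192.0.2.50\tstop"
    "\ttask_id=43\ttimezone=EST\tservice=shell\tpriv-lvl=15\tcmd=show running-config <cr>\n"
    "Thu Mar 10 09:02:45 2005\t192.0.2.1\tjjackson\ttty66\t192.0.2.50\tstop"
    "\ttask_id=44\ttimezone=EST\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Thu Mar 10 09:05:02 2005\t192.0.2.1\tjjackson\ttty66\t192.0.2.50\tstop"
    "\ttask_id=42\ttimezone=EST\tservice=shell\telapsed_time=171\n"
    "Thu Mar 10 09:07:00 2005\t192.0.2.1\tops\ttty67\t192.0.2.51\tstart"
    "\ttask_id=50\ttimezone=EST\tservice=shell\n"
)

FLAGS = {"start", "stop", "update"}


def parse_record(line):
    """Split one accounting line into fixed fields plus an attribute dict.

    Raises ValueError on a line that does not have the six fixed fields or
    carries an unknown flag, so truncated or foreign lines are not silently
    counted as accounting events.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError("short accounting record: %r" % line)
    ts, nas, user, port, remote, flag = fields[:6]
    if flag not in FLAGS:
        raise ValueError("unknown accounting flag %r" % flag)
    attrs = {}
    for pair in fields[6:]:
        # Mandatory attributes are written as key=value; optional ones as key*value.
        key, sep, value = pair.partition("=")
        if not sep:
            key, sep, value = pair.partition("*")
        attrs[key] = value
    return {"time": ts, "nas": nas, "user": user, "port": port,
            "remote": remote, "flag": flag, "attrs": attrs}


def summarize(log_text):
    """Return (commands_by_user, open_sessions).

    commands_by_user maps user -> [(priv-lvl, cmd), ...] in log order.
    open_sessions maps task_id -> start record for exec sessions with no stop.
    """
    commands = defaultdict(list)
    open_sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        attrs = rec["attrs"]
        task_id = attrs.get("task_id")
        if "cmd" in attrs:
            # Command accounting: one stop record per command.
            commands[rec["user"]].append((attrs.get("priv-lvl", "?"), attrs["cmd"].strip()))
        elif rec["flag"] == "start":
            open_sessions[task_id] = rec
        elif rec["flag"] == "stop":
            open_sessions.pop(task_id, None)
    return dict(commands), open_sessions


def config_changes(commands_by_user):
    """Users who entered configuration mode, the event an auditor wants first."""
    return sorted(user for user, cmds in commands_by_user.items()
                  if any(cmd.startswith("configure") for _, cmd in cmds))


if __name__ == "__main__":
    cmds, still_open = summarize(SAMPLE_LOG)
    for user, entries in cmds.items():
        for priv, cmd in entries:
            print("%s priv %s: %s" % (user, priv, cmd))
    for task_id, rec in still_open.items():
        print("session %s for %s from %s has no stop record" % (task_id, rec["user"], rec["remote"]))
    print("config changes by:", config_changes(cmds))
```

Point it at the real file (for example `summarize(open("/var/log/tac_plus.acct").read())`, the path being whatever your tac_plus.conf names) after running the debug test Rick describes; if the router's `debug tacacs accounting` shows records being sent but nothing new appears here, the problem is on the server side rather than the router.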