09-28-2007 06:08 AM
I want to log all commands entered on a switch, however I can't seem to find a command to do that. Is this possible? Or am I stuck with the generic "configured from console by USERID" messages as the most detail I can get?
09-28-2007 06:32 AM
Look into AAA solutions such as Cisco Secure ACS:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
09-28-2007 07:16 AM
I am using ACS, however I am not sure how I would set that up to log commands.
I have tried to add this:
aaa accounting commands 15 default start-stop group tacacs+
but that does not seem to work.
Any thoughts?
09-28-2007 07:22 AM
By "that does not seem to work" you mean you can't "go to the Reports part of ACS. Pull up the TACACS+ Administration report. (TACACS+ Accounting tracks changes you made to ACS itself). ... Note that you can clearly see who issued each command, when they did it, and what the command was"?
Does your AAA config look similar to this?
aaa new-model
aaa authentication login default group tacacs+ line enable
aaa authentication enable default group tacacs+ enable line
aaa authorization exec default if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
ip tacacs source-interface Loopback0
!
tacacs-server host 10.20.1.20 key pleasetrustme
tacacs-server directed-request
09-28-2007 07:43 AM
By "does not seem to work" - yes, I go into the ACS under Reports - in TACACS+ Administration, there is nothing. In TACACS+ Accounting, there is info, but nothing relating to commands issued.
I have verified that there is a check in the system control for logging.
I have this for AAA config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 1.2.3.4 key the_key
tacacs-server host 1.2.3.5 key the_key
tacacs-server directed-request
radius-server source-ports 1645-1646
I am obviously missing something... thanks for your input!
09-28-2007 09:44 AM
The documentation makes me suspect "aaa authorization commands 1 default group tacacs+ if-authenticated none" is a pre-requisite for "aaa accounting commands 15 default start-stop group tacacs+" to start logging commands issued. In other words, commands Authorization has to be set up (on both the router and ACS) before commands Accounting takes place, as far as Cisco Secure ACS is concerned. So you'd need to configure/authorize on the ACS what commands that particular user can execute.
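The dependency described here (command accounting only shows up in the TACACS+ Administration report once command authorization exists at the same privilege level, against the same server group) is easy to miss when reading a running-config by eye. The script below is an added example, not Cisco or ACS code, that audits an IOS AAA configuration for exactly that gap and also flags a `none` fallback method on a command-authorization line, which lets commands through unauthorized when the TACACS+ server is unreachable. The two sample configs are constructed from the snippets posted in this thread; the parsing is limited to the `default` method lists shown there and the attribute names are my own.

```python
"""Audit an IOS AAA config for command-accounting prerequisites.

Added example (not Cisco/ACS code). Checks that every
'aaa accounting commands <level> default ... group <grp>' line has a
matching 'aaa authorization commands <level> default ... group <grp>'
line, since ACS needs command authorization before command accounting
records appear in the TACACS+ Administration report.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: command accounting present, command authorization absent.
SAMPLE_CONFIG_MISSING_AUTHZ = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 1.2.3.4 key the_key
"""

# Constructed sample: authorization and accounting paired at levels 1 and 15.
SAMPLE_CONFIG_OK = """\
aaa new-model
aaa authentication login default group tacacs+ line enable
aaa authorization exec default if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 10.20.1.20 key pleasetrustme
"""

# aaa accounting commands <level> <list> <start-stop|stop-only|none> [broadcast] group <grp>
ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) \S+(?: broadcast)? group (\S+)")
# aaa authorization commands <level> <list> <method1> [method2 ...]
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")


def _parse(config: str) -> Tuple[bool, bool, Dict[int, str], Dict[int, List[str]]]:
    """Return (has_new_model, has_tacacs_host, acct_by_level, authz_by_level)."""
    acct: Dict[int, str] = {}        # level -> server group used for accounting
    authz: Dict[int, List[str]] = {}  # level -> authorization method tokens
    has_new_model = has_tacacs_host = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            has_new_model = True
        elif line.startswith("tacacs-server host "):
            has_tacacs_host = True
        m = ACCT_RE.match(line)
        if m and m.group(2) == "default":
            acct[int(m.group(1))] = m.group(3)
        m = AUTHZ_RE.match(line)
        if m and m.group(2) == "default":
            authz[int(m.group(1))] = m.group(3).split()
    return has_new_model, has_tacacs_host, acct, authz


def _uses_group(methods: List[str], group: str) -> bool:
    """True if the method list contains 'group <group>'."""
    return any(t == "group" and methods[i + 1] == group
               for i, t in enumerate(methods[:-1]))


def missing_command_authz(config: str) -> Set[int]:
    """Privilege levels with command accounting but no matching authorization."""
    _, _, acct, authz = _parse(config)
    return {lvl for lvl, grp in acct.items()
            if lvl not in authz or not _uses_group(authz[lvl], grp)}


def audit_aaa(config: str) -> List[str]:
    """Human-readable findings for the given running-config text."""
    has_new_model, has_tacacs_host, acct, authz = _parse(config)
    findings: List[str] = []
    if not has_new_model:
        findings.append("ERROR: 'aaa new-model' missing; no AAA lines take effect")
    if acct and not has_tacacs_host:
        findings.append("ERROR: command accounting configured but no tacacs-server host")
    for lvl in sorted(missing_command_authz(config)):
        findings.append(f"ERROR: level {lvl} command accounting has no matching "
                        f"'aaa authorization commands {lvl} default ... group {acct[lvl]}'")
    for lvl, methods in sorted(authz.items()):
        if "none" in methods:
            findings.append(f"WARN: level {lvl} command authorization ends in 'none' "
                            "(fails open when the TACACS+ servers are unreachable)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("missing-authz", SAMPLE_CONFIG_MISSING_AUTHZ), ("ok", SAMPLE_CONFIG_OK)):
        print(f"== {name} ==")
        for f in audit_aaa(cfg) or ["no findings"]:
            print(" ", f)
```

Run it against the output of `show running-config | section aaa` pasted into a file; the first sample reproduces the situation in this thread (level 15 accounting with no level 15 authorization), and the second shows the paired lines that let the Administration report populate, along with the fail-open warning the `none` fallback earns.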
10-04-2007 07:09 AM
Apparently, I needed a patch (applACS-4.1.1.23.5.zip) for my ACS server for this to work. Once I applied that, the TACACS+ Administration report populated.