11-29-2005 05:24 AM
Folks,
We have a TACACS server used for authentication purposes, but I would also like it to record any config changes made to our kit.
Is there a command set for this?
Thanks to anyone taking the time and effort to reply.
12-05-2005 09:28 AM
Not sure if you can record config changes from the TACACS server. Check out the following link for basic TACACS configuration:
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080093c7c.shtml
12-05-2005 10:22 AM
TACACS is an AAA server (Authentication, Authorization, and Accounting) - i.e., loosely the "A" in the FCAPS network management model (Fault, Configuration, Accounting, Performance and Security - see http://www.iec.org/online/tutorials/ems/topic03.html for more).
What you seem to be asking for is Configuration Management - the "C". Cisco's product that targets that capability is the RME component of CiscoWorks LAN Management Solution (LMS).
If all you want is configuration diff detection and archiving, take a look at the open source RANCID tool. See http://www.shrubbery.net/rancid/ for an overview and download or http://www.networkcomputing.com/showArticle.jhtml?articleID=165701527 for a review.
12-06-2005 02:31 AM
Many thanks for your replies, folks.
Greatly appreciated.
12-06-2005 08:31 AM
Michael
I believe that I understand your question a bit differently than the previous responses. If I am correct, you are asking about the ability to record and report through TACACS about config changes that are made on the routers and switches in your network that currently use the TACACS server for authentication.
If your TACACS server is the Cisco ACS server, then you can accomplish what you are asking using the accounting part of AAA. On the routers and switches, configure accounting for commands. The syntax on routers is:
aaa accounting commands 15 default start-stop group tacacs+
The syntax on Catalyst switches for config commands is:
set accounting commands enable config stop-only tacacs+
If you want to see all privilege level commands use:
set accounting commands enable enable stop-only tacacs+
If you configure this, the router or switch will send records to TACACS, which will record config changes. We do this routinely on routers and switches at a customer site and it works well for us.
HTH
Rick
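
One way to pull likely configuration changes out of the command accounting records described in the reply above, as an added example that is not part of the original thread. The tab-separated record layout, the sample records and the read-only command list are assumptions constructed for illustration; adapt parse_record to the report format your TACACS+ server actually writes.

```python
# Added example. Assumed layout: six tab-separated fields, then TACACS+
# attribute=value pairs (task_id, service, priv-lvl, cmd).
FIELDS = ("time", "device", "user", "port", "remote", "flag")
READ_ONLY = {"show", "ping", "traceroute", "terminal", "exit", "end"}  # assumed list

def _rec(time, device, user, flag, task, cmd, lvl="15"):
    """Build one constructed sample record."""
    return "\t".join([time, device, user, "tty2", "198.51.100.5", flag,
                      f"task_id={task}", "service=shell",
                      f"priv-lvl={lvl}", f"cmd={cmd} <cr>"])

SAMPLE_LOG = "\n".join([  # constructed records, documentation addresses only
    _rec("2005-12-06 08:31:02", "192.0.2.10", "alice", "stop", 41, "show running-config"),
    _rec("2005-12-06 08:32:10", "192.0.2.10", "alice", "start", 42, "configure terminal"),
    _rec("2005-12-06 08:32:10", "192.0.2.10", "alice", "stop", 42, "configure terminal"),
    _rec("2005-12-06 08:32:25", "192.0.2.10", "alice", "stop", 43, "interface FastEthernet0/1"),
    _rec("2005-12-06 08:32:31", "192.0.2.10", "alice", "stop", 44, "shutdown"),
    "truncated record with no tab-separated fields",
    _rec("2005-12-06 09:05:47", "192.0.2.20", "bob", "stop", 7, "write memory"),
])

def parse_record(line):
    """Split one record into a dict; return None if the line is malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for av in parts[len(FIELDS):]:
        key, sep, value = av.partition("=")
        if sep:
            rec[key] = value
    return rec

def config_changes(log_text):
    """Return (time, device, user, command) for level-15 commands that are not read-only."""
    changes = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Count stop records only, so a start/stop pair is not reported twice.
        if rec is None or rec["flag"] != "stop" or rec.get("priv-lvl") != "15":
            continue
        cmd = rec.get("cmd", "").replace("<cr>", "").strip()
        if cmd and cmd.split()[0].lower() not in READ_ONLY:
            changes.append((rec["time"], rec["device"], rec["user"], cmd))
    return changes

if __name__ == "__main__":
    for change in config_changes(SAMPLE_LOG):
        print(*change, sep="  ")
```

The read-only filter is a heuristic: review the list against the commands your operators use before relying on the output as a change log.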