RE: Cisco ACS 4.2 and ASA

Shaughn,

Maybe command accounting is a newer feature but it is definitely available
in 8.2. (But it should be aaa accounting command privilege 15 TACACS+).

It is not what you are looking for. That is for local command accounting.

What do you want? Do you want accounting for what the users are accessing
when they VPN or just when they authenticate? What is the goal?

You may add the following

tunnel-group <your tunnel group> general-attributes

 accounting-server-group <SERVER-GROUP>

You may need to use RADIUS for this. I have not tested it before with
TACACS+. I am not sure it will gather everything you want but it should be
getting closer.

Also for future reference. If this is for work, which it seems to be as you
are not referencing tasks related to a practice lab then this is considered
off topic. It then is courtesy to add in the subject line OT: <subject> to
allow others to recognize what it is. This is a long standing rule for
group study.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.

Mailto: <mailto:tscott_at_ipexpert.com> tscott_at_ipexpert.com

Telephone: +1.810.326.1444, ext. 208

From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
Sent: Tuesday, May 18, 2010 9:08 AM
To: Tyson Scott
Cc: Ryan West; Cisco certification
Subject: Re: Cisco ACS 4.2 and ASA

Commands is an invalid entry, however i entered privilege 1 and 15, it was
already in the range.

I can see logs now after matching on the ACL entry for my remote users,
however i cannot see remote user name in the logs, even though i have added
that as an attribute.

Supaswift(config)# aaa accounting commands ?
ERROR: % Unrecognized command
Supaswift(config)# aaa accounting command ?

configure mode commands/options:
  WORD Specify the name of TACACS+ (only) aaa-server group to be use
             command accounting
  privilege Specify this keyword to set command privilege levels to track

On Tue, May 18, 2010 at 2:59 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:

Include
aaa accounting commands 0 TACACS+
aaa accounting commands 1 TACACS+
aaa accounting commands 15 TACACS+

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
<http://www.ipexpert.com/>

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Shaughn Smith

Sent: Tuesday, May 18, 2010 8:00 AM
To: Ryan West
Cc: Cisco certification
Subject: Re: Cisco ACS 4.2 and ASA

AAa configuration on the ASA

xxxxxxx# sh running-config | include aaa
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host xxx.xxx.xxx.xxx
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa accounting enable console TACACS+

On Tue, May 18, 2010 at 1:19 PM, Shaughn Smith <maniac.smg_at_gmail.com> wrote:

> Should have clarified, I can see entries in the passed and failed logs.
>
> AAA config coming up
>
> On Tue, May 18, 2010 at 1:18 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>> Can you post your AAA config? Do you see entries in the passed and
>> failed auth logs?
>>
>> Sent from handheld.
>>
>> On May 18, 2010, at 7:01 AM, "Shaughn Smith" <maniac.smg_at_gmail.com>
>> wrote:
>>
>> > Hi All
>> >
>> > I have a very strange problem. I am running Cisco ASC 4.2 as well as
>> > a 5540
>> > ASA, I have setup TACACS+ auth to the ACS which is working 100%.
>> > However
>> > when i try and view the reports for Tacacs+ accounting the reports are
>> > blank. Same goes for Tacacs+ Administration.
>> >
>> > I have seen there were some bugs with ACS 4.1 but havent been able
>> > to find
>> > any issues relating to 4.2, anyone here seen this before ?
>> >
>> > Thanks
>> >
>> > CCIE # 23962 (SP)
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
>> >
>> > _______________________________________________________________________
>>
>>
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
Received on Tue May 18 2010 - 09:20:43 ART