Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1657
Views
1
Helpful
4
Replies

TACACS Accounting

Go to solution
jharper2
Level 1
Level 1

‎02-09-2018 08:05 AM

I have a cisco ASR9K Series running Cisco IOS XR Software, Version 5.3.3. I am using ISE version 2.2.0.470. I have aaa accounting commands configured on the router. I am having trouble accounting for commands that are not authorized. Is there another command that I need to configure the router or a setting that I need to change in ISE to ensure all commands whether they are authorized or not are logged in ISE? 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to jharper2

‎02-16-2018 11:47 AM

Thank you Paul and Ognyan.

Justin,

Please look at the how to guides for TACACS for best practices.

ISE Device Administration (TACACS+)

Couple of things

Make sure you use right group for tacacs. Use named group as above.

Also call out the privilege level of commands as mentioned above.

Remember that you have to authorize the shell before accounting.

Hope it helps.

Thanks

Krishnan

View solution in original post

0 Helpful
4 Replies 4

Go to solution
paul
Level 10
Level 10

‎02-09-2018 08:49 AM

Post your AAA accounting configuration.

0 Helpful

Go to solution
jharper2
Level 1
Level 1
In response to paul

‎02-09-2018 08:56 AM

aaa accounting exec default start-stop group tacacs+

aaa accounting commands default stop-only group tacacs+

0 Helpful

Go to solution
ognyan.totev
Level 5
Level 5
In response to jharper2

‎02-15-2018 04:49 AM

This is mine config for tacacs

aaa authentication login default group ISETEST local

aaa authentication enable default group ISETEST enable line none

aaa authorization console

aaa authorization config-commands

aaa authorization exec default group ISETEST local

aaa accounting commands 15 default start-stop group ISETEST

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to jharper2

‎02-16-2018 11:47 AM

Thank you Paul and Ognyan.

Justin,

Please look at the how to guides for TACACS for best practices.

ISE Device Administration (TACACS+)

Couple of things

Make sure you use right group for tacacs. Use named group as above.

Also call out the privilege level of commands as mentioned above.

Remember that you have to authorize the shell before accounting.

Hope it helps.

Thanks

Krishnan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents