Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2360
Views
0
Helpful
1
Replies

Unable to configure vty accounting during initial setup

Go to solution
Don Maker
Level 1
Level 1

‎02-11-2020 07:38 AM - edited ‎02-21-2020 11:13 AM

We do most device builds by template here. We recently have been rolling out tacacs and when following our template build, we get an error in the accounting lines in the vty config. Please see below:

 

aaa config from template:

aaa new-model
aaa authentication login default local-case
aaa authentication login AAA-tacacs group CN-tacacs local-case
aaa authentication login CONSOLE local-case
aaa authentication enable default group CN-tacacs enable
aaa authentication dot1x default group CN-radius
aaa authorization console
aaa authorization exec CONSOLE local
aaa authorization exec AAA-tacacs group CN-tacacs local if-authenticated
aaa authorization commands 1 default group CN-tacacs local if-authenticated
aaa authorization commands 15 default group CN-tacacs local if-authenticated
aaa accounting exec AAA-tacacs start-stop group CN-tacacs
aaa accounting commands 1 AAA-tacacs start-stop group CN-tacacs
aaa accounting commands 15 AAA-tacacs start-stop group CN-tacacs
aaa accounting connection AAA-tacacs start-stop group CN-tacacs
aaa session-id common

 

vty config from template:

line con 0
authorization exec CONSOLE
logging synchronous
login authentication CONSOLE
stopbits 1
session-timeout 5
line vty 0 15
access-class 1 in
exec-timeout 15 0
authorization exec AAA-tacacs
accounting commands 1 AAA-tacacs
accounting commands 15 AAA-tacacs
accounting exec AAA-tacacs
login authentication AAA-tacacs
ipv6 access-class v6-VTY_ACCESS in
transport input ssh
transport output ssh

 

What happens, though, is when applying the vty config after the aaa, we get these error messages:

Switch(config-line)#accounting commands 1 AAA-tacacs
AAA: Warning accounting list "AAA-tacacs" is not defined for CMD priv 1

Switch(config-line)#accounting commands 15 AAA-tacacs
AAA: Warning accounting list "AAA-tacacs" is not defined for CMD priv 15

 

...and the accounting lines are absent from the config when I do a show run | s aaa

 

This will work if you apply the aaa/vty config later, once the switch is deployed, but always fails during the initial build in the lab. 

 

Note: almost all lab builds are done offline on a bench and not connected to any network services. 

 

Any suggestions or ideas?

 

 

Thank you!

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Don Maker
Level 1
Level 1

‎02-11-2020 09:28 AM

Figured it out. Need to define the servers right after the aaa-new model..then the rest of it works as intended.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Don Maker
Level 1
Level 1

‎02-11-2020 09:28 AM

Figured it out. Need to define the servers right after the aaa-new model..then the rest of it works as intended.

0 Helpful
Customers Also Viewed These Support Documents