ISE not receiving TACACS command accounting

Gagandeep Singh
Cisco Employee

Hi Team,

Problem description:

The customer is not able to see from his ISE server any accounting data from the Big Switch vendor (switch devices). He has this issue only with this vendor; other devices are working fine. We are able to see only accounting start/stop data, but not what he typed on the switch side.

Other information: 

Tacacs+ secret key is MVHMGMT

What we can see from pcap is:

Frame 273: 249 bytes on wire (1992 bits), 249 bytes captured (1992 bits)
Ethernet II, Src: Dell_45:5a:24 (f4:8e:38:45:5a:24), Dst: Vmware_9a:01:9a (00:50:56:9a:01:9a)
Internet Protocol Version 4, Src: 10.97.10.9, Dst: 10.97.14.251
Transmission Control Protocol, Src Port: 49077 (49077), Dst Port: 49 (49), Seq: 1, Ack: 1, Len: 183
TACACS+
  Major version: TACACS+
  Minor version: 0
  Type: Accounting (3)
  Sequence number: 1
  Flags: 0x00 (Encrypted payload, Multiple Connections)
  Session ID: 4186501883
  Packet length: 171
  Encrypted Request
  Decrypted Request
    Flags: 0x08
    Auth Method: NOT_SET (0x00)
    Privilege Level: 1
    Authentication type: ASCII (1)
    Service: Login (1)
    User len: 14
    User: gabriel_gearip
    Port len: 0
    Remaddr len: 11
    Remote Address: 10.94.75.18
    Arg count: 4
    Arg[0] length: 18
    Arg[0] value: reason=cli.command
    Arg[1] length: 24
    Arg[1] value: task_id=Session@2fd50cda
    Arg[2] length: 75
    Arg[2] value: session_id=2fd50cda6333c47aa8f69cd6f4db70db8c3ffd8305cbdd7418271a2bcc47e8fb
    Arg[3] length: 16
    Arg[3] value: cmd_args=no shut

We can see the accounting data in the pcap: cmd_args=no shut

Troubleshooting :

In the PCAP we can see that the accounting request contains commands. However, ISE doesn't show any command in TACACS command accounting. TACACS accounting works for start and stop packets.

Checked the aaa configuration on the Big Cloud Fabric device and found that it only supports exec accounting and doesn't support command authorization or command accounting, which could be the reason for not having command accounting.

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfacct.html

Configuration for reference:

~~~~ Appliance ~~~~~~~~~~
Name : Big Cloud Fabric
Build date : 2017-04-30 00:05:42 UTC
Build user : bsn
Ci build number : 22
Ci job name : bcf-4.1.5
Community edition : False
Release string : Big Cloud Fabric 4.1.5 (bcf-4.1.5 #22)
Version : 4.1.5

standby CTC-DCD-FAB1-CNT2#
standby CTC-DCD-FAB1-CNT2# sh run | in aaa
! aaa
aaa accounting exec default start-stop group tacacs+ local
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

Attached pcap for reference.

Any assistance would be appreciated.

Thanks in Advance

Regards

Gagan

3 Replies

paul
Level 10

If this is the snippet of your AAA config:

aaa accounting exec default start-stop group tacacs+ local
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

You don't have any command accounting enabled.  You are only doing exec accounting which is exactly what you are seeing in the logs.  You need to add:

aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+

You probably only care about level 15 commands.

Thanks Paul for responding.

It means this is expected behavior from ISE in terms of TACACS command accounting not showing any logs from this device. The device is not capable of command accounting; there is only the exec authorization option.

The only concern the customer has is about the pcap, where we can see commands coming in the accounting packet but they don't show up in command accounting.

Regards

Gagan

Hmm yeah that is odd about the PCAP.  I wonder if the device is not formatting the command accounting correctly as it doesn't truly support it.  You could PCAP a device that supports command accounting for sure and compare the fields.  Not even sure why it would be sending the command accounting packets.  Looks like a bad implementation of TACACS on the Big Cloud Fabric device.
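Paul's suggestion of comparing the fields against a device that does command accounting properly can be done mechanically. The following is an added example, not code from the thread or from Cisco or Big Switch: it builds a TACACS+ accounting REQUEST with the exact field values from the decoded capture above, obfuscates it with the MD5 pseudo-pad from RFC 8907, parses it back, and then reports the record type from the body flags and any attribute names that are not in RFC 8907's authorization/accounting attribute lists. The shared key is a constructed placeholder (not the one in the post), and the 171-byte body length it produces matches the "Packet length: 171" in the capture, which confirms the body layout. A wrong key is caught by the length consistency check rather than producing silent garbage.

```python
"""Added example (not from the thread): build, de-obfuscate and parse a
TACACS+ accounting REQUEST per RFC 8907, then list which attributes fall
outside the RFC's standard attribute names. Field values are copied from
the decoded capture in the thread; the shared key is a constructed
placeholder."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TYPE_ACCOUNTING = 3
HDR_FLAG_UNENCRYPTED = 0x01
VERSION = 0xC0                      # major 0xC, minor 0 (Wireshark: "Minor version: 0")
ACCT_FLAGS = {0x02: "START", 0x04: "STOP", 0x08: "WATCHDOG"}  # body flags, RFC 8907

# Attribute names defined by RFC 8907 (authorization and accounting sets)
RFC8907_ATTRS = {
    "service", "protocol", "cmd", "cmd-arg", "acl", "inacl", "outacl", "addr",
    "addr-pool", "routing", "route", "timeout", "idletime", "autocmd", "noescape",
    "nohangup", "priv-lvl", "remote_user", "remote_host", "callback-dialstring",
    "callback-line", "callback-rotary", "nocallback-verify",
    "task_id", "start_time", "stop_time", "elapsed_time", "timezone", "event",
    "reason", "bytes", "bytes_in", "bytes_out", "paks", "paks_in", "paks_out",
    "status", "err_msg",
}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907: MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call obfuscates and recovers."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_request(session_id, key, flags, user, rem_addr, args, priv_lvl=1, seq_no=1):
    """Serialize an accounting REQUEST body and prepend the 12-byte header."""
    enc_args = [a.encode() for a in args]
    body = bytes([flags, 0x00, priv_lvl, 0x01, 0x01,   # flags, NOT_SET, priv, ASCII, LOGIN
                  len(user), 0, len(rem_addr), len(enc_args)])
    body += bytes(len(a) for a in enc_args)
    body += user.encode() + rem_addr.encode() + b"".join(enc_args)
    header = HEADER.pack(VERSION, TYPE_ACCOUNTING, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_acct_request(packet, key):
    """Parse header and body; raises ValueError on truncation or a wrong key."""
    version, ptype, seq_no, hflags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TYPE_ACCOUNTING:
        raise ValueError("not an accounting packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not hflags & HDR_FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    (flags, _authen_method, priv_lvl, _authen_type, _service,
     user_len, port_len, rem_len, arg_cnt) = body[:9]
    pos = 9
    arg_lens = body[pos:pos + arg_cnt]
    pos += arg_cnt
    fields = []
    for n in (user_len, port_len, rem_len, *arg_lens):
        fields.append(body[pos:pos + n])
        pos += n
    # A wrong key yields random length bytes, so the fields will not add up.
    if pos != length:
        raise ValueError("body length mismatch (wrong key or malformed body)")
    user, port, rem_addr, *args = fields
    return {"session_id": session_id, "seq_no": seq_no, "flags": flags,
            "priv_lvl": priv_lvl, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "args": [a.decode() for a in args]}


def attr_name(arg):
    """Attribute name runs up to the first '=' (mandatory) or '*' (optional)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i]
    return arg


def audit_record(rec):
    """Classify the record by body flags and flag attribute names outside RFC 8907."""
    return {
        "record_flags": [n for bit, n in ACCT_FLAGS.items() if rec["flags"] & bit],
        "nonstandard_attrs": [attr_name(a) for a in rec["args"]
                              if attr_name(a) not in RFC8907_ATTRS],
    }


# Values copied from the decoded capture in the thread; the key is constructed.
KEY = b"example-secret"
CAPTURE_ARGS = [
    "reason=cli.command",
    "task_id=Session@2fd50cda",
    "session_id=2fd50cda6333c47aa8f69cd6f4db70db8c3ffd8305cbdd7418271a2bcc47e8fb",
    "cmd_args=no shut",
]


def demo():
    pkt = build_acct_request(4186501883, KEY, 0x08, "gabriel_gearip",
                             "10.94.75.18", CAPTURE_ARGS)
    rec = parse_acct_request(pkt, KEY)
    return rec, audit_record(rec), len(pkt) - HEADER.size


if __name__ == "__main__":
    rec, audit, body_len = demo()
    print(body_len, rec["user"], audit)
```

Run against the capture's values this reports a body length of 171, a WATCHDOG record (body flags 0x08, neither START nor STOP), and `session_id` and `cmd_args` as names outside RFC 8907, which defines `cmd` and `cmd-arg` for command attributes. Those are the concrete field differences to line up against a capture from a device whose command accounting ISE does display.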