[c-nsp] Cisco logging commands

Justin Shore justin at justinshore.com
Tue Dec 8 18:20:22 EST 2009


Henry-Nicolas Tourneur wrote:
> I'm not willing to use Tacacs+ because I'm setting up a new server
> environment and I don't want
> to need to manually compile tac-plus and get broken dependencies after
> an upgrade.

I've been using OSS tacacs+ daemons for nearly a decade and have yet to 
run into a situation where it suddenly broke due to a dependency issue 
created when I upgraded something else.  This is coming from a person 
who compiles nearly everything on his servers from source, including 
core libraries glibc, OpenSSL, etc.  Static linking is the simple answer 
if that's your concern anyway, just like with any other OSS tool.

> Using tac-plus from the APT would be far easier; unfortunately,
> it's not available any more.
> And, we are not interested in purchasing a Cisco ACS product just for
> doing what tac-plus does.

I vote for the Shrubbery.net version.  Worked perfectly for me for many 
years.

Also, here's some AAA config you'll need for tacacs to log ANYTHING that 
gets typed on the CLI in ANY privilege level, including typos:

aaa accounting delay-start
aaa accounting exec NETACC
  action-type start-stop
  group tacacs+
!
aaa accounting commands 0 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 1 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 2 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 3 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 4 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 5 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 6 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 7 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 8 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 9 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 10 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 11 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 12 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 13 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 14 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting commands 15 NETACC
  action-type stop-only
  group tacacs+
!
aaa accounting connection NETACC
  action-type stop-only
  group tacacs+
!
line vty 0 15
  accounting connection NETACC
  accounting commands 0 NETACC
  accounting commands 1 NETACC
  accounting commands 2 NETACC
  accounting commands 3 NETACC
  accounting commands 4 NETACC
  accounting commands 5 NETACC
  accounting commands 6 NETACC
  accounting commands 7 NETACC
  accounting commands 8 NETACC
  accounting commands 9 NETACC
  accounting commands 10 NETACC
  accounting commands 11 NETACC
  accounting commands 12 NETACC
  accounting commands 13 NETACC
  accounting commands 14 NETACC
  accounting commands 15 NETACC
  accounting exec NETACC


The syntax is new beginning with 12.4(24)T or thereabouts, but the gist 
of it is the same.  Just rewrite the 'aaa accounting commands' lines if 
you're using an older IOS rev.  Couple that with your normal tacacs 
config and you'll log every single thing typed on the VTYs.  Don't 
forget your other lines though.

Justin
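An added example, not part of Justin's message or of any Cisco or tac_plus tooling: a small Python audit that reads an IOS config and reports, per 'line' section, which privilege levels would not reach the TACACS+ accounting log, catching both a missing global 'aaa accounting commands' entry and a line (console, aux) that never applies the method list, which is exactly the "don't forget your other lines" trap above. The config text inside it is constructed, with level 7 deliberately left out globally and 'line con 0' left without accounting.

```python
import re
from typing import Dict, List, Set

ALL_LEVELS: Set[int] = set(range(16))  # IOS privilege levels 0-15

def global_command_levels(config: str) -> Dict[str, Set[int]]:
    """Method-list name -> privilege levels that have a global 'aaa accounting commands' entry.
    Matches both the 12.4(24)T-style submode form and the older one-line form."""
    found: Dict[str, Set[int]] = {}
    for lvl, name in re.findall(r"^aaa accounting commands (\d+) (\S+)", config, re.M):
        found.setdefault(name, set()).add(int(lvl))
    return found

def line_sections(config: str) -> Dict[str, List[str]]:
    """'line ...' header -> its indented sub-commands; a section ends at the next top-level line."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip():          # '!' or any other top-level line closes the section
            current = None
    return sections

def audit(config: str, method_list: str) -> Dict[str, List[int]]:
    """Per 'line' section, the privilege levels whose commands would NOT be accounted:
    a level is covered only if it is defined globally AND applied on that line."""
    global_levels = global_command_levels(config).get(method_list, set())
    pattern = re.compile(rf"accounting commands (\d+) {re.escape(method_list)}$")
    report: Dict[str, List[int]] = {}
    for header, cmds in line_sections(config).items():
        applied = {int(m.group(1)) for c in cmds if (m := pattern.match(c))}
        report[header] = sorted(ALL_LEVELS - (global_levels & applied))
    return report

def _commands_block(levels) -> str:
    return "\n".join(f"aaa accounting commands {n} NETACC\n  action-type stop-only\n  group tacacs+\n!"
                     for n in levels)

# Constructed sample config: level 7 is missing globally and 'line con 0' applies no accounting.
SAMPLE_CONFIG = (
    "aaa accounting delay-start\naaa accounting exec NETACC\n  action-type start-stop\n  group tacacs+\n!\n"
    + _commands_block(n for n in range(16) if n != 7)
    + "\nline con 0\n  exec-timeout 10 0\n!\nline vty 0 15\n"
    + "\n".join(f"  accounting commands {n} NETACC" for n in range(16))
    + "\n  accounting exec NETACC\n"
)

if __name__ == "__main__":
    for header, missing in audit(SAMPLE_CONFIG, "NETACC").items():
        print(f"{header}: unlogged privilege levels {missing or 'none'}")
```

Feed it the output of 'show running-config' to check a real box; an empty list for every line means every privilege level is both defined and applied.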
