[f-nsp] AAA accounting
Daniel Schmidt
daniel.schmidt at wyo.gov
Tue Nov 15 12:19:06 EST 2016
What version of tacacs are you using? What version of code on the ICX?
The relevant command is:
aaa accounting commands 0 default start-stop tacacs+
Which I have on my gear, and I just tested it. It works. Well, my
timezone is also Alaska, which is weird, since it isn't, and it is weird. The
only thing I can think of is that perhaps it's your enable - I send
priv-lvl 15 (or brocade-privlvl 1). Netirons will ask for your username
when you enable, implying that Brocade doesn't store username when it
enables. Maybe that is why it doesn't log it.
On Fri, Nov 4, 2016 at 6:28 AM, Tom Storey <tom at snnap.net> wrote:
> A second scenario arises, this time related to accounting of commands
> executed on devices.
>
> Using this config:
>
> aaa authentication enable default enable
> aaa authentication login default tacacs+ local
> aaa authorization commands 0 default tacacs+
> aaa authorization exec default tacacs+
> aaa accounting commands 0 default start-stop tacacs+
> aaa accounting exec default start-stop tacacs+
> aaa accounting system default start-stop tacacs+
>
> and according to this web page (for example):
>
> http://www.brocade.com/content/html/en/configuration-guide/fastiron-08040-securityguide/GUID-C9E9CEB6-582C-44BF-8047-3CD14483CF5C.html
>
> then my config should be authorising and accounting all commands entered
> on the device. But what I am seeing is that after enabling, nothing else
> happens between the device and the TACACS server, e.g. here's what I did:
>
> $ ssh 192.168.100.180
> Password:
> SSH at ICX6450-48 Router>en
> Enable Password:
> SSH at ICX6450-48 Router#config t
> SSH at ICX6450-48 Router(config)#int ethe 1/1/4
> SSH at ICX6450-48 Router(config-if-e1000-1/1/4)#disable
>
> but this is all that was accounted for:
>
> Nov 4 12:11:45 192.168.100.180 tomstorey tty11 192.168.100.178 start task_id=12 timezone=Alaska service=shell
> Nov 4 12:11:53 192.168.100.180 tomstorey tty11 192.168.100.178 stop task_id=1 timezone=Alaska service=shell priv-lvl=0 cmd=enable <cr>
>
> Any pointers?
>
> Thanks again!
> Tom
>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
--
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
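The accounting gap Tom describes (an exec "start" and the "enable" stop record arrive, then nothing for the commands typed afterwards) is the kind of thing worth checking on the TACACS+ server side rather than by eyeballing the log. The script below is an added example, not code from the thread or from Brocade: it parses accounting lines in the layout quoted above (month, day, time, NAS IP, user, tty, remote IP, start/stop flag, then attr=value pairs, with the trailing "<cr>" folded into the cmd value), groups records per session, and flags any session where "enable" was accounted but no privileged-level command records followed. The sample log is constructed: the first session mirrors the one in the thread, the second is a hypothetical device (192.0.2.10, user alice) whose command accounting is working, so the two outcomes can be compared.

```python
"""Audit a TACACS+ accounting log for sessions whose commands are not being
accounted.  Added example; assumes the record layout quoted in the thread:

    <Mon> <day> <HH:MM:SS> <nas-ip> <user> <tty> <remote-ip> <start|stop> attr=value ...

Tokens without '=' (such as the trailing '<cr>') are appended to the value of
the preceding attribute.
"""
from collections import defaultdict

# Constructed sample log.  Session 1 reproduces the thread's symptom (only the
# exec start and the 'enable' stop record arrive); session 2 is a hypothetical
# device where per-command accounting is working.
SAMPLE_LOG = """\
Nov 4 12:11:45 192.168.100.180 tomstorey tty11 192.168.100.178 start task_id=12 timezone=Alaska service=shell
Nov 4 12:11:53 192.168.100.180 tomstorey tty11 192.168.100.178 stop task_id=1 timezone=Alaska service=shell priv-lvl=0 cmd=enable <cr>
Nov 4 12:15:02 192.0.2.10 alice tty3 192.0.2.99 start task_id=40 service=shell
Nov 4 12:15:09 192.0.2.10 alice tty3 192.0.2.99 stop task_id=41 service=shell priv-lvl=0 cmd=enable <cr>
Nov 4 12:15:20 192.0.2.10 alice tty3 192.0.2.99 stop task_id=42 service=shell priv-lvl=15 cmd=configure terminal <cr>
Nov 4 12:15:31 192.0.2.10 alice tty3 192.0.2.99 stop task_id=43 service=shell priv-lvl=15 cmd=interface ethernet 1/1/4 <cr>
"""

FLAGS = {"start", "stop", "update"}


def parse_record(line):
    """Parse one accounting line into a dict, or return None if the line does
    not match the assumed layout."""
    tokens = line.split()
    if len(tokens) < 8 or tokens[7] not in FLAGS:
        return None
    rec = {
        "timestamp": " ".join(tokens[:3]),
        "nas": tokens[3],
        "user": tokens[4],
        "tty": tokens[5],
        "remote": tokens[6],
        "flag": tokens[7],
    }
    attrs = {}
    last_key = None
    for tok in tokens[8:]:
        if "=" in tok:
            last_key, value = tok.split("=", 1)
            attrs[last_key] = value
        elif last_key is not None:
            attrs[last_key] += " " + tok  # e.g. the trailing '<cr>'
    rec["attrs"] = attrs
    return rec


def audit_sessions(log_text):
    """Group records by (nas, user, tty) and report, per session, the commands
    seen and whether 'enable' was accounted with no privileged command after it."""
    sessions = defaultdict(lambda: {"exec_start": False, "commands": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        sess = sessions[(rec["nas"], rec["user"], rec["tty"])]
        # An exec-level start record carries no cmd attribute.
        if rec["flag"] == "start" and "cmd" not in rec["attrs"]:
            sess["exec_start"] = True
        cmd = rec["attrs"].get("cmd")
        if cmd is not None:
            priv = int(rec["attrs"].get("priv-lvl", "0"))
            sess["commands"].append((priv, cmd.replace("<cr>", "").strip()))

    findings = {}
    for key, sess in sessions.items():
        names = [c for _, c in sess["commands"]]
        privileged = [c for p, c in sess["commands"] if p > 0]
        findings[key] = {
            "exec_start": sess["exec_start"],
            "commands": names,
            # 'enable' was accounted, but nothing at priv-lvl > 0 followed it.
            "privileged_commands_missing": "enable" in names and not privileged,
        }
    return findings


if __name__ == "__main__":
    for (nas, user, tty), f in audit_sessions(SAMPLE_LOG).items():
        status = "MISSING privileged command accounting" if f["privileged_commands_missing"] else "ok"
        print(f"{user}@{nas} {tty}: {f['commands']} -> {status}")
```

Run against a real tac_plus-style accounting file by reading it into `audit_sessions` in place of `SAMPLE_LOG`; a session flagged as missing privileged commands while the operator definitely typed some is the same symptom as in the thread, and points at the device's accounting configuration or its handling of the enabled username rather than at the server.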