[f-nsp] AAA accounting
Tom Storey
tom at snnap.net
Wed Nov 16 06:17:15 EST 2016
Hi Daniel,
I'm using tacacs-F4.0.4.28 from shrubbery.net.
I have the same configuration on my boxes. It seems that after enabling via
TACACS+, or if logged in already enabled, commands are accounted.
When I tested by logging in to a device via TACACS and then enable using a
local enable password, commands entered after enabling were not accounted.
After some discussion I believe we are now going to proceed with enabled at
login, so this may not be as much of an issue now, but perhaps could help
others in the future.
Thanks
Tom
On 15 November 2016 at 17:19, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
> What version of tacacs are you using? What version of code on the ICX?
> The relevant command is:
>
> aaa accounting commands 0 default start-stop tacacs+
>
> Which I have on my gear, and I just tested it. It works. Well, my
> timezone is also Alaska, which is weird, which it isn't, and it is weird. The
> only thing I can think of is that perhaps it's your enable - I send
> priv-lvl 15 (or brocade-privlvl 1). Netirons will ask for your username
> when you enable, implying that Brocade doesn't store username when it
> enables. Maybe that is why it doesn't log it.
>
> On Fri, Nov 4, 2016 at 6:28 AM, Tom Storey <tom at snnap.net> wrote:
>
>> A second scenario arises, this time related to accounting of commands
>> executed on devices.
>>
>> Using this config:
>>
>> aaa authentication enable default enable
>> aaa authentication login default tacacs+ local
>> aaa authorization commands 0 default tacacs+
>> aaa authorization exec default tacacs+
>> aaa accounting commands 0 default start-stop tacacs+
>> aaa accounting exec default start-stop tacacs+
>> aaa accounting system default start-stop tacacs+
>>
>> and according to this web page (for example):
>>
>> http://www.brocade.com/content/html/en/configuration-guide/fastiron-08040-securityguide/GUID-C9E9CEB6-582C-44BF-8047-3CD14483CF5C.html
>>
>> then my config should be authorising and accounting all commands entered
>> on the device. But what I am seeing is that after enabling, nothing else
>> happens between the device and the TACACS server, e.g. here's what I did:
>>
>> $ ssh 192.168.100.180
>> Password:
>> SSH at ICX6450-48 Router>en
>> Enable Password:
>> SSH at ICX6450-48 Router#config t
>> SSH at ICX6450-48 Router(config)#int ethe 1/1/4
>> SSH at ICX6450-48 Router(config-if-e1000-1/1/4)#disable
>>
>> but this is all that was accounted for:
>>
>> Nov 4 12:11:45 192.168.100.180 tomstorey tty11 192.168.100.178 start task_id=12 timezone=Alaska service=shell
>> Nov 4 12:11:53 192.168.100.180 tomstorey tty11 192.168.100.178 stop task_id=1 timezone=Alaska service=shell priv-lvl=0 cmd=enable <cr>
>>
>> Any pointers?
>>
>> Thanks again!
>> Tom
>>
>> _______________________________________________
>> foundry-nsp mailing list
>> foundry-nsp at puck.nether.net
>> http://puck.nether.net/mailman/listinfo/foundry-nsp
>>
>
>
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.
>
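As an added example (not code from the thread, from Brocade or from tac_plus), the check below parses tac_plus accounting records in the layout shown in the quoted log and flags sessions whose last accounted command is `enable`, which is the pattern Tom's log shows when commands entered after a local enable never reach the TACACS+ server. The two records from the thread are rejoined onto single lines; the `alice` session is constructed as a fully accounted comparison.

```python
import re
from collections import defaultdict

# Constructed sample of tac_plus accounting records: the two lines from the
# thread (rejoined) plus a constructed, fully accounted session on tty12.
SAMPLE_LOG = """\
Nov 4 12:11:45 192.168.100.180 tomstorey tty11 192.168.100.178 start task_id=12 timezone=Alaska service=shell
Nov 4 12:11:53 192.168.100.180 tomstorey tty11 192.168.100.178 stop task_id=1 timezone=Alaska service=shell priv-lvl=0 cmd=enable <cr>
Nov 4 12:20:01 192.168.100.180 alice tty12 192.168.100.50 start task_id=20 timezone=Alaska service=shell
Nov 4 12:20:09 192.168.100.180 alice tty12 192.168.100.50 stop task_id=21 timezone=Alaska service=shell priv-lvl=15 cmd=configure terminal <cr>
Nov 4 12:20:15 192.168.100.180 alice tty12 192.168.100.50 stop task_id=22 timezone=Alaska service=shell priv-lvl=15 cmd=interface ethernet 1/1/4 <cr>
"""

# Layout as seen in the thread: "<Mon> <day> <HH:MM:SS> <nas> <user> <port> <remote> <start|stop> <attr=value ...>"
RECORD_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<remote>\S+) "
    r"(?P<status>start|stop)(?: (?P<avpairs>.*))?$"
)

def parse_record(line):
    """Return a dict for one accounting record, or None if the line does not parse."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("avpairs") or ""
    av = {}
    # cmd=... runs to end of line and contains spaces, so split it off first.
    cmd_match = re.search(r"(?:^| )cmd=(.*)$", rest)
    if cmd_match:
        av["cmd"] = cmd_match.group(1).replace("<cr>", "").strip()
        rest = rest[:cmd_match.start()]
    for pair in rest.split():
        key, _, value = pair.partition("=")
        av[key] = value
    rec["av"] = av
    return rec

def find_unaccounted_enable(log_text):
    """Group records per (nas, user, port) and return the sessions whose last
    accounted command is 'enable': nothing typed after enable was accounted."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            sessions[(rec["nas"], rec["user"], rec["port"])].append(rec)
    findings = []
    for key, recs in sessions.items():
        cmds = [r["av"]["cmd"] for r in recs if "cmd" in r["av"]]
        if cmds and cmds[-1] == "enable":
            findings.append(key)
    return findings
```

Run against a real tac_plus accounting file, a hit is a session to investigate on the device side (enable method, privilege level at login), since the server has no record of what was done after the enable.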