<div dir="ltr"><div>What version of tacacs are you using? What version of code on the ICX? The relevant command is:<br><br>aaa accounting commands 0 default start-stop tacacs+<br><br></div>Which I have on my gear, and I just tested it. It works. Well, my timezone is also Alaska which is weird, which it isn't and it's weird. The only thing I can think of is that perhaps it's your enable - I send priv-lvl 15 (or brocade-privlvl 1). Netirons will ask for your username when you enable, implying that Brocade doesn't store username when it enables. Maybe that is why it doesn't log it. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 4, 2016 at 6:28 AM, Tom Storey <span dir="ltr"><<a href="mailto:tom@snnap.net" target="_blank">tom@snnap.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">A second scenario arises, this time related to accounting of commands executed on devices.<div><br></div><div>Using this config:</div><div><br></div><div><div style="font-size:12.8px">aaa authentication enable default enable</div><div style="font-size:12.8px">aaa authentication login default tacacs+ local</div><div style="font-size:12.8px">aaa authorization commands 0 default tacacs+</div><div style="font-size:12.8px">aaa authorization exec default tacacs+</div><div style="font-size:12.8px">aaa accounting commands 0 default start-stop tacacs+</div><div style="font-size:12.8px">aaa accounting exec default start-stop tacacs+</div><div style="font-size:12.8px">aaa accounting system default start-stop tacacs+</div></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">and according to this web page (for example):</div><div style="font-size:12.8px"><br></div><div><span style="font-size:12.8px"><a href="http://www.brocade.com/content/html/en/configuration-guide/fastiron-08040-securityguide/GUID-C9E9CEB6-582C-44BF-8047-3CD14483CF5C.html" 
target="_blank">http://www.brocade.com/<wbr>content/html/en/configuration-<wbr>guide/fastiron-08040-<wbr>securityguide/GUID-C9E9CEB6-<wbr>582C-44BF-8047-3CD14483CF5C.<wbr>html</a></span><br></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">then my config should be authorising and accounting all commands entered on the device. But what I am seeing is that after enabling, nothing else happens between the device and the TACACS server, e.g. here's what I did:</span></div><div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">$ ssh 192.168.100.180</span></div><div><span style="font-size:12.8px">Password:</span></div><div><span style="font-size:12.8px">SSH@ICX6450-48 Router>en</span></div><div><span style="font-size:12.8px">Enable Password:</span></div><div><span style="font-size:12.8px">SSH@ICX6450-48 Router#config t</span></div><div><span style="font-size:12.8px">SSH@ICX6450-48 Router(config)#int ethe 1/1/4</span></div><div><span style="font-size:12.8px">SSH@ICX6450-48 Router(config-if-e1000-1/1/4)#<wbr>disable</span></div></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">but this is all that was accounted for:</span></div><div><span style="font-size:12.8px"><br></span></div><div><div><span style="font-size:12.8px">Nov 4 12:11:45<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>192.168.100.180<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>tomstorey<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>tty11<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>192.168.100.178<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>start<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>task_id=12<span 
class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>timezone=Alaska<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>service=shell</span></div><div><span style="font-size:12.8px">Nov 4 12:11:53<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>192.168.100.180<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>tomstorey<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>tty11<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>192.168.100.178<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>stop<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>task_id=1<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>timezone=Alaska<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>service=shell<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>priv-lvl=0<span class="m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>cmd=enable <cr></span></div><div><br></div><div>Any pointers?</div></div><div><br></div><div>Thanks again!</div><span class="HOEnZb"><font color="#888888"><div>Tom</div></font></span></div>
</blockquote></div><br></div>
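An added example, not part of the original thread and not Brocade or tac_plus code: a Python check that reads accounting lines in the tab-separated layout quoted above and reports sessions where `enable` is the last command accounted, which is the gap the thread describes. The 192.0.2.10 records, the function names, and the use of (NAS, user, port) as a session key are assumptions made for illustration.

```python
# Added example: find sessions whose accounting stops after "enable".
# Constructed sample in the tab-separated layout quoted in the thread. The first
# two records mirror the thread; the 192.0.2.10 records are invented.
SAMPLE = [
    "Nov 4 12:11:45\t192.168.100.180\ttomstorey\ttty11\t192.168.100.178\tstart"
    "\ttask_id=12\ttimezone=Alaska\tservice=shell",
    "Nov 4 12:11:53\t192.168.100.180\ttomstorey\ttty11\t192.168.100.178\tstop"
    "\ttask_id=1\ttimezone=Alaska\tservice=shell\tpriv-lvl=0\tcmd=enable <cr>",
    "Nov 4 12:20:01\t192.0.2.10\talice\ttty3\t192.0.2.50\tstart"
    "\ttask_id=7\ttimezone=UTC\tservice=shell",
    "Nov 4 12:20:05\t192.0.2.10\talice\ttty3\t192.0.2.50\tstop"
    "\ttask_id=8\ttimezone=UTC\tservice=shell\tpriv-lvl=0\tcmd=enable <cr>",
    "Nov 4 12:20:09\t192.0.2.10\talice\ttty3\t192.0.2.50\tstop"
    "\ttask_id=9\ttimezone=UTC\tservice=shell\tpriv-lvl=0\tcmd=configure terminal <cr>",
]


def parse_record(line):
    """Split one accounting line into fixed fields plus attribute=value pairs."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None  # not an accounting record in this layout
    avs = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    return {"time": fields[0], "nas": fields[1], "user": fields[2],
            "port": fields[3], "remote": fields[4], "kind": fields[5], "avs": avs}


def find_accounting_gaps(lines):
    """Return (nas, user, port) keys where "enable" is the last command accounted.

    Assumptions: lines are in time order and (nas, user, port) identifies one
    session. A hit is a candidate for review, since the user may simply have
    logged out after enabling.
    """
    after_enable = {}  # key -> commands accounted since the last "enable"
    for line in lines:
        rec = parse_record(line)
        if rec is None or "cmd" not in rec["avs"]:
            continue
        key = (rec["nas"], rec["user"], rec["port"])
        words = rec["avs"]["cmd"].replace("<cr>", "").split()
        if words and words[0] == "enable":
            after_enable[key] = 0
        elif key in after_enable:
            after_enable[key] += 1
    return [key for key, count in after_enable.items() if count == 0]


if __name__ == "__main__":
    for nas, user, port in find_accounting_gaps(SAMPLE):
        print(f"{nas}: no commands accounted for {user} on {port} after enable")
```

Comparing the flagged devices against the ones that do log post-enable commands narrows the problem to the device configuration rather than the TACACS+ server.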