<div dir="ltr">Hi Daniel,<div><br></div><div>Im using tacacs-F4.0.4.28 from <a href="http://shrubbery.net">shrubbery.net</a>.</div><div><br></div><div>I have the same configuration on my boxes. It seems that after enabling via TACACS+, or if logging in already enabled, commands are accounted.</div><div><br></div><div>When I tested by logging in to a device via TACACS and then enable using a local enable password, commands entered after enabling were not accounted.</div><div><br></div><div>After some discussion I believe we are now going to proceed with enabled at login, so this may not be as much of an issue now, but perhaps could help others in the future.</div><div><br></div><div>Thanks</div><div>Tom</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 15 November 2016 at 17:19, Daniel Schmidt <span dir="ltr"><<a href="mailto:daniel.schmidt@wyo.gov" target="_blank">daniel.schmidt@wyo.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>What version of tacacs are you using? What version of code on the ICX? The relevant command is:<span class=""><br><br>aaa accounting commands 0 default start-stop tacacs+<br><br></span></div>Which I have on my gear, and I just tested it. It works. Well, my timezone is also Alaska which is weird, which it isn't and it weird. The only thing I can think of is that perhaps it's your enable - I send priv-lvl 15 (or brocade-privlvl 1). Netirons will ask for your username when you enable, implying that Brocade doesn't store username when it enables. Maybe that is why it doesn't log it. <br></div><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Fri, Nov 4, 2016 at 6:28 AM, Tom Storey <span dir="ltr"><<a href="mailto:tom@snnap.net" target="_blank">tom@snnap.net</a>></span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr">A second scenario arises, this time related to accounting of commands executed on devices.<div><br></div><div>Using this config:</div><div><br></div><div><div style="font-size:12.8px">aaa authentication enable default enable</div><div style="font-size:12.8px">aaa authentication login default tacacs+ local</div><div style="font-size:12.8px">aaa authorization commands 0 default tacacs+</div><div style="font-size:12.8px">aaa authorization exec default tacacs+</div><div style="font-size:12.8px">aaa accounting commands 0 default start-stop tacacs+</div><div style="font-size:12.8px">aaa accounting exec default start-stop tacacs+</div><div style="font-size:12.8px">aaa accounting system default start-stop tacacs+</div></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">and according to this web page (for example):</div><div style="font-size:12.8px"><br></div><div><span style="font-size:12.8px"><a href="http://www.brocade.com/content/html/en/configuration-guide/fastiron-08040-securityguide/GUID-C9E9CEB6-582C-44BF-8047-3CD14483CF5C.html" target="_blank">http://www.brocade.com/content<wbr>/html/en/configuration-guide/<wbr>fastiron-08040-securityguide/<wbr>GUID-C9E9CEB6-582C-44BF-8047-<wbr>3CD14483CF5C.html</a></span><br></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">then my config should be authorising and accounting all commands entered on the device. But what I am seeing is that after enabling, nothing else happens between the device and the TACACS server, e.g. heres what I did:</span></div><div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">$ ssh 192.168.100.180</span></div><div><span style="font-size:12.8px">Password:</span></div><div><span style="font-size:12.8px">SSH@ICX6450-48 Router>en</span></div><div><span style="font-size:12.8px">Enable Password:</span></div><div><span style="font-size:12.8px">SSH@ICX6450-48 Router#config t</span></div><div><span style="font-size:12.8px">SSH@ICX6450-48 Router(config)#int ethe 1/1/4</span></div><div><span style="font-size:12.8px">SSH@ICX6450-48 Router(config-if-e1000-1/1/4)#<wbr>disable</span></div></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">but this is all that was accounted for:</span></div><div><span style="font-size:12.8px"><br></span></div><div><div><span style="font-size:12.8px">Nov 4 12:11:45<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>192.168.100.180<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>tomstorey<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>tty11<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>192.168.100.178<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>start<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>task_id=12<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>timezone=Alaska<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>service=shell</span></div><div><span style="font-size:12.8px">Nov 4 12:11:53<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>192.168.100.180<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>tomstorey<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>tty11<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>192.168.100.178<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>stop<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>task_id=1<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>timezone=Alaska<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>service=shell<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>priv-lvl=0<span class="m_-4851505657042831198m_8174771957156996775gmail-Apple-tab-span" style="white-space:pre-wrap"> </span>cmd=enable <cr></span></div><div><br></div><div>Any pointers?</div></div><div><br></div><div>Thanks again!</div><span class="m_-4851505657042831198HOEnZb"><font color="#888888"><div>Tom</div></font></span></div>
<br></div></div><span class="">______________________________<wbr>_________________<br>
foundry-nsp mailing list<br>
<a href="mailto:foundry-nsp@puck.nether.net" target="_blank">foundry-nsp@puck.nether.net</a><br>
<a href="http://puck.nether.net/mailman/listinfo/foundry-nsp" rel="noreferrer" target="_blank">http://puck.nether.net/mailman<wbr>/listinfo/foundry-nsp</a><br></span></blockquote></div><br></div>
<br>
<br>E-Mail to and from me, in connection with the transaction <br>of public business, is subject to the Wyoming Public Records <br>Act and may be disclosed to third parties.<br></blockquote></div><br></div>