Problem in ACS 4.1 and user monitoring
I have an ACS 4.1 and many routers. I set up the RADIUS protocol between my routers and the ACS and now I can use it, but I need to configure the routers and ACS for this:
If a user telnets to a router, I can see all the commands he types in the telnet console.
For example, if User1 authenticates, types en and the password, and then types show run, I can see all his actions in the ACS log. My router config is:
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa session-id common
username poweruser privilege 15 password power
ip radius source-interface Fastethernet0/0
radius-server host 192.168.1.5 auth-port 1645 acct-port 1646 key test
I selected all fields for all logs, but I see only session start and stop.
Could you help me?
I would suggest switching from RADIUS to TACACS+. RADIUS is not as useful for router management. TACACS+ gives you more options and, in addition, control over which CLI commands can or cannot be executed as well:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ none
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 10 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 10 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
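As an added illustration (not code from the thread or from Cisco), the following hypothetical audit helper parses the "aaa ..." lines of an IOS config and explains why the OP's RADIUS setup only produces session start/stop records while the TACACS+ lines above yield per-command records. Both sample configs are constructed from the lines posted in this thread.

```python
import re

# Hypothetical audit helper (added example, not from the thread): reads the
# "aaa ..." lines of an IOS config and reports whether typed commands can be
# accounted to the server, which is what the OP's RADIUS setup was missing.
CMD_ACCT = re.compile(r"^aaa accounting commands (\d+) \S+ start-stop group (\S+)")
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) \S+ group (\S+)")
EXEC_ACCT = re.compile(r"^aaa accounting exec \S+ start-stop group (\S+)")

def audit_aaa(config_text):
    """Return accounting/authorization coverage plus findings explaining any gaps."""
    cmd_acct, cmd_authz, exec_acct = {}, {}, set()
    for line in (l.strip() for l in config_text.splitlines()):
        if m := CMD_ACCT.match(line):
            cmd_acct[int(m.group(1))] = m.group(2)      # privilege level -> server group
        elif m := CMD_AUTHZ.match(line):
            cmd_authz[int(m.group(1))] = m.group(2)
        elif m := EXEC_ACCT.match(line):
            exec_acct.add(m.group(1))
    findings = []
    if exec_acct and not cmd_acct:
        findings.append("exec accounting only: the server gets session start/stop, "
                        "but there are no 'aaa accounting commands' lines, so typed commands are never sent")
    for level, group in sorted(cmd_acct.items()):
        if group != "tacacs+":
            findings.append(f"command accounting at level {level} uses '{group}'; "
                            "per-command accounting is TACACS+ functionality")
    if 15 not in cmd_authz:
        findings.append("no 'aaa authorization commands 15': privileged commands "
                        "are not checked against the server")
    return {"exec_accounting": sorted(exec_acct),
            "command_accounting_levels": sorted(cmd_acct),
            "command_authorization_levels": sorted(cmd_authz),
            "findings": findings}

# Constructed inputs taken from the thread: the OP's RADIUS lines and ladino's TACACS+ lines.
RADIUS_CONFIG = """
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
"""
TACACS_CONFIG = """
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""
```

Running `audit_aaa(RADIUS_CONFIG)` reports exec-only accounting with no command levels, while `audit_aaa(TACACS_CONFIG)` reports command accounting at levels 1 and 15 with no findings.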
As ladino mentioned, what you are trying to achieve is part of TACACS+ functionality. Therefore you should deploy TACACS+ instead of RADIUS. Check out more info on TACACS+ and RADIUS in the following FAQ link.
Cisco Forum FAQ » Securing access to routers with AAA commands
Thank you. I set it up and changed the protocol from RADIUS to TACACS+, and I can see start and stop connection accounting in the ACS report log, but I cannot see the commands which I input in the router console, for example show run etc.
How can I see those? And which item do I set in ACS 4.1 (I added cmd and cmd-arg in the TACACS+ report)?
Did you click the correct GUI button?
Reports and Activity - TACACS Administration - TACACS Administration active.csv
Many thanks. I changed my ACS server and reinstalled it, set it from RADIUS to TACACS+ as you told me, and that resolved my problem.
Good to hear that you got it working. However, you did not need to reinstall ACS in order to switch from RADIUS to TACACS+. You could have simply made the change under Network Configuration for the AAA client authentication.