
AAA accounting
A second scenario arises, this time related to accounting of commands
executed on devices.

Using this config:

aaa authentication enable default enable
aaa authentication login default tacacs+ local
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+

and according to this web page (for example):

http://www.brocade.com/content/html/en/configuration-guide/fastiron-08040-securityguide/GUID-C9E9CEB6-582C-44BF-8047-3CD14483CF5C.html

then my config should be authorising and accounting all commands entered on
the device. But what I am seeing is that after enabling, nothing else
happens between the device and the TACACS server, e.g. here's what I did:

$ ssh 192.168.100.180
Password:
SSH@ICX6450-48 Router>en
Enable Password:
SSH@ICX6450-48 Router#config t
SSH@ICX6450-48 Router(config)#int ethe 1/1/4
SSH@ICX6450-48 Router(config-if-e1000-1/1/4)#disable

but this is all that was accounted for:

Nov 4 12:11:45 192.168.100.180 tomstorey tty11 192.168.100.178 start task_id=12 timezone=Alaska service=shell
Nov 4 12:11:53 192.168.100.180 tomstorey tty11 192.168.100.178 stop task_id=1 timezone=Alaska service=shell priv-lvl=0 cmd=enable <cr>

Any pointers?

Thanks again!
Tom
Re: AAA accounting
What version of tacacs are you using? What version of code on the ICX?
The relevant command is:

aaa accounting commands 0 default start-stop tacacs+

which I have on my gear, and I just tested it. It works. Well, my
timezone is also Alaska, which is weird, because it isn't, and that's weird. The
only thing I can think of is that perhaps it's your enable - I send
priv-lvl 15 (or brocade-privlvl 1). NetIrons will ask for your username
when you enable, implying that Brocade doesn't store the username when it
enables. Maybe that is why it doesn't log it.

On Fri, Nov 4, 2016 at 6:28 AM, Tom Storey <tom@snnap.net> wrote:
_______________________________________________
foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp

--

E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
Re: AAA accounting
Hi Daniel,

I'm using tacacs-F4.0.4.28 from shrubbery.net.

I have the same configuration on my boxes. It seems that after enabling via
TACACS+, or if logging in already enabled, commands are accounted.

When I tested by logging in to a device via TACACS and then enable using a
local enable password, commands entered after enabling were not accounted.

After some discussion I believe we are now going to proceed with enabled at
login, so this may not be as much of an issue now, but perhaps could help
others in the future.

Thanks
Tom

On 15 November 2016 at 17:19, Daniel Schmidt <daniel.schmidt@wyo.gov> wrote:
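As an added check (not code from the thread or from the tac_plus project), the following Python parses accounting records in the format Tom quoted and flags sessions in which "enable" was accounted but no later command record ever arrived, which is the gap Tom describes after enabling with a local enable password. The sample records are constructed, and grouping a session by (NAS, user, port, remote address) plus the "enable then silence" heuristic are my assumptions, not anything tac_plus defines.

```python
import re

# Constructed sample in the tac_plus accounting format quoted in the thread
# (one record per line): tomstorey's session mirrors Tom's output (exec start,
# "enable" accounted, then silence); alice's session shows the expected case.
SAMPLE_LOG = """\
Nov 4 12:11:45 192.168.100.180 tomstorey tty11 192.168.100.178 start task_id=12 timezone=Alaska service=shell
Nov 4 12:11:53 192.168.100.180 tomstorey tty11 192.168.100.178 stop task_id=1 timezone=Alaska service=shell priv-lvl=0 cmd=enable <cr>
Nov 4 12:20:01 192.168.100.181 alice tty3 192.168.100.50 start task_id=40 timezone=Alaska service=shell
Nov 4 12:20:09 192.168.100.181 alice tty3 192.168.100.50 stop task_id=41 timezone=Alaska service=shell priv-lvl=0 cmd=enable <cr>
Nov 4 12:20:15 192.168.100.181 alice tty3 192.168.100.50 stop task_id=42 timezone=Alaska service=shell priv-lvl=15 cmd=configure terminal <cr>
"""

# timestamp, NAS address, user, port, remote address, start/stop/update, av-pairs
RECORD_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
    r"(start|stop|update)\s*(.*)$")

def parse_record(line):
    """Parse one accounting line into a dict, or return None if it does not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    ts, nas, user, port, remote, flag, rest = m.groups()
    av, key = {}, None
    # av-pairs are key=value; a token without '=' continues the previous value (cmd=enable <cr>)
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            av[key] = val
        elif key is not None:
            av[key] += " " + tok
    cmd = av["cmd"].replace("<cr>", "").strip() if "cmd" in av else None
    return {"ts": ts, "nas": nas, "user": user, "port": port,
            "remote": remote, "flag": flag, "av": av, "cmd": cmd}

def parse_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r]

def sessions_with_unaccounted_enable(records):
    """Session keys (nas, user, port, remote) where 'enable' was accounted but
    no later command record arrived: the gap Tom saw with a local enable password."""
    state = {}  # key -> [saw_enable, commands_accounted_after_enable]
    for r in records:
        s = state.setdefault((r["nas"], r["user"], r["port"], r["remote"]), [False, 0])
        if r["cmd"] == "enable":
            s[0] = True
        elif r["cmd"] is not None and s[0]:
            s[1] += 1
    return [k for k, (saw, n) in state.items() if saw and n == 0]
```

Run it over a real tac_plus accounting file and any session it returns is one where privileged commands may have gone unaccounted; a user who enabled and immediately logged out will also appear, so treat the list as a lead to correlate against exec stop records, not as proof.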