(RADIATOR) AAA issue. Cisco not forwarding Accounting packets to Syslog
Colin D. Easton
ceaston at attcanada.ca
Thu Jul 26 12:09:59 CDT 2001
Hi all,
Here's a template AAA config on our Cisco 3662:
aaa new-model
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key secret
radius-server retransmit 3 !
radius-server timeout 6 ! default = 5 seconds
radius-server deadtime 1 ! default = ? minutes
tacacs-server host 10.0.0.1 key secret
tacacs-server timeout 6 ! default
aaa authentication login default radius local
aaa authentication login NO_AUTHEN none
aaa authentication enable default group radius enable
aaa authorization network default group radius if-authenticated
aaa authorization exec default group radius if-authenticated
aaa authorization exec NO_AUTHEN
aaa accounting exec default start-stop tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting commands 1 default start-stop tacacs+
aaa accounting commands 12 default start-stop tacacs+
aaa accounting commands 14 default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
aaa accounting network default start-stop tacacs+
aaa accounting connection default start-stop tacacs+
aaa accounting system default start-stop tacacs+
line con 0
login authorization NO_AUTHEN
We're attempting to log commands to our Tac_Plus daemon on our Auth
server.
We get the start/stop records for 'logins' to the Cisco router but only
stop records for the commands. We do not get the command which is in
the AAA/Acct record but not the TAC+ record on the Cisco.
I.e., we're supposed to have the AAA record on syslog:
...
10.0.0.2 root tty0 async stop server=authsvr time=18:10:02 date=04/17/2000 task_id=52 timezone=CST service=shell priv-lvl=15 cmd=configure terminal <cr>
...
but we don't get the "cmd=<command>" field above which is
wrong/incorrect.
An AAA debug shows the proper record has been created/formatted and
passed to TAC+:
...
*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: User root, Port tty0, Priv 15: "configure terminal <cr>"
*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: Found list "default"
*Apr 17 18:14:45.726 CST: AAA/ACCT: user root, acct type 3 (1057208544): Method=tacacs+ (tacacs+)
*Apr 17 18:14:45.930 CST: TAC+: (1057208544): received acct response status = SUCCESS
...
Anyone have any exposure/experience here? Please advise.
Colin
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
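
Added example (not part of the original post, and not code from Radiator or tac_plus): a small audit script that scans accounting records laid out like the one quoted in the message and reports command-accounting stop records that arrive without a cmd= attribute. The sample lines are constructed, the function names are hypothetical, and it assumes a command record is a service=shell stop record that carries priv-lvl and no elapsed_time.

```python
import re

# Constructed sample lines modelled on the record layout quoted in the post
# (space-separated here; the same parsing also works when fields are tabs).
SAMPLE_LOG = """\
10.0.0.2 root tty0 async start task_id=51 timezone=CST service=shell
10.0.0.2 root tty0 async stop task_id=52 timezone=CST service=shell priv-lvl=15 cmd=configure terminal <cr>
10.0.0.2 root tty0 async stop task_id=53 timezone=CST service=shell priv-lvl=15
10.0.0.2 root tty0 async stop task_id=51 timezone=CST service=shell elapsed_time=120
"""

REC_TYPE = re.compile(r"\s(start|stop|update)\s")
# attr=value pairs; a value may contain spaces and ends at the next " attr="
ATTR = re.compile(r"([A-Za-z][\w-]*)=(.*?)(?=\s+[A-Za-z][\w-]*=|$)")


def parse_record(line):
    """Split one accounting line into head fields, record type and attributes."""
    m = REC_TYPE.search(line)
    if not m:
        return None  # not an accounting record we recognise
    head = line[:m.start()].split()  # NAS, user, port, remote address
    attrs = {k: v.strip() for k, v in ATTR.findall(line[m.end():])}
    return {"head": head, "type": m.group(1), "attrs": attrs}


def missing_cmd_records(log_text):
    """Return task_ids of command stop records that have no cmd= value."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["type"] != "stop":
            continue
        a = rec["attrs"]
        # Assumption: exec-session stops carry elapsed_time, command stops do not.
        is_command = (a.get("service") == "shell" and "priv-lvl" in a
                      and "elapsed_time" not in a)
        if is_command and not a.get("cmd"):
            flagged.append(a.get("task_id"))
    return flagged


if __name__ == "__main__":
    print("command records without cmd=:", missing_cmd_records(SAMPLE_LOG))
```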