Wednesday, February 28, 2018

TACACS accounting and ISE

Is there a way to send ALL commands, not just exec or certain priv levels, to your TACACS servers through accounting? I am not seeing any accounting logs in our ISE 2.3 server and don't know where I am missing something - whether in the router config or in ISE itself. Authentication and Authorization are working fine... just nothing for accounting. Here is my overboard accounting config...

aaa accounting exec default start-stop group tacacs+ - This should only send priv exec commands... right?

aaa accounting commands 0 default start-stop group tacacs+ - anything above priv 0 should be sent?

aaa accounting commands 1 default start-stop group tacacs+ - Same as above but 1??

aaa accounting commands 15 default start-stop group tacacs+ - Same as above but 15??

Been a while since we have done TACACS; we have been an NPS shop for a bit...


