TACACS+ accounting

I have implemented Cisco Secure ACS with the TACACS+ protocol. We have network connectivity problems, and whenever this happens TACACS+ falls back to the local database. Is it possible to capture the executed commands while the ACS is disconnected, so that when the ACS comes back those (accounting) commands can be sent to it by the device itself?

My requirement might seem weird. But I am convinced that anything is possible with Cisco :)

What you are asking is for the IOS T+ client to cache commands and then send them to ACS once the T+ client can communicate with ACS again. Yes? For IOS T+ commands, no, this is not available. The T+ connection will fail and fall back to either another T+ server or stop sending records.

The only solution here is to have two ACS servers online and have the T+ client fall back to the secondary ACS on loss of connection to the primary. Then have both ACSes forward their accounting to a third server, ACS or syslog. Of course, this assumes that the T+ client does not lose connectivity to both ACSes.
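The two-server fallback described in the reply above, written out as an added IOS configuration example; it is not from the original thread. The server addresses (10.1.1.10, 10.1.1.11), the syslog host (10.1.1.20), the group name ACS, the local username and the keys are placeholders, and the legacy tacacs-server host syntax of the ACS 4.x era is assumed. The archive section goes beyond the reply: IOS does not queue TACACS+ accounting records while every server is unreachable, so configuration changes are additionally written to the local log buffer and to syslog, which is the record that survives an ACS outage.

```cisco
! Added example, not from the thread. Placeholder addresses, names and keys.
aaa new-model
!
tacacs-server host 10.1.1.10 key MyKey
tacacs-server host 10.1.1.11 key MyKey
tacacs-server timeout 5
tacacs-server directed-request
!
! Both servers in one group: the client tries 10.1.1.10 first and moves
! to 10.1.1.11 when the primary stops answering.
aaa group server tacacs+ ACS
 server 10.1.1.10
 server 10.1.1.11
!
! "local" and "enable" are fallback methods: they are consulted only when
! no server in the group responds, never when ACS rejects the login.
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
aaa authorization exec default group ACS if-authenticated
aaa authorization commands 15 default group ACS if-authenticated
aaa authorization config-commands
!
! Command accounting: records go to whichever server is answering;
! nothing is stored on the device if both are down.
aaa accounting exec default start-stop group ACS
aaa accounting commands 1 default stop-only group ACS
aaa accounting commands 15 default stop-only group ACS
aaa accounting system default start-stop group ACS
aaa session-id common
!
! Local credentials, used only during an outage of both servers.
username admin privilege 15 secret ChangeMe
enable secret ChangeMe
!
! Independent of TACACS+: log every configuration-mode command, with the
! username that entered it, to the buffer and to syslog
! (Configuration Change Notification and Logging).
archive
 log config
  logging enable
  notify syslog
  hidekeys
!
logging buffered 64000 informational
logging host 10.1.1.20
logging trap informational
```

The archive feature records configuration-mode commands only; exec commands (show, clear, debug) typed while both ACSes are down are still lost, and `show archive log config all` shows what was captured locally. If you need records on two collectors simultaneously rather than primary/backup, put each ACS in its own server group and add the `broadcast` keyword to the aaa accounting lines instead of forwarding from the ACSes.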

Tags: Cisco Security

Similar Questions

  • TACACS+ accounting issue

    Hi all

    I would like to know about the TACACS+ accounting option in Cisco.

    We have deployed an AAA appliance (Avenda) in our network operation and are able to log command accounting ONLY for valid commands. Can TACACS+ also capture invalid commands and send them to Avenda (our AAA appliance)?

    Please help clarify.

    Hello

    It is a device-specific thing. In the case of IOS, it only passes the valid commands to the TACACS+ server. Example: if we issue the command 'show user' it will be recorded, and if we run the command "show dog", it will not be logged.

    Hope that helps!

    Kind regards

    ~ JG

    Please rate helpful posts.

  • AS5300 TACACS+ accounting elapsed time = 0

    Hello

    We have two AS5300s (IOS 12.2(15)T2). Everything works fine except that both NAS often incorrectly report elapsed time = 0 to the ACS server for asynchronous PPP sessions. ISDN sessions are always correct.

    I have looked for a cause/explanation but can't find one. Any information would be...

    This is the aaa config:

    aaa new-model
    !
    !
    aaa authentication login default group tacacs+
    aaa authentication login admin group tacacs+ local
    aaa authentication login against local
    aaa authentication enable default group tacacs+ enable
    aaa authentication ppp default if-needed group tacacs+
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization network default if-authenticated
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa session-id common
    tacacs-server host
    tacacs-server host
    tacacs-server directed-request
    tacacs-server key

    Brgds

    Conny

    This is probably bug CSCec30517, where elapsed time = 0 if the session is not closed properly (i.e. the user simply switches off his PC rather than actually disconnecting the session cleanly).

    Good news is that it is fixed in 12.2(15)T7; try upgrading to that and see how you go.

    If you want to check that you are hitting this BEFORE the upgrade, enable the following debugs:

    debug ppp negotiation
    debug aaa authentication
    debug aaa authorization
    debug aaa accounting
    debug tacacs

    For the times when the elapsed time is non-zero (correct), you should see the following debug just before the TACACS+ debug:

    Sep 8 12:19:57.042: As9 LCP: I TERMREQ [Open] id 7 len 16 (0x795A2E62003CCD7400000000)
    Sep 8 12:19:57.042: As9 LCP: O TERMACK [Open] id 7 len 4

    The TERMREQ is a termination request from the user, indicating that they closed the session properly. The TACACS+ accounting debug that follows should then show a non-zero elapsed time.

    If you find a TACACS+ accounting debug with elapsed time = 0, look above it and you will probably not see a termination request from the user, indicating that the PPP call was torn down ungracefully.

  • Cisco ACS SE TACACS+ accounting fails

    Hello

    I am running Cisco ACS SE 4.1.23.5. My problem is that the ACS does not log the commands from the remote switches. I have configured the following accounting commands:

    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+

    When I enable debug aaa accounting, I get the following logs on the switch:

    001091: Sep 12 12:06:06.464 TSB: AAA/ACCT: user johndoe, acct type 3 (2684940942): Method=tacacs+ (tacacs+)
    001092: Sep 12 12:06:06.665 TSB: TAC+: (2684940942): received acct response status = SUCCESS
    001093: Sep 12 12:06:11.128 TSB: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:
    'show running-config'
    001094: Sep 12 12:06:11.128 TSB: AAA/ACCT/CMD: found list "default"
    001095: Sep 12 12:06:11.346 TSB: AAA/ACCT: user johndoe, acct type 3 (1583033889): Method=tacacs+ (tacacs+)
    001096: Sep 12 12:06:12.000 TSB: TAC+: (1583033889): received acct response status = SUCCESS
    001097: Sep 12 12:08:16.303 TSB: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:
    'configure terminal'
    001098: Sep 12 12:08:16.303 TSB: AAA/ACCT/CMD: found list "default"
    001099: Sep 12 12:08:16.303 TSB: AAA/ACCT: user johndoe, acct type 3 (1098049616): Method=tacacs+ (tacacs+)
    001100: Sep 12 12:08:16.504 TSB: TAC+: (1098049616): received acct response status = SUCCESS
    001101: Sep 12 12:08:29.884 TSB: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:

    It seems that the switch is getting a response but the ACS does not record it. I have updated the ACS to the latest patch (4.1.23.5), which is supposed to resolve this known bug.

    Is there something that I am missing?

    Thank you.

    ESD

    And what do you get in the TACACS+ Administration logs?

    Kind regards

    Prem

  • AAA TACACS+ accounting - CLI commands issued by the user do not appear in the ACS report.

    Can I know why the CLI commands issued by the user do not show in the TACACS+ accounting report on ACS? The session duration is displayed, but I also want to log the commands issued by the user.

    What is missing here?

    aaa authentication login VTY group P1_ACS local enable
    aaa authorization exec default group P1_ACS local if-authenticated
    aaa authorization exec CONSOLE none
    aaa accounting exec default start-stop group P1_ACS
    aaa accounting commands 5 default start-stop group P1_ACS
    aaa accounting commands 15 default stop-only group P1_ACS

    Command accounting logs are stored in the TACACS+ Administration logs.

    There is also a known issue on ver 4.1.1, and you must apply the ACS 4.1.1.23.5 patch to fix the problem.

    The patch for the appliance is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    Patch name: ACS SE 4.1.1.23.5 rollup

    The ACS hotfix for Windows is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    Patch name: ACS 4.1.1.23.5 rollup

    CCIE Security

  • TACACS+ command accounting

    Hello

    We have set up accounting on our network devices, but the commands that users type do not appear in the TACACS+ Accounting section. We use ACS 4.1 SE, and the accounting commands configured on the devices are given below.

    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    Help, please

    Command accounting logs are stored in the TACACS+ Administration logs. There is also a known issue on ver 4.1.1, and you must apply the ACS 4.1.1.23.5 patch to fix the problem.

    The patch for the appliance is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    Patch name: ACS SE 4.1.1.23.5 rollup

    The ACS hotfix for Windows is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    Patch name: ACS 4.1.1.23.5 rollup

    Kind regards

    ~ JG

    Please rate helpful posts.

  • AAA accounting report does not include the issued commands.

    Hello everyone, I have a problem with AAA accounting on my ACS 4.0 appliance. When I view the accounting log it lists the connections, protocols and IP addresses, but not the commands executed on the specific switch. When I debug aaa accounting I see output, but when I debug tacacs accounting I see nothing. An example of my config is:

    aaa new-model
    aaa group server tacacs+ ACS
     server [ip address here]
     server [ip address here]
    aaa accounting exec default start-stop group ACS
    aaa accounting commands 0 default stop-only group ACS
    aaa accounting commands 15 default start-stop group ACS
    tacacs-server key [here]

    I left the authentication part of the configuration out of the example above, as it works fine.

    Does anyone have ideas why the actual commands are not being captured on ACS?

    Thanks in advance.

    On ACS, command accounting is recorded in the TACACS+ Administration log, not in the TACACS+ Accounting log! Don't ask me why, it just is. At least that is how it is on mine, and it took me a while to discover this too.

    Hope this helps

    Regards

    Mike

  • TACACS+ command logging problems

    All,

    Working on a problem I'm having getting command logging set up for my switch/router infrastructure.  Here's my config; authentication works, both console & SSH.  Authorization is also working.  Some of my accounting functions work, like TACACS+ successful logins, but none of my command logging features work correctly.

    I am running ACS v4.1.  In addition, what is the difference between using named auth/accounting lists and the default?  Is it correct that I need to apply the named lists to specific interfaces, whereas the default is applied to all interfaces?

    Configs:

    aaa new-model

    aaa authentication login SSH group tacacs+ local
    aaa authentication login CONSOLE local
    aaa authorization console
    aaa authorization exec CONSOLE local
    aaa authorization exec SSH group tacacs+
    aaa authorization network CONSOLE local
    aaa authorization network SSH group tacacs+
    aaa accounting exec SSH start-stop group tacacs+
    aaa accounting commands 0 SSH start-stop group tacacs+
    aaa accounting commands 1 SSH start-stop group tacacs+
    aaa accounting commands 15 SSH stop-only group tacacs+
    aaa accounting network SSH start-stop group tacacs+

    access-list 1 permit X.X.56.0 0.0.0.255
    tacacs-server host X.X.X.X key XXXXXXXXXXXXX
    tacacs-server timeout 30
    tacacs-server directed-request
    !
    control-plane
    !
    !
    line con 0
     session-timeout 10
     authorization exec CONSOLE
     login authentication CONSOLE
    line vty 0 4
     session-timeout 10
     access-class 1 in
     authorization exec SSH
     accounting commands 0 SSH
     accounting commands 1 SSH
     accounting commands 15 SSH
     accounting exec SSH
     login authentication SSH
     transport input ssh
    line vty 5 15
     session-timeout 10
     access-class 1 in
     authorization exec SSH
     accounting commands 0 SSH
     accounting commands 1 SSH
     accounting commands 15 SSH
     accounting exec SSH
     login authentication SSH
     transport input ssh

    Any help is appreciated.

    Thank you!

    Jon

    Hi Jon,

    Could you let us know the exact version of ACS? If it is ACS 4.1.1.23, then you would have to apply the latest patch from TAC, as there is a bug in ACS 4.1.1.23 where command accounting does not work.

    Here is the information about the bug:

    CSCsg97429:

    TACACS+ command accounting does not work in ACS 4.1 Build 23(1).

    Symptom:

    TACACS+ command accounting does not work in ACS 4.1 Build 23(1).
    No records appear in the TACACS+ Administration log.

    Conditions:

    Command accounting is configured on the NAS. After entering commands on the NAS,
    no record is visible in the TACACS+ Administration log file. Debugs on the NAS show
    the records being sent and reaching the ACS server, but the
    log file is not updated.

  • Admin command accounting on PIX 515

    Hello

    Is there a way to log the admin commands issued on the firewall? For example, send them to a TACACS+ server?

    Thanks for the help.

    Hello noipt,

    Command accounting can be configured ONLY in PIX v7.x. In addition, only non-show commands will be sent.

    From the command reference:

    To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.

    aaa accounting command

    http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a1_711.htm#wp1428200

    For version 6.x:

    Command authentication and authorization for PIX 6.2

    http://www.Cisco.com/warp/public/110/pix_command.shtml#accounting

    There is no real command accounting available, but with syslog enabled on the PIX you can see what steps were taken, as shown in this example:

    307002: Permitted Telnet login session from 172.18.124.111
    111006: Console Login from pixtest at console
    611103: User logged out: Uname: pixtest
    307002: Permitted Telnet login session from 172.18.124.111
    111006: Console Login from pixtest at console
    502103: User priv level changed: Uname: pixtest From: 1 To: 15
    111008: User 'pixtest' executed the 'enable' command.
    111007: Begin configuration: 172.18.124.111 reading from terminal
    111008: User 'pixtest' executed the 'configure t' command.
    111008: User 'pixtest' executed the 'write t' command.

    I hope this helps! If so, please rate.

    Thank you
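    The PIX/ASA 7.x command accounting the reply points to, as an added configuration example that is not from the thread or from the linked command reference. The server address 10.1.1.10, syslog host 10.1.1.20, server tag ACS and key are placeholders.

    ```cisco
    ! Added example, not from the thread. ASA/PIX 7.x syntax, placeholder values.
    aaa-server ACS protocol tacacs+
    aaa-server ACS (inside) host 10.1.1.10
     key MyKey
     timeout 5
    !
    aaa authentication ssh console ACS LOCAL
    aaa authentication enable console ACS LOCAL
    aaa authorization command ACS LOCAL
    !
    ! One accounting record per command entered at privilege 15 or above.
    ! Show commands are never sent by command accounting.
    aaa accounting command privilege 15 ACS
    !
    ! Show commands and the rest of the admin session stay visible in syslog:
    ! 111008 (executed command, notifications level) and 111009 (show command,
    ! debugging level by default).
    logging enable
    logging timestamp
    logging host inside 10.1.1.20
    logging trap notifications
    ! Raise 111009 so show commands reach the collector without turning on
    ! every debugging-level message.
    logging message 111009 level notifications
    ```

    The accounting records carry the authenticated username from the TACACS+ login, so `aaa authentication ... console ACS` must be in place before `aaa accounting command` is useful; with enable-mode sessions authenticated only by the local enable password the record would not identify the administrator.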

  • AAA problem with switch console access

    Hi all

    I have configured the aaa commands as below:

    tacacs-server host xxxxxx
    tacacs-server directed-request
    tacacs-server key xxxxxx

    aaa new-model
    aaa authentication login default local
    aaa authentication login techop group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default stop-only group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    aaa session-id common

    line vty 0 15
     login authentication techop

    TACACS+ works fine for ssh, but when I try the switch console
    I am able to log in to exec mode, but when it asks for the enable password
    the switch does not accept any password (either TACACS+ or local credentials).
    I am also only able to log in via the console with the local exec-mode
    credentials and not with the TACACS+ server credentials.

    Temp>en
    Password:
    % Authentication failed.

    Hi,

    Please share:

    debug aaa authentication
    debug aaa authorization
    debug tacacs

    Regards

    Ed

  • AAA reports

    Hi, I need to provide ACS reports that include all commands captured on firewalls/switches/routers.

    ACS has been set up successfully for these network devices, basic AAA works, I can see failed/passed authentications, and the different authorization levels have been configured correctly, but I only see the commands that were denied in the reports (tested with different user levels). How can I configure AAA to log the commands entered by, e.g., network device admins?

    Hi Ganesh, thanks for the reply.

    Unfortunately I am still unable to see executed commands in the tacacs+ accounting report. I have all report fields enabled and the configuration is the same as you suggested, but still no luck.  I set up a shell command authorization set and can see when read-only users (who have rights to run only the commands in the read-only authorization set) try to execute commands they are not authorized to run, but I cannot see all the commands executed on the switch.

    It is really important to have a record of who initiated which commands on network devices, and when.

    07/16/2010,09:18:30,AAAServer,GRoup,SWITCHES,CAT3560-T,UserName,192.168.182.1,start,15,,,,,,2,(Default),,,shell,,,,,,,,,,,,,,UTC,,,,,,,,,,,,,,,,,,,,,,,,No,Login,1,6,192.168.182.20,tty1

    Any other suggestions?

    Hello

    If your version of ACS is 4.1, TACACS+ command accounting does not work. No accounting is visible in the TACACS+ Administration log (bug CSCsg97429).

    Click this link if you use the ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:

    applAcs_4.1.1.23_ACS - 4.1 - CSTacacs -CSCsg97429.zip

    Hope this helps!

    Ganesh.H

    Don't forget to rate helpful posts.

  • ACS 5.2 and Cisco ACE RBAC does not...

    Would be grateful for help here if it can be provided.

    I am configuring TACACS+ auth for a Cisco ACE through our ACS 5.2 server. I think I have set everything up correctly, but when I log in with my TACACS+ account it only gives me Network-Monitor privileges.

    This is the ACE configuration I am using:

    tacacs-server host 1.1.1.1 key XXXXXXXX
    tacacs-server host 2.2.2.2 key XXXXXXXX
    tacacs-server timeout 10
    tacacs-server deadtime 30
    !
    aaa group server tacacs+ ACS
     server 1.1.1.1
     server 2.2.2.2
     exit
    !
    aaa authentication login default group ACS local
    aaa authentication login console group ACS local
    aaa accounting default group ACS

    !

    This is the ACS configuration:

    When I log in to the ACE I see it authenticating and pulling the right group in the ACS log:

    Logged At | Status | Details | User | Device name | Device group | Service | Identity store | Identity group | Network access

    Apr 30, 13 8:57:40.566 AM | xxxckxxx | AFA-ACE-internal | Device Type:All Device Types:Load Balancers, Network Devices, Location:Cameron Enterprises:Oklahoma:Data Center - 1 | Device Access.TACACS | AD1 | All Groups:Administrator - Full | HAPP-CSACS

    Apr 30, 13 8:52:20.256 AM | xxxckxxx | AFA-ACE-internal | Device Type:All Device Types:Load Balancers, Network Devices, Location:Cameron Enterprises:Oklahoma:Data Center - 1 | Device Access.TACACS | AD1 | All Groups:Administrator - Full | xxx

    Apr 30, 13 8:43:43.276 AM | xxxckxxx | AFA-ACE-internal | Device Type:All Device Types:Load Balancers, Network Devices, Location:Cameron Enterprises:Oklahoma:Data Center - 1 | Device Access.TACACS | AD1 | All Groups:Administrator - Full | xxx

    But when I log in to the ACE and do a show users I get:

    *  xxxckxxx  Dev_VC  pts/2  Apr 30 09:57  (x.x.x.x)  Network-Monitor  default-domain

    I've searched for days to find a solution for this with no luck. Any help would be greatly appreciated.

    Thank you.

    Well, it should effectively work at the same time.

    Could you please check the TACACS+ logs on ACS and verify that the correct SHELL PROFILE (Admin shell profile) is being selected.

    This can be checked under:

    Monitoring & Reports > Reports > Catalog > AAA Protocol > TACACS Authorization

    Also provide the output of

    show running-config

    Would appreciate if you can share the result here.

    Jatin kone

    -Do rate helpful posts-

  • Cannot get local login/authorization working on 6500s

    I have a need to allow a small group of level-15 users temporary access to several 6500 switches (running 12.2(33)SXJ2 code), but do not want to give out the enable secret password that is used on the rest of the network (over 1200 devices).  I tried to eliminate AAA using the command "no aaa new-model", but I was told that I could not remove aaa while there are active sessions, and 'login local' no longer appeared as an option for the vty lines.  So I created a local user database list, called 'support', that I used to replace the 'group' entry in the authentication and authorization sections of our AAA config and the login on vty 0 4.

    [The username is given privilege level 15 with an individual password for authentication.  (e.g. username jsmith privilege 15 password 0 xxxxx)]

    I changed our AAA configuration to support the local login, but could not get into "enable mode" (i.e. the # prompt) with any account.  I can log on locally, but only to normal "user mode" (i.e. the > prompt).

    Here is the current config, modified and sanitized, for our AAA sections and line vty 0 4.  Please tell me what needs to stay, and what can go.  Thank you!

    P.S.: for security reasons we want to track individual activity, so the AAA accounting part needs to stay.

    aaa new-model
    aaa group server tacacs+ XXXXXX
     server xxx.xxx.xxx.xxx
     server xxx.xxx.xxx.xxx
    !
    aaa authentication login default group XXXXXX enable
    aaa authentication enable default
    aaa authorization exec default group XXXXXX none
    aaa authorization commands 15 default if-authenticated
    aaa authorization network default group XXXXXX none
    aaa authorization network MLPPP-PPP none
    aaa authorization network MLPPP none
    aaa accounting exec default start-stop group XXXXXX
    aaa accounting commands 15 default start-stop group XXXXXX
    aaa accounting network default start-stop group XXXXXX
    aaa accounting connection default start-stop group XXXXXX
    aaa accounting system default start-stop group XXXXXX
    !
    line vty 0 4
     access-class 75 in
     exec-timeout 15 0
     privilege level 0
     password 7 xxxxxxxxxxxxxxxxxxx
     transport input ssh

    I will probably need more information before I can provide more help, but from what I see in the snippet you have aaa configured and your AAA server is a TACACS+ server. If this is the case you should keep the following in mind:

    1. If the authentication/authorization commands refer to the TACACS+ group, then you will need to add 'local' at the end of the command. This will allow local accounts to be used when the AAA server is down/unavailable.

    2. Keep in mind that local users will ONLY be used when the AAA server is down/unavailable. You cannot have a mixture of the two.

    Question: since you have a TACACS+ server, why don't you just create the temporary accounts directly on the TACACS+ server vs. local accounts? You can get very granular that way and only allow certain commands on certain devices, during certain times of day, etc...

    I hope this helps, and thank you for rating!
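    One way to give only vty 0 4 the local privilege-15 login the asker describes while keeping accounting on the TACACS+ server, as an added configuration example that is not from the thread. It reuses the server group XXXXXX from the posted config; the list name SUPPORT and the user jsmith are placeholders. Named method lists are consulted only by the lines that reference them, so the default lists, every other line and every other device stay as they are.

    ```cisco
    ! Added example, not from the thread. Assumes group XXXXXX already exists.
    username jsmith privilege 15 secret ChangeMe
    !
    ! Named lists: local authentication and authorization, but accounting
    ! still goes to the TACACS+ group so the activity is recorded centrally.
    aaa authentication login SUPPORT local
    aaa authorization exec SUPPORT local
    aaa authorization commands 15 SUPPORT local
    aaa accounting exec SUPPORT start-stop group XXXXXX
    aaa accounting commands 15 SUPPORT stop-only group XXXXXX
    !
    line vty 0 4
     login authentication SUPPORT
     authorization exec SUPPORT
     authorization commands 15 SUPPORT
     accounting exec SUPPORT
     accounting commands 15 SUPPORT
     ! "privilege level 0" on the line overrides the user's configured level;
     ! remove it so local exec authorization lands the user directly at 15.
     no privilege level
     access-class 75 in
     exec-timeout 15 0
     transport input ssh
    ```

    Local exec authorization places the user at the privilege level configured on the username, so the shared enable secret is never typed; the accounting records still carry the username, so the TACACS+ logs attribute what was done. Two caveats: incoming SSH sessions take the lowest free vty, so TACACS+ users also land on vty 0 4 and will be prompted for local credentials there (a `rotary` group with `ip ssh port ... rotary` separates the two if that matters), and the bindings and the local user should be removed when the temporary access ends, because ACS no longer authorizes anything on those lines.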

  • How to account total connection time with TACACS+

    Hi, we have the following scenario: this company uses two methods for remote access (employees only), RAS connections or VPN clients connecting to a PIX 535 over the Internet. We need to do accounting of the total connection time. In the case of RAS connections it is easy: we run AAA TACACS+ between the RAS and the ACS (ver 2.1) and check the start/end time. But for the Internet connections the start/stop time reflects the total time of each connection per user, i.e. telnet, snmp, ftp, etc., and those connections can be simultaneous (or not), so we cannot just add up every connection time for a single user, as it could be greater than the time that user was really connected. So how could we account for the total connection time in this case?

    Thanks in advance for your recommendations

    Unfortunately you can't. Accounting for VPN users on the PIX has been on the drawing board for some time now, but so far has not been implemented. You can check the status of bug ID CSCdu01327 for updates.

  • TACACS+ and local account

    Hi all... I'm trying to set up my Cisco switch so that it does not use the local account if the TACACS+ server is up. Here's what I have so far... Thank you

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting send stop-record authentication failure
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    The current configuration that you have will work in your favor.

    aaa authentication login default group tacacs+ local

    This command means the user can log in with a local username/password if the TACACS+ server goes down.

    Conclusion: local users will not be able to authenticate while the TACACS+ server is reachable.

    HTH

    Regds, jousset

    Please rate helpful posts ~
