AAA Authentication on Cisco IOS

Hello Azm

Let’s say I have a router on site and I want to keep track of all of the command line activity. Specifically, I want to monitor all of the commands that are entered in the executive mode command line and the processes they invoke. Since I have a TACACS+ server on site, I decide to use that as my accounting server. (I can use RADIUS as well.) Let’s say I have two TACACS+ servers at 10.10.10.31 and 10.10.10.32.

The first thing I would do is create an AAA group called my_server_group using the following commands:

aaa group server tacacs+ my_server_group 
  server 10.10.10.31
  server 10.10.10.32

Next, I would issue the following command to initiate accounting:

aaa accounting exec default start-stop group my_server_group

So, every time someone logs in to the command line and types enable, every additional command is sent to the accounting server and is recorded. For example, if I entered the command line and entered:

show running-config

the router would send the following information to the configured TACACS+ server:

time of command, issuer of command (user name), the command itself, and the time when the process has been completed.

Note that the start-stop keyword will send two times to the accounting server: the time the process was initiated (that is, when the command was entered) and the time when the process completed. The stop-only keyword can be used to give only the time of the ending of the process. Most processes are almost instantaneous; however, some may take seconds or even tens of seconds depending on the command.

So the TACACS+ server will accumulate a log of all of these events, their times and their details, so that in the future, if the network goes down because of a mistake in command line commands, you can know who to blame :)

The other commands are just permutations of this command and just change what is recorded and how it is recorded.

I hope this has been helpful!

Laz

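As an added illustration (not part of Laz's post or any Cisco tool), the script below correlates the start and stop accounting records a TACACS+ server would write, pairing them by task_id to show who ran which command and how long it took; the log lines are constructed in the style of a tac_plus accounting file, not captured from a real device.

```python
import re
from datetime import datetime

# Constructed sample in the style of a tac_plus accounting file (not a real capture):
# timestamp, NAS IP, user, port, remote address, start|stop, then key=value attributes.
SAMPLE_LOG = """\
Tue Jun 11 10:02:11 2024 10.10.10.1 laz tty2 192.0.2.50 start task_id=41 timezone=UTC service=shell cmd=show running-config
Tue Jun 11 10:02:12 2024 10.10.10.1 laz tty2 192.0.2.50 stop task_id=41 timezone=UTC service=shell cmd=show running-config elapsed_time=1
Tue Jun 11 10:05:00 2024 10.10.10.1 bob tty3 192.0.2.51 start task_id=42 timezone=UTC service=shell cmd=copy running-config startup-config
Tue Jun 11 10:05:09 2024 10.10.10.1 bob tty3 192.0.2.51 stop task_id=42 timezone=UTC service=shell cmd=copy running-config startup-config elapsed_time=9
Tue Jun 11 10:07:30 2024 10.10.10.1 bob tty3 192.0.2.51 start task_id=43 timezone=UTC service=shell cmd=reload
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<rem>\S+) "
    r"(?P<status>start|stop)\s*(?P<attrs>.*)$"
)
# cmd= values contain spaces, so a value runs until the next " key=" token or end of line.
ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def correlate(log_text):
    """Pair start and stop records by (NAS, task_id) and compute elapsed seconds per command."""
    tasks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an accounting record
        attrs = dict(ATTR_RE.findall(m["attrs"]))
        key = (m["nas"], attrs.get("task_id"))
        rec = tasks.setdefault(key, {"nas": m["nas"], "user": m["user"],
                                     "cmd": attrs.get("cmd", ""), "start": None, "stop": None})
        rec[m["status"]] = datetime.strptime(m["ts"], TS_FMT)
    for rec in tasks.values():
        # None when only one half arrived: still running, record lost, or stop-only accounting
        rec["seconds"] = ((rec["stop"] - rec["start"]).total_seconds()
                          if rec["start"] and rec["stop"] else None)
    return list(tasks.values())


def report(log_text):
    rows = []  # one line per command: NAS, user, duration (or 'incomplete'), command
    for r in correlate(log_text):
        dur = f"{r['seconds']:.0f}s" if r["seconds"] is not None else "incomplete"
        rows.append(f"{r['nas']} {r['user']:<6} {dur:>10}  {r['cmd']}")
    return rows


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```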