TACACS authentication for a Cisco switch is done against ClearPass. We have also enabled TACACS accounting to ClearPass and can see the accounting records there. The accounting records contain details of the commands executed in the switch CLI after a successful login. However, when we generate a TACACS authentication report, the commands executed in privileged mode do not show up in the report.
Verify that the commands are showing up in the accounting data from Monitoring > Live Monitoring > Accounting.
Verify that Insight is enabled on the node.
Verify that the report has entries for TACACS authentication and only the commands are missing.
If these three have been verified and the commands still do not show up in the report, the cause could be that TACACS command authorization is disabled on the switch. Insight populates the commands only when command authorization is also done against ClearPass, so accounting alone is not enough. Hence we need to enable TACACS command authorization against ClearPass.
To enable command authorization on a Cisco switch, use the following configuration commands:
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
Once this configuration is applied, the executed commands should show up in the authorization tab in Access Tracker.
The commands will also show up in the TACACS authentication report in Insight.
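The following Python check is an added example, not part of the original article or of any ClearPass or Cisco tool. It scans a saved running-config for the three authorization lines listed above and reports what is missing; the function name and the sample config are constructed for illustration, and only the default method list is inspected.

```python
import re

# Privilege levels the article configures for command authorization.
REQUIRED_LEVELS = (1, 15)
CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")

def audit_command_authorization(running_config):
    """Return a list of findings; an empty list means the article's settings are present."""
    config_commands = False
    default_methods = {}  # privilege level -> methods of the 'default' list
    for raw in running_config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line == "aaa authorization config-commands":
            config_commands = True
            continue
        m = CMD_AUTHZ.match(line)
        if m and m.group(2) == "default":
            default_methods[int(m.group(1))] = m.group(3)
    findings = []
    if not config_commands:
        findings.append("missing: aaa authorization config-commands")
    for level in REQUIRED_LEVELS:
        methods = default_methods.get(level)
        if methods is None:
            findings.append(f"missing: aaa authorization commands {level} default ...")
        elif "group tacacs+" not in methods:
            findings.append(f"level {level}: default list does not use group tacacs+ ({methods})")
    return findings

# Constructed sample: command accounting is on, but authorization is incomplete.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization commands 15 default group tacacs+ local if-authenticated
"""

if __name__ == "__main__":
    for finding in audit_command_authorization(SAMPLE_CONFIG):
        print(finding)
```

A switch that uses a named TACACS server group or a named method list instead of the default list will be flagged by this check and needs a manual review.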