06-05-2014 05:45 AM
I have a customer that is looking to replace their existing Cisco ACS server and possibly use ClearPass. They are currently tracking every command that an authenticated user submits on their Cisco switches. Is this even possible with ClearPass? Possibly with Insight?
06-05-2014 05:47 AM - edited 06-05-2014 05:52 AM
06-05-2014 06:14 AM
Hope all is well...
So in order to log all commands that a user enters, we have to first permit what commands we want to allow and then somehow turn on logging on them? We've provided the customer with a PoC CPPM using the canned PoC templates for ACS replacement, but it does not spell out how to do this piece.
06-05-2014 06:16 AM
You do not have to turn on command authorization to log commands. By default it will log all commands once accounting is turned up.
Once you enable TACACS+ accounting, the logs will appear in the Accounting log in CPPM.
06-05-2014 09:03 AM
On a Cisco device you need to make sure you have:
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
Or you will not get all the commands logged.
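As an added example (not posted in this thread), a small Python check that reads an IOS config fragment and reports the privilege levels that have TACACS+ command authorization but no matching command accounting; commands at those levels never reach the ClearPass Accounting log. The sample config is the fragment from the answer above; the regexes and the function name are my own.

```python
import re

# Constructed sample: the AAA lines posted above (only level 15 has command accounting).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
"""

# aaa authorization commands <level> <list> <method-list>
AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
# aaa accounting commands <level> <list> <start-stop|stop-only|none> [<method-list>]
ACCT_RE = re.compile(
    r"^aaa accounting commands (\d+) (\S+) (start-stop|stop-only|none)(?: (.+))?$"
)


def command_accounting_gaps(config: str) -> dict:
    """Compare per-privilege-level command authorization against command
    accounting. IOS accounts commands per level, so a level with
    authorization but no accounting runs commands that are never sent
    to the TACACS+ server."""
    authorized, accounted = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTHZ_RE.match(line)
        if m and "tacacs+" in m.group(3):
            authorized.add(int(m.group(1)))
            continue
        m = ACCT_RE.match(line)
        if m and m.group(3) != "none" and m.group(4) and "tacacs+" in m.group(4):
            accounted.add(int(m.group(1)))
    return {
        "authorized_levels": sorted(authorized),
        "accounted_levels": sorted(accounted),
        # Authorized but unaccounted: these commands will not show up in CPPM.
        "unlogged_levels": sorted(authorized - accounted),
    }


if __name__ == "__main__":
    for key, levels in command_accounting_gaps(SAMPLE_CONFIG).items():
        print(f"{key}: {levels}")
```

Run against a real running-config, any level listed under `unlogged_levels` needs its own `aaa accounting commands <level> default start-stop group tacacs+` line before CPPM will show those commands.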