Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ACS replacement with ClearPass

  • 1.  ACS replacement with ClearPass

    Posted Jun 05, 2014 08:46 AM

    All,

    I have a customer that is looking to replace their existing Cisco ACS server and possibly use ClearPass. They are currently tracking every command that an authenticated user submits on their Cisco switches. Is this even possible with ClearPass? Possibly with Insight?


    Thanks,



  • 2.  RE: ACS replacement with ClearPass

    EMPLOYEE
    Posted Jun 05, 2014 08:48 AM
    Yes.


  • 3.  RE: ACS replacement with ClearPass

    Posted Jun 05, 2014 09:15 AM

    Troy,

    hope all is well...

    So in order to log all commands that a user enters, we have to first permit what commands we want to allow and then somehow turn on logging on them? We've provided the customer with a PoC CPPM using the canned PoC templates for ACS replacement, but it does not spell out how to do this piece.


    thanks,


    Kevin




  • 4.  RE: ACS replacement with ClearPass

    EMPLOYEE
    Posted Jun 05, 2014 09:16 AM

    You do not have to turn on command authorization to log commands. By default it will log all commands once accounting is turned up.


    Once you enable TACACS+ accounting, the logs will appear in the Accounting log in CPPM.



  • 5.  RE: ACS replacement with ClearPass

    EMPLOYEE
    Posted Jun 05, 2014 12:03 PM

    On a Cisco device you need to make sure you have:

    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+

    Or you will not get all the commands logged.


    cmd.png
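An added check, not from the thread or from HPE: a small Python script that scans a Cisco running-config excerpt for the AAA lines listed in the post above and reports which are absent. It also flags privilege levels that have TACACS+ command authorization but no command accounting, which goes beyond the post's list: IOS accounts commands per privilege level, so commands at those levels are authorized but never reach the ClearPass Accounting log. The sample config is constructed.

```python
import re

# Constructed sample running-config excerpt (not from the thread): it has the
# authorization lines from the post but lacks "aaa accounting commands 15", so
# privilege-15 commands would never appear in the ClearPass Accounting log.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting connection default start-stop group tacacs+
"""

# Lines the post says must be present: (pattern to look for, line to report if absent).
REQUIRED = [
    (r"^aaa authorization config-commands$", "aaa authorization config-commands"),
    (r"^aaa authorization commands 0 \S+ group tacacs\+", "aaa authorization commands 0 default group tacacs+ none"),
    (r"^aaa authorization commands 1 \S+ group tacacs\+", "aaa authorization commands 1 default group tacacs+ if-authenticated"),
    (r"^aaa authorization commands 15 \S+ group tacacs\+", "aaa authorization commands 15 default group tacacs+ if-authenticated"),
    (r"^aaa accounting commands 15 \S+ start-stop group tacacs\+", "aaa accounting commands 15 default start-stop group tacacs+"),
    (r"^aaa accounting connection \S+ start-stop group tacacs\+", "aaa accounting connection default start-stop group tacacs+"),
]

def _lines(config):
    return [line.strip() for line in config.splitlines()]

def missing_lines(config):
    """Return the required AAA lines (from the post) that do not appear in the config."""
    lines = _lines(config)
    return [want for pat, want in REQUIRED if not any(re.match(pat, line) for line in lines)]

def unaccounted_levels(config):
    """Privilege levels with TACACS+ command authorization but no command accounting.
    Commands entered at these levels are authorized but never logged."""
    authz, acct = set(), set()
    for line in _lines(config):
        m = re.match(r"^aaa authorization commands (\d+) \S+ group tacacs\+", line)
        if m:
            authz.add(int(m.group(1)))
        m = re.match(r"^aaa accounting commands (\d+) \S+ (?:start-stop|stop-only|wait-start) group tacacs\+", line)
        if m:
            acct.add(int(m.group(1)))
    return sorted(authz - acct)

if __name__ == "__main__":
    for want in missing_lines(SAMPLE_CONFIG):
        print("missing:", want)
    print("authorized but not accounted levels:", unaccounted_levels(SAMPLE_CONFIG))
```

Paste the output of `show running-config | include aaa` in place of the sample to audit a real switch.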



  • 6.  RE: ACS replacement with ClearPass

    Posted Jun 09, 2014 12:34 PM

    Do we need to do anything in the CPPM enforcement profile to enable accounting? We've added the commands to the switch but see nothing in the CPPM accounting logs.


    Thanks,



  • 7.  RE: ACS replacement with ClearPass

    EMPLOYEE
    Posted Jun 09, 2014 12:36 PM

    Is TACACS authentication and/or authorization working?



  • 8.  RE: ACS replacement with ClearPass

    Posted Jun 09, 2014 12:40 PM

    Yes, authentication is working.



  • 9.  RE: ACS replacement with ClearPass

    Posted Jun 09, 2014 02:16 PM

    Ok, I can now see the authenticated session and the commands run during that session under accounting. How do we show the commands in the report format as above?




  • 10.  RE: ACS replacement with ClearPass

    EMPLOYEE
    Posted Jun 09, 2014 04:27 PM

    tacacsreport1.png


    tacacsreport2.png



  • 11.  RE: ACS replacement with ClearPass
    Best Answer

    EMPLOYEE
    Posted Jun 05, 2014 08:48 AM

    Yes, ClearPass can do full TACACS+ command logging and authorization.


    tacacs-command-authz.PNG



  • 12.  RE: ACS replacement with ClearPass

    Posted Jun 05, 2014 09:16 AM

    I see this would allow us to permit/deny specific commands, but how do we log everything the user does on the switch?