Hi All,

I've set up a hdtest user that can run privilege commands by using privilege-level 3 and going into "enable 3". Whilst the user can run the privilege commands like ping and traceroute, I am not seeing these commands appear in the accounting logs for this user.

It looks like the command 'ping' does not appear anywhere in the log even when I use a privilege-level 15 user, so I can only assume that this is the desired behaviour. But with traceroute, I see it appearing in the logs for a privilege-level 15 user but not for a privilege-level 3 user? Any ideas why this is so or how to see it in the log for a privilege-level 3 user?

tac_plus.conf:

# create hdtest account
user = hdtest {
    member = helpdesk
    name = "Helpdesk Login"
}

#Helpdesk Group
group = helpdesk {
    default service = deny
    login = des "nsQW1T.SSs7Gk"
    enable = des "nsQW1T.SSs7Gk"
    cmd = quit {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = show
    {
        permit ip
        permit interface
        permit users
        permit privilege
        deny .*
    }
    cmd = enable
    {
        permit 3
        deny .*
    }
    cmd = ping
    {
        permit .*
    }
    cmd = traceroute
    {
        permit .*
    }
}

Cisco AAA Configuration:

aaa accounting send stop-record authentication failure
aaa accounting delay-start all
aaa accounting exec default
aaa accounting commands 0 default
aaa accounting commands 1 default
aaa accounting commands 3 default
aaa accounting commands 15 default
aaa accounting network default
aaa accounting connection default
aaa accounting system default

Cheers.

Andy