[tac_plus] Re: Can you log ping and traceroute commands?

Andy Saykao asaykao at gmail.com
Wed Dec 2 03:12:40 UTC 2009


Hi All,

Turns out IOS wasn't broken after all. It appears that IOS sees a ping
command as a priv-lvl 3 command and I didn't have priv-lvl 3 configured for
accounting.

aaa accounting commands 3 default start-stop group tacacs+

A 'debug aaa accounting' helped me figure out that the ping command is a
priv-lvl 3 command.

Dec  2 13:56:29 AEDT: AAA/MEMORY: create_user (0x66146308) user='user1'
ruser='myrouter' ds0=0 port='tty2' rem_addr='210.15.210.x' authen_type=ASCII
service=NONE priv=3 initial_task_id='0', vrf= (id=0)

Once I added priv-lvl 3 commands to aaa accounting, it shows up in the logs
now.

Wed Dec  2 13:55:58 2009        203.17.101.y   user1 tty2    210.15.210.x
stop    task_id=42      timezone=AEDT   service=shell
start_time=1259722589 priv-lvl=3       cmd=ping 210.15.254.x <cr>

Just a caveat with this, ping is priv-lvl3 on the two IOS I tested, but
traceroute showed up as priv-lvl3 using 122-31.SB13 and priv-lvl15 using
124-24.T1. That's Cisco for you with their priv-lvls...

Glad to finally get to the bottom of this.

Cheers.

Andy

On Fri, Nov 27, 2009 at 5:19 PM, john heasley <heas at shrubbery.net> wrote:

> Thu, Nov 26, 2009 at 11:45:07AM +1100, Andy Saykao:
> > Hi All,
> >
> > I've set up a hdtest user that can run privilege commands by using
> > privilege-level 3 and going into "enable 3". Whilst the user can run the
> > privilege commands like ping and traceroute, I am not seeing these
> > commands appear in the accounting logs for this user.
> >
> > It looks like the command 'ping' does not appear anywhere in the log even
> > when I use a privilege-level 15 user, so I can only assume that this is
> > the desired behaviour. But with traceroute, I see it appearing in the
> > logs for a privilege-level 15 user but not for a privilege-level 3 user?
> > Any ideas why this is so or how to see it in the log for a
> > privilege-level 3 user?
>
> that'd seem a clear indication that your ios is broken.
>
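
Added example (not part of the original post, and not tac_plus or Cisco code): a small audit that flags privilege levels at which commands run but for which no 'aaa accounting commands <level>' line exists, which is the gap described in the message above. The sample config, the sample debug line and all function names are constructed for illustration; it assumes commands were moved with 'privilege exec level N ...' lines.

```python
import re

# Constructed sample config (not from the post): levels 1 and 15 are
# accounted, but ping/traceroute have been moved to level 3.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
privilege exec level 3 traceroute
privilege exec level 3 ping
"""

# Constructed debug line modelled on the 'debug aaa accounting' output above.
SAMPLE_DEBUG = "AAA/MEMORY: create_user (0x0) user='user1' port='tty2' priv=3"

ACCT_RE = re.compile(r"^aaa accounting commands (\d+) ", re.M)
PRIV_RE = re.compile(r"^privilege \S+ (?:all )?level (\d+) (.+)$", re.M)
DEBUG_RE = re.compile(r"\bpriv=(\d+)\b")

def accounted_levels(config):
    """Levels that have an 'aaa accounting commands <level>' line."""
    return {int(m.group(1)) for m in ACCT_RE.finditer(config)}

def levels_in_use(config, debug_text=""):
    """Map level -> evidence that commands run at that level."""
    # Assumption: levels 1 and 15 always matter (IOS default command sets).
    used = {1: ["default user EXEC"], 15: ["default privileged EXEC"]}
    for m in PRIV_RE.finditer(config):
        used.setdefault(int(m.group(1)), []).append(m.group(2).strip())
    for m in DEBUG_RE.finditer(debug_text):
        used.setdefault(int(m.group(1)), []).append("seen in debug")
    return used

def accounting_gaps(config, debug_text=""):
    """Return {level: evidence} for levels in use but not accounted."""
    covered = accounted_levels(config)
    return {lvl: ev for lvl, ev in levels_in_use(config, debug_text).items()
            if lvl not in covered}

if __name__ == "__main__":
    for lvl, ev in sorted(accounting_gaps(SAMPLE_CONFIG, SAMPLE_DEBUG).items()):
        print(f"level {lvl} not accounted ({', '.join(ev)})")
        print(f"  add: aaa accounting commands {lvl} default start-stop group tacacs+")
```

Because the level a command sits at can differ between IOS releases, as noted above for traceroute, run the check against each device's own config and debug output rather than one template.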