[tac_plus] Re: Can you log ping and traceroute commands?

Schmidt, Daniel dan.schmidt at uplinkdata.com
Wed Dec 2 15:48:31 UTC 2009


That should not be; Cisco only uses 0, 1 and 15 by default. You have not
done any privilege exec level commands?

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Andy Saykao
Sent: Tuesday, December 01, 2009 8:13 PM
To: john heasley
Cc: tac_plus at shrubbery.net
Subject: [tac_plus] Re: Can you log ping and traceroute commands?

Hi All,

Turns out IOS wasn't broken after all. It appears that IOS sees a ping
command as a priv-lvl 3 command and I didn't have priv-lvl 3 configured for
accounting.

aaa accounting commands 3 default start-stop group tacacs+

A 'debug aaa accounting' helped me figure out that the ping command is a
priv-lvl 3 command.

Dec  2 13:56:29 AEDT: AAA/MEMORY: create_user (0x66146308) user='user1' ruser='myrouter' ds0=0 port='tty2' rem_addr='210.15.210.x' authen_type=ASCII service=NONE priv=3 initial_task_id='0', vrf= (id=0)

Once I added priv-lvl 3 commands to aaa accounting, it now shows up in the
logs.

Wed Dec  2 13:55:58 2009        203.17.101.y   user1 tty2    210.15.210.x    stop    task_id=42      timezone=AEDT   service=shell   start_time=1259722589 priv-lvl=3       cmd=ping 210.15.254.x <cr>

Just a caveat with this: ping is priv-lvl 3 on the two IOS versions I tested,
but traceroute showed up as priv-lvl 3 using 122-31.SB13 and priv-lvl 15
using 124-24.T1. That's Cisco for you with their priv-lvls...

Glad to finally get to the bottom of this.

Cheers.

Andy

On Fri, Nov 27, 2009 at 5:19 PM, john heasley <heas at shrubbery.net> wrote:

> Thu, Nov 26, 2009 at 11:45:07AM +1100, Andy Saykao:
> > Hi All,
> >
> > I've set up a hdtest user that can run privilege commands by using
> > privilege-level 3 and going into "enable 3". Whilst the user can run the
> > privilege commands like ping and traceroute, I am not seeing these commands
> > appear in the accounting logs for this user.
> >
> > It looks like the command 'ping' does not appear anywhere in the log even
> > when I use a privilege-level 15 user, so I can only assume that this is the
> > desired behaviour. But with traceroute, I see it appearing in the logs for a
> > privilege-level 15 user but not for a privilege-level 3 user? Any ideas why
> > this is so or how to see it in the log for a privilege-level 3 user?
>
> that'd seem a clear indication that your ios is broken.
>
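A check that follows from the thread above, added here as an example and not code from the original messages or from the tac_plus project: because IOS assigns ping and traceroute different privilege levels depending on release, an audit should confirm that every privilege level a router actually uses has a matching `aaa accounting commands <level>` statement, and the tac_plus accounting file should then show commands at each of those levels. The running-config excerpt and accounting records below are constructed samples (RFC 5737 addresses) modelled on the lines quoted in the thread; the tab-separated record layout is assumed to be the one tac_plus writes to its accounting file.

```python
"""Audit IOS command-accounting coverage per privilege level and summarise a
tac_plus accounting file by priv-lvl.

Added example, not code from the tac_plus project or the mailing-list thread.
The config and log text below are constructed samples (RFC 5737 addresses).
"""
import re

# 'aaa accounting commands <level> ...' lines: which levels are accounted.
ACCOUNTING_RE = re.compile(r"^aaa accounting commands (\d+)\s")

# Config statements that put a privilege level into use on the device.
LEVEL_IN_USE_RES = (
    re.compile(r"^privilege \S+ level (\d+)\s"),               # privilege exec level 3 ping
    re.compile(r"^username \S+ .*\bprivilege (\d+)\b"),        # username hdtest privilege 3
    re.compile(r"^enable (?:secret|password) level (\d+)\s"),  # enable secret level 3 ...
)

# Constructed running-config excerpt: level 3 is in use, but only 1 and 15 are accounted.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username hdtest privilege 3
privilege exec level 3 ping
privilege exec level 3 traceroute
"""

# Constructed tac_plus accounting records (tab-separated, as assumed for the accounting file).
SAMPLE_LOG = (
    "Wed Dec  2 13:55:58 2009\t203.0.113.10\tuser1\ttty2\t198.51.100.7\tstop\t"
    "task_id=42\ttimezone=AEDT\tservice=shell\tstart_time=1259722589\t"
    "priv-lvl=3\tcmd=ping 192.0.2.1 <cr>\n"
    "Wed Dec  2 13:56:10 2009\t203.0.113.10\tuser1\ttty2\t198.51.100.7\tstop\t"
    "task_id=43\ttimezone=AEDT\tservice=shell\tstart_time=1259722600\t"
    "priv-lvl=15\tcmd=traceroute 192.0.2.1 <cr>\n"
)


def accounted_levels(config: str) -> set[int]:
    """Privilege levels that have an 'aaa accounting commands <n>' statement."""
    levels = set()
    for line in config.splitlines():
        m = ACCOUNTING_RE.match(line.strip())
        if m:
            levels.add(int(m.group(1)))
    return levels


def levels_in_use(config: str) -> set[int]:
    """Privilege levels the config puts into use; 1 and 15 always exist on IOS."""
    levels = {1, 15}
    for line in config.splitlines():
        for rx in LEVEL_IN_USE_RES:
            m = rx.match(line.strip())
            if m:
                levels.add(int(m.group(1)))
    return levels


def unaccounted_levels(config: str) -> list[int]:
    """Levels in use with no command accounting: commands run there never reach tac_plus."""
    return sorted(levels_in_use(config) - accounted_levels(config))


def parse_accounting_record(line: str) -> dict:
    """Split one tac_plus accounting line: six positional fields, then key=value pairs."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError(f"malformed accounting record: {line!r}")
    rec = dict(zip(("time", "nas", "user", "port", "rem_addr", "status"), fields[:6]))
    for pair in fields[6:]:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def commands_by_level(log: str) -> dict[int, list[str]]:
    """Group shell commands from accounting records by the priv-lvl IOS reported."""
    grouped: dict[int, list[str]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_accounting_record(line)
        if rec.get("service") != "shell" or "cmd" not in rec:
            continue
        cmd = rec["cmd"].removesuffix("<cr>").strip()
        grouped.setdefault(int(rec.get("priv-lvl", "0")), []).append(cmd)
    return grouped


if __name__ == "__main__":
    missing = unaccounted_levels(SAMPLE_CONFIG)
    print("levels in use without command accounting:", missing or "none")
    for level, cmds in sorted(commands_by_level(SAMPLE_LOG).items()):
        print(f"priv-lvl {level}: {', '.join(cmds)}")
```

Run against a real `show running-config` and the tac_plus accounting file, the first function reports exactly the gap Andy hit (level 3 in use, no `aaa accounting commands 3` line), and the second shows which levels IOS actually reported for ping and traceroute on that release, so the check does not depend on guessing Cisco's per-command levels.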