[tac_plus] Can you log ping and traceroute commands?
Andy Saykao
asaykao at gmail.com
Thu Nov 26 00:45:07 UTC 2009
Hi All,
I've set up an hdtest user that can run privilege commands by using
privilege-level 3 and going into "enable 3". Whilst the user can run the
privilege commands like ping and traceroute, I am not seeing these commands
appear in the accounting logs for this user.
It looks like the command 'ping' does not appear anywhere in the log even
when I use a privilege-level 15 user, so I can only assume that this is the
desired behaviour. But with traceroute, I see it appearing in the logs for a
privilege-level 15 user but not for a privilege-level 3 user? Any ideas why
this is so or how to see it in the log for a privilege-level 3 user?
tac_plus.conf:
# create hdtest account
user = hdtest {
    member = helpdesk
    name = "Helpdesk Login"
}

# Helpdesk Group
group = helpdesk {
    default service = deny
    login = des "nsQW1T.SSs7Gk"
    enable = des "nsQW1T.SSs7Gk"
    cmd = quit {
        permit .*
    }
    cmd = exit {
        permit .*
    }
    cmd = show {
        permit ip
        permit interface
        permit users
        permit privilege
        deny .*
    }
    cmd = enable {
        permit 3
        deny .*
    }
    cmd = ping {
        permit .*
    }
    cmd = traceroute {
        permit .*
    }
}
Cisco AAA Configuration:
aaa accounting send stop-record authentication failure
aaa accounting delay-start all
aaa accounting exec default
aaa accounting commands 0 default
aaa accounting commands 1 default
aaa accounting commands 3 default
aaa accounting commands 15 default
aaa accounting network default
aaa accounting connection default
aaa accounting system default
Cheers.
Andy
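As an added example (not from the post, and not tac_plus's own code), a small Python audit that compares the commands a tac_plus group permits with the cmd= pairs that actually reach the accounting log for a given user and privilege level, so gaps like the missing ping/traceroute records described above show up as a list. It assumes tac_plus's default tab-separated accounting record layout; the config fragment and the accounting records are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed tac_plus.conf fragment (modelled on the helpdesk group in the post) and
# constructed accounting records, not from the original message. Record fields are
# tab-separated: timestamp, NAS, user, port, remote address, start/stop, then AV pairs.
SAMPLE_CONF = """group = helpdesk {
    cmd = show { permit ip
                 deny .* }
    cmd = enable { permit 3
                   deny .* }
    cmd = ping { permit .* }
    cmd = traceroute { permit .* }
}"""
SAMPLE_ACCT = (
    "Thu Nov 26 00:40:01 2009\t10.0.0.1\thdtest\ttty1\t10.0.0.50\tstop\t"
    "task_id=11\tservice=shell\tpriv-lvl=3\tcmd=show ip interface brief <cr>\n"
    "Thu Nov 26 00:40:09 2009\t10.0.0.1\thdtest\ttty1\t10.0.0.50\tstart\t"
    "task_id=12\tservice=shell\n"
    "Thu Nov 26 00:41:30 2009\t10.0.0.1\tadmin\ttty2\t10.0.0.51\tstop\t"
    "task_id=20\tservice=shell\tpriv-lvl=15\tcmd=traceroute 10.0.0.2 <cr>\n"
)

def parse_acct(text):
    """Map (user, priv-lvl) to the set of command keywords seen in cmd= pairs."""
    seen = defaultdict(set)
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # truncated record: nothing to learn from it
        avs = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
        if avs.get("service") != "shell" or "cmd" not in avs:
            continue  # exec start/stop records carry no command
        seen[(fields[2], avs.get("priv-lvl", "?"))].add(avs["cmd"].split()[0])
    return seen

def permitted_cmds(conf, group):
    """Command names declared with cmd = NAME inside one group stanza."""
    m = re.search(r"group\s*=\s*%s\s*\{" % re.escape(group), conf)
    if not m:
        return set()
    depth, i = 1, m.end()
    while depth and i < len(conf):  # walk to the brace that closes the group
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return set(re.findall(r"cmd\s*=\s*(\S+)", conf[m.end():i]))

def unaccounted(conf, group, acct, user, priv_lvl):
    """Commands the group may run that left no accounting record for user at priv_lvl."""
    return sorted(permitted_cmds(conf, group) - parse_acct(acct).get((user, priv_lvl), set()))
```

Run against a real accounting file and the live tac_plus.conf, a non-empty result for a user who has actually been running those commands is the gap worth chasing on the NAS side.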