[tac_plus] cmd-arg command authorization logging

Servet Erkun servet.erkun at gmail.com
Fri Nov 18 17:00:03 UTC 2011


Hello

I have a problem with authorization commands on tac_plus.
I see cmd commands in the tac_plus log file, but I also want to see the cmd-arg
command. I tried many ways, but I failed.
Could you explain whether tac_plus can log the cmd-arg parameters? The Cisco
router says that I send all command authorization messages, but tac_plus
does not log the cmd-arg messages.

Cisco debug output says:

AAA/AUTHOR (0): user='servet'
AAA/AUTHOR (0): send AV service=shell
AAA/AUTHOR (0): send AV cmd=ip
AAA/AUTHOR (0): send AV cmd-arg=ospf
AAA/AUTHOR (0): send AV cmd-arg=cost
AAA/AUTHOR (0): send AV cmd-arg=10000
AAA/AUTHOR (0): send AV cmd-arg=<cr>
AAA/AUTHOR (226099858): Method=TACACS+
AAA/AUTHOR/TAC+ (226099858): user=servet
AAA/AUTHOR/TAC+ (226099858): send AV service=shell
AAA/AUTHOR/TAC+ (226099858): send AV cmd=ip
AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=ospf
AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=cost
AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=10000
AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=<cr>end
AAA/AUTHOR (226099858): Post authorization status = PASS_ADD
AAA/AUTHOR (0): user='servet'
AAA/AUTHOR (0): send AV service=shell
AAA/AUTHOR (0): send AV cmd=end
AAA/AUTHOR (0): send AV cmd-arg=<cr>
AAA/AUTHOR (475071597): Method=TACACS+
AAA/AUTHOR/TAC+ (475071597): user=servet
AAA/AUTHOR/TAC+ (475071597): send AV service=shell
AAA/AUTHOR/TAC+ (475071597): send AV cmd=end
AAA/AUTHOR/TAC+ (475071597): send AV cmd-arg=<cr>
AAA/AUTHOR (475071597): Post authorization status = PASS_ADD
%SYS-5-CONFIG_I: Configured from console by vty0 (212.58.13.41)



tac_plus log file says:

Fri Nov 18 19:04:11 2011 [59820]: connect from 1.1.1.1 [1.1.1.1]
Fri Nov 18 19:04:11 2011 [59820]: Start authorization request
Fri Nov 18 19:04:11 2011 [59820]: do_author: user='servet'
Fri Nov 18 19:04:11 2011 [59820]: user 'servet' found
Fri Nov 18 19:04:11 2011 [59820]: authorize_cmd: user=servet, cmd=configure
Fri Nov 18 19:04:11 2011 [59820]: cmd configure does not exist, permitted
by default
Fri Nov 18 19:04:11 2011 [59820]: authorization query for 'servet' tty18
from 1.1.1.1 accepted
Fri Nov 18 19:04:14 2011 [59821]: connect from 1.1.1.1 [1.1.1.1]
Fri Nov 18 19:04:14 2011 [59821]: Start authorization request
Fri Nov 18 19:04:14 2011 [59821]: do_author: user='servet'
Fri Nov 18 19:04:14 2011 [59821]: user 'servet' found
Fri Nov 18 19:04:14 2011 [59821]: authorize_cmd: user=servet, cmd=interface
Fri Nov 18 19:04:14 2011 [59821]: cmd interface does not exist, permitted
by default
Fri Nov 18 19:04:14 2011 [59821]: authorization query for 'servet' tty18
from 1.1.1.1 accepted
Fri Nov 18 19:04:22 2011 [59822]: connect from 1.1.1.1 [1.1.1.1]
Fri Nov 18 19:04:22 2011 [59822]: Start authorization request
Fri Nov 18 19:04:22 2011 [59822]: do_author: user='servet'
Fri Nov 18 19:04:22 2011 [59822]: user 'servet' found
Fri Nov 18 19:04:22 2011 [59822]: authorize_cmd: user=servet, cmd=ip
Fri Nov 18 19:04:22 2011 [59822]: cmd ip does not exist, permitted by
default
Fri Nov 18 19:04:22 2011 [59822]: authorization query for 'servet' tty18
from 1.1.1.1 accepted
Fri Nov 18 19:04:23 2011 [59823]: connect from 1.1.1.1 [1.1.1.1]
Fri Nov 18 19:04:23 2011 [59823]: Start authorization request
Fri Nov 18 19:04:23 2011 [59823]: do_author: user='servet'
Fri Nov 18 19:04:23 2011 [59823]: user 'servet' found
Fri Nov 18 19:04:23 2011 [59823]: authorize_cmd: user=servet, cmd=end
Fri Nov 18 19:04:23 2011 [59823]: cmd end does not exist, permitted by
default
Fri Nov 18 19:04:23 2011 [59823]: authorization query for 'servet' tty18
from 1.1.1.1 accepted
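
An added example, not part of the original post and not tac_plus code: a Python parser that groups the router's AAA/AUTHOR debug lines by request id and rebuilds the full command line (cmd plus its cmd-arg values), giving the per-command record that the tac_plus log above does not show. The function name and the handling of id 0 lines as duplicates are assumptions made for this example.

```python
import re

# Constructed sample: a subset of the router debug lines quoted in the post.
SAMPLE_DEBUG = """\
AAA/AUTHOR (0): send AV cmd=ip
AAA/AUTHOR/TAC+ (226099858): user=servet
AAA/AUTHOR/TAC+ (226099858): send AV service=shell
AAA/AUTHOR/TAC+ (226099858): send AV cmd=ip
AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=ospf
AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=cost
AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=10000
AAA/AUTHOR/TAC+ (226099858): send AV cmd-arg=<cr>end
AAA/AUTHOR (226099858): Post authorization status = PASS_ADD
AAA/AUTHOR/TAC+ (475071597): user=servet
AAA/AUTHOR/TAC+ (475071597): send AV cmd=end
AAA/AUTHOR/TAC+ (475071597): send AV cmd-arg=<cr>
AAA/AUTHOR (475071597): Post authorization status = PASS_ADD
"""

LINE = re.compile(r"^AAA/AUTHOR(?:/TAC\+)? \((\d+)\): (.+)$")

def reconstruct_commands(debug_text):
    """Group debug lines by request id and rebuild the full command line."""
    requests = {}  # request id -> record; dicts keep insertion order
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) == "0":
            continue  # assumption: id 0 lines only repeat AVs shown under the real id
        rec = requests.setdefault(
            m.group(1), {"user": None, "cmd": None, "args": [], "status": None})
        body = m.group(2)
        if body.startswith("user="):
            rec["user"] = body[len("user="):].strip("'")
        elif body.startswith("send AV cmd-arg="):
            arg = body[len("send AV cmd-arg="):]
            if not arg.startswith("<cr>"):  # <cr> marks the end of the command line
                rec["args"].append(arg)
        elif body.startswith("send AV cmd="):
            rec["cmd"] = body[len("send AV cmd="):]
        elif body.startswith("Post authorization status = "):
            rec["status"] = body.rsplit("= ", 1)[1]
    return [{"id": rid, "user": r["user"], "status": r["status"],
             "command": " ".join([r["cmd"] or ""] + r["args"]).strip()}
            for rid, r in requests.items()]

if __name__ == "__main__":
    for entry in reconstruct_commands(SAMPLE_DEBUG):
        print(entry)
```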