Accounting
Command Authorization and Logging
CN4093 Application Guide for N/OS 8.2
Note: To obtain the TACACS+ backdoor password for your switch, contact your
Service and Support line.
Accounting is the action of recording a user's activities on the device for the
purposes of billing and/or security. It follows the authentication and authorization
actions. If authentication and authorization are not performed via TACACS+,
no TACACS+ accounting messages are sent.
You can use TACACS+ to record and track software login access, configuration
changes, and interactive commands.
The CN4093 supports the following TACACS+ accounting attributes:
protocol (console/telnet/ssh/http)
start_time
stop_time
elapsed_time
disc-cause
Note: When using the Browser-Based Interface, the TACACS+ Accounting Stop
records are sent only if the Quit button on the browser is clicked.
When TACACS+ Command Authorization is enabled
(CN4093(config)# tacacs-server command-authorization), Lenovo
N/OS configuration commands are sent to the TACACS+ server for authorization.
When TACACS+ Command Logging is enabled
(CN4093(config)# tacacs-server command-logging), Lenovo N/OS
configuration commands are logged on the TACACS+ server.
The following examples illustrate the format of Lenovo N/OS commands sent to
the TACACS+ server:
authorization request, cmd=cfgtree, cmdarg=/cfg/l3/if
accounting request, cmd=/cfg/l3/if, cmdarg=1
authorization request, cmd=cfgtree, cmdarg=/cfg/l3/if/ena
accounting request, cmd=/cfg/l3/if/ena
authorization request, cmd=cfgtree, cmdarg=/cfg/l3/if/addr
accounting request, cmd=/cfg/l3/if/addr, cmdarg=10.90.90.91
authorization request, cmd=apply
accounting request, cmd=apply
The following rules apply to TACACS+ command authorization and logging:
Only commands from a Console, Telnet, or SSH connection are sent for
authorization and logging. SNMP, BBI, or file-copy commands (for example,
TFTP or sync) are not sent.
Only leaf-level commands are sent for authorization and logging. For example,
CN4093(config)# is not sent, but
CN4093(config)# tacacs-server command-logging is sent.
The full path of each command is sent for authorization and logging. For
example: CN4093(config)# tacacs-server command-logging
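
The record format illustrated above can be audited by pairing each accounting request with the authorization request that precedes it. The following is an added example, not part of the Lenovo guide: it assumes the server-side log carries one record per line in exactly the form shown, and the names parse_record and reconcile are hypothetical.

```python
import re

# Constructed sample: the guide's eight example records, followed by two
# added lines (an authorization with no accounting, then the reverse).
SAMPLE = """\
authorization request, cmd=cfgtree, cmdarg=/cfg/l3/if
accounting request, cmd=/cfg/l3/if, cmdarg=1
authorization request, cmd=cfgtree, cmdarg=/cfg/l3/if/ena
accounting request, cmd=/cfg/l3/if/ena
authorization request, cmd=cfgtree, cmdarg=/cfg/l3/if/addr
accounting request, cmd=/cfg/l3/if/addr, cmdarg=10.90.90.91
authorization request, cmd=apply
accounting request, cmd=apply
authorization request, cmd=cfgtree, cmdarg=/cfg/l3/if/addr
accounting request, cmd=/cfg/l3/if/ena
"""

RECORD = re.compile(
    r"^(authorization|accounting) request, cmd=([^,\s]+)(?:, cmdarg=(.+))?$")

def parse_record(line):
    """Return (kind, cmd, cmdarg) for one record, or None if malformed."""
    m = RECORD.match(line.strip())
    return m.groups() if m else None

def reconcile(text):
    """Return (logged, unauthorized, unlogged) for a block of records."""
    pending, logged, unauthorized = [], [], []
    for raw in text.splitlines():
        rec = parse_record(raw)
        if rec is None:
            continue  # not a record in the assumed format
        kind, cmd, arg = rec
        if kind == "authorization":
            # Assumption drawn from the guide's examples: with cmd=cfgtree
            # the command path is carried in cmdarg; otherwise cmd is it.
            pending.append(arg if cmd == "cfgtree" and arg else cmd)
            continue
        entry = cmd if arg is None else f"{cmd} {arg}"
        logged.append(entry)
        if cmd in pending:
            pending.remove(cmd)         # accounting matched an authorization
        else:
            unauthorized.append(entry)  # logged with no authorization seen
    return logged, unauthorized, pending  # leftovers were never logged

if __name__ == "__main__":
    for name, rows in zip(("logged", "unauthorized", "unlogged"), reconcile(SAMPLE)):
        print(name, rows)
```

Because SNMP, BBI, and file-copy commands are never sent to the TACACS+ server, changes made through those paths appear in none of the three lists.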