Web UI Configuration Command Accounting in TACACS+ Server

Feature History for Web UI Configuration Command Accounting in TACACS+ Server

This table provides release and related information for the feature explained in this module.

This feature is also available in all the releases subsequent to the one in which it is introduced, unless noted otherwise.

Table 1. Feature History for Web UI Configuration Command Accounting in TACACS+ Server

Release: Cisco IOS XE Cupertino 17.9.1

Feature: Logging Web UI-Based Configuration Changes in TACACS+ Server

Feature Information: This feature logs all configuration changes made in the controller web UI. Support for logging configuration changes made in the IOS console to the TACACS+ server is already available.

Information About Web UI Configuration Command Accounting in TACACS+ Server

The Cisco Catalyst 9800 Series Wireless Controller configuration is stored in databases. Prior to the Cisco IOS XE Cupertino 17.9.1 release, no audit log or traceability was available for configuration changes made from the controller GUI and stored in those databases. Starting with Cisco IOS XE Cupertino 17.9.1, in addition to the existing logging of commands executed from the Cisco IOS console to the TACACS+ server, configuration changes made from the controller GUI are also logged to the TACACS+ server. The logged information includes the command, the user, and other session-related parameters.

Guidelines for Web UI Configuration Command Accounting in TACACS+ Server

  • By default, configuration commands are not logged to the TACACS+ server; command accounting must be configured first.

  • All commands are accounted when AAA default command accounting is configured only for privilege level 15.

  • When AAA default command accounting is not configured and commands need to be logged in the TACACS+ server, configure the following:

    1. HTTP command accounting using a named method list.

    2. AAA command accounting using a named method list (the same list as the one configured in Step 1).

Configuring AAA Accounting Using Default Method List (CLI)

Procedure

Step 1

  Command or Action: configure terminal

  Example:

  Device# configure terminal

  Purpose: Enters global configuration mode.

Step 2

  Command or Action: aaa accounting commands privilege_level default start-stop group group-name

  Example:

  Device(config)# aaa accounting commands 15 default start-stop group group-name

  Purpose: Creates an accounting method list and enables accounting.

    • privilege_level: AAA accounting level. The valid range is from 0 to 15.

    • group-name: AAA accounting group that supports only TACACS+ group.

Step 3

  Command or Action: end

  Example:

  Device(config)# end

  Purpose: Returns to privileged EXEC mode.

Configuring HTTP Command Accounting Using Named Method List (CLI)

Procedure

Step 1

  Command or Action: configure terminal

  Example:

  Device# configure terminal

  Purpose: Enters global configuration mode.

Step 2

  Command or Action: ip http accounting commands level named-accounting-method-list

  Example:

  Device(config)# ip http accounting commands 1 oneacct

  Purpose: Configures HTTP command accounting using the named method list.

    • level: Privilege value from 0 to 15. By default, the following command privilege levels are available on the controller:

      • 0: Includes the disable, enable, exit, help, and logout commands.

      • 1: Includes all the user-level commands at the controller prompt (>).

      • 15: Includes all the enable-level commands at the controller prompt (>).

    • named-accounting-method-list: Name of the predefined command accounting method list.

Step 3

  Command or Action: end

  Example:

  Device(config)# end

  Purpose: Returns to privileged EXEC mode.
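
The following Python check is an added example, not Cisco code: it audits a running-config excerpt against the guidelines above, reporting when web UI changes would go unlogged or when an HTTP accounting list has no matching AAA list. The sample configurations and the group name TAC-GRP are constructed, and it assumes single-line commands as shown on this page and that the HTTP and AAA lists must agree on privilege level as well as name.

```python
import re

# Assumption: running-config shows these commands on one line, as on this page.
AAA_RE = re.compile(r"^aaa accounting commands (\d+) (\S+) (.+)$")
HTTP_RE = re.compile(r"^ip http accounting commands (\d+) (\S+)$")

# Constructed running-config excerpts; TAC-GRP is a hypothetical TACACS+ group.
DEFAULT_ONLY = "aaa accounting commands 15 default start-stop group TAC-GRP\n"
NAMED_OK = ("aaa accounting commands 1 oneacct start-stop group TAC-GRP\n"
            "ip http accounting commands 1 oneacct\n")
NAMED_BROKEN = ("aaa accounting commands 15 oneacct start-stop group TAC-GRP\n"
                "ip http accounting commands 1 oneacct\n")


def audit_webui_accounting(config):
    """Return a list of findings; an empty list means the guidelines are met."""
    aaa_lists, http_refs = set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        aaa, http = AAA_RE.match(line), HTTP_RE.match(line)
        # Count only method lists that send records to a server group.
        if aaa and re.search(r"\bgroup \S+", aaa[3]):
            aaa_lists.add((int(aaa[1]), aaa[2]))
        elif http:
            http_refs.append((int(http[1]), http[2]))

    # Guideline: a default list at privilege 15 accounts all commands.
    if (15, "default") in aaa_lists:
        return []
    if not http_refs:
        return ["no level-15 default list and no 'ip http accounting commands' "
                "line: web UI changes are not logged"]
    # Guideline: the HTTP list must name an AAA list that exists.
    # Assumption: the two must agree on privilege level as well as name.
    return [f"ip http accounting commands {lvl} {name}: no matching "
            f"'aaa accounting commands {lvl} {name} ... group <group-name>'"
            for lvl, name in http_refs if (lvl, name) not in aaa_lists]


if __name__ == "__main__":
    for label, cfg in [("default-only", DEFAULT_ONLY), ("named-ok", NAMED_OK),
                       ("named-broken", NAMED_BROKEN), ("empty", "")]:
        print(label, audit_webui_accounting(cfg) or "OK")
```

NAMED_BROKEN shows the failure this check targets: the list name oneacct exists, but at privilege level 15 rather than the level 1 that the HTTP command references.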