F5 LTM – How to enable TACACS+ Accounting

TACACS+ accounting was first supported in BIG-IP version 10.2.0. In this article we will show you the commands required to enable this feature.

Configure

First of all, you will need to enable accounting within your authentication settings (this can be found in the GUI under ‘System / Users / Authentication’).

modify sys db config.auditing.forward.destination value 162.13.46.12
modify sys db config.auditing.forward.sharedsecret value abc123
modify sys db config.auditing.forward.type value tacacs+
modify sys db config.auditing value info  <-- logs cli changes
modify sys db log.mcpd.level value info   <-- logs gui changes
save /sys config

Output

Below is a sample of the accounting output (taken from the TACACS+ server).

root@ubuntu-13:~# tail -f /var/log/tac_plus.acct
Jul 26 15:47:01 86.147.23.10   user1   unknown unknown update  service=system  protocol=ip     task_id=41      start_time=1374853572   event=cmd_acct  rea 0 - obj_delete { monitor { monitor_name "MON-HTTP-SALT" monitor_owner 1 } } [Status=Command OK]
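To review or alert on these records, the accounting line shown above can be split into its fixed columns, its attribute=value pairs and the BIG-IP audit text. The parser below is an added example, not part of the original article or of F5's or tac_plus's own tooling; the column names (nas, port, rem_addr, record) and the function name are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timezone

# Fixed leading columns of the accounting record, then attribute pairs.
HEADER = re.compile(
    r'^(?P<logged>\w{3}\s+\d+\s+[\d:]+)\s+(?P<nas>\S+)\s+(?P<user>\S+)\s+'
    r'(?P<port>\S+)\s+(?P<rem_addr>\S+)\s+(?P<record>\S+)\s+(?P<rest>.*)$')
ATTR = re.compile(r'(\w+)=(\S+)\s*')

def parse_acct_line(line):
    """Return a dict for one accounting record, or None if it does not parse."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest, pos, attrs = rec.pop('rest'), 0, {}
    # Consume only the leading key=value pairs; the audit text that follows
    # also contains '=' (in [Status=...]) and must stay intact.
    while (a := ATTR.match(rest, pos)):
        attrs[a.group(1)] = a.group(2)
        pos = a.end()
    message = rest[pos:]
    op = re.search(r'(\w+)\s*\{', message)            # word before the first '{'
    status = re.search(r'\[Status=([^\]]+)\]\s*$', message)
    rec.update(
        attrs=attrs,
        message=message,
        operation=op.group(1) if op else None,
        objects=re.findall(r'"([^"]*)"', message),    # quoted object names
        status=status.group(1) if status else None,
    )
    if attrs.get('start_time', '').isdigit():          # epoch seconds -> UTC
        rec['start_utc'] = datetime.fromtimestamp(
            int(attrs['start_time']), tz=timezone.utc).isoformat()
    return rec

# The record shown above, rejoined onto one line, plus one constructed junk line.
SAMPLE = [
    'Jul 26 15:47:01 86.147.23.10   user1   unknown unknown update  '
    'service=system  protocol=ip     task_id=41      start_time=1374853572   '
    'event=cmd_acct  rea 0 - obj_delete { monitor { monitor_name '
    '"MON-HTTP-SALT" monitor_owner 1 } } [Status=Command OK]',
    'not an accounting record',
]

if __name__ == '__main__':
    for rec in filter(None, map(parse_acct_line, SAMPLE)):
        print(rec['logged'], rec['user'], rec['operation'], rec['objects'],
              rec['status'], rec.get('start_utc'))
```

Lines that do not match the expected column layout return None, so they can be counted or set aside rather than silently mixed into the audit trail.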

Reference

Below are the references used to build the configuration within this article.

v.10 – Remote Authorization via TACACS+
Configuring remote RADIUS or TACACS+ accounting

 

Rick Donato
