fir3net

F5 LTM - How to enable TACACS+ Accounting

TACACS+ accounting was first supported in BIG-IP version 10.2.0. In this article we show the commands required to enable this feature.

Configure

First, enable accounting within your authentication settings (in the GUI this is found under 'System / Users / Authentication'), then run the following commands:

modify sys db config.auditing.forward.destination value 162.13.46.12
modify sys db config.auditing.forward.sharedsecret value abc123
modify sys db config.auditing.forward.type value tacacs+
modify sys db config.auditing value info  <-- logs CLI changes
modify sys db log.mcpd.level value info   <-- logs GUI changes
save /sys config

Output

Below is a sample of the accounting output (taken from the TACACS+ server).

root@ubuntu-13:~# tail -f /var/log/tac_plus.acct
Jul 26 15:47:01 86.147.23.10   user1   unknown unknown update  service=system  protocol=ip     task_id=41      start_time=1374853572   event=cmd_acct  rea 0 - obj_delete { monitor { monitor_name "MON-HTTP-SALT" monitor_owner 1 } } [Status=Command OK]
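The record above carries the who, where and what of every configuration change, which is only useful if something actually reads it. The following is an added example (not part of the original article or the tac_plus project) that parses lines in the tac_plus.acct layout shown and flags deletions or modifications of watched object classes; the log lines, the WATCH_CLASSES set and the auth_user/pool object names are constructed for illustration.

```python
import re

# Constructed tac_plus.acct lines in the layout shown above: the first mirrors the
# article's record, the other two are invented to exercise the review filter.
SAMPLE_LOG = """\
Jul 26 15:47:01 86.147.23.10   user1   unknown unknown update  service=system  protocol=ip     task_id=41      start_time=1374853572   event=cmd_acct  rea 0 - obj_delete { monitor { monitor_name "MON-HTTP-SALT" monitor_owner 1 } } [Status=Command OK]
Jul 26 15:52:10 86.147.23.10   admin   unknown unknown update  service=system  protocol=ip     task_id=42      start_time=1374853930   event=cmd_acct  rea 0 - obj_modify { auth_user { name "user1" role 0 } } [Status=Command OK]
Jul 26 15:55:44 86.147.23.10   user1   unknown unknown update  service=system  protocol=ip     task_id=43      start_time=1374854144   event=cmd_acct  rea 0 - obj_create { pool { pool_name "POOL-WEB" } } [Status=Command OK]
"""
# tac_plus layout: timestamp, NAS address, user, port, remote address, record
# type (start/stop/update), then AV pairs and the BIG-IP audit payload.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) +(?P<nas>\S+) +(?P<user>\S+) +"
    r"(?P<port>\S+) +(?P<rem>\S+) +(?P<rtype>\S+) +(?P<rest>.*)$"
)
# Operation, object class and attributes (greedy so nested braces stay inside), then status.
OP_RE = re.compile(r"(obj_\w+) \{ (\w+) \{ (.*) \} \}")
STATUS_RE = re.compile(r"\[Status=([^\]]+)\]\s*$")

def parse_record(line: str):
    """Return the fields of one accounting record as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    # key=value pairs (service, protocol, task_id, ...); the "[Status=..." token is parsed below.
    for tok in rest.split():
        if "=" in tok and not tok.startswith("["):
            key, value = tok.split("=", 1)
            rec[key] = value
    op = OP_RE.search(rest)
    if op:
        rec["op"], rec["obj_class"], rec["obj_attrs"] = op.groups()
    status = STATUS_RE.search(rest)
    rec["status"] = status.group(1) if status else ""
    return rec

# Object classes whose deletion or modification warrants review (constructed list).
WATCH_CLASSES = {"auth_user", "monitor"}

def review_changes(log_text: str) -> list:
    """One summary line per record that deletes or modifies a watched object class."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("op") in {"obj_delete", "obj_modify"} and rec.get("obj_class") in WATCH_CLASSES:
            flagged.append(f"{rec['ts']} {rec['user']}@{rec['nas']} {rec['op']} {rec['obj_class']} task_id={rec.get('task_id', '?')} [{rec['status']}]")
    return flagged
```

Running `review_changes(SAMPLE_LOG)` flags the monitor deletion and the user modification but not the pool creation.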

Reference

Below are the references used to build the configuration within this article.

v.10 - Remote Authorization via TACACS+
Configuring remote RADIUS or TACACS+ accounting
Logging BIG-IP System Events


Tags: BIG-IP F5, TACACS

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001