Cisco Tacacs+ command accounting to Mysql Db

August 3, 2012

Following this post what was left was my discomfort that cisco didn’t provide a way to log the commands send to the switch using radius accounting, but one had to use only tacacs+. As I have written there:

In the accounting section Cisco unfortunately (READ: WHY DEAR GOD, WHY??) doesn’t support sending each command a user types to RADIUS, but only for TACACS+, so the accounting part is at least handicapped.

So I was looking for a solution to the Internet. I didn’t find anything that could just fit it so I try to code my own version.

The first good thing is that tacacs+ was an open standard, so I didn;t have to figure out the protocol. I was thinking of implementing a small program that was providing only the needed functionality but thankfully there are opensource tacacs+ implementations (the most updated seemed this) where I can base my work. So I grabbed the latest version and I started modifying it. The result can be find in this diff.

A few words about installing and using it. In order to compile the MySQL support you need to add the –with-mysql flag during to configure script. After the compile finishes successfully, the next change needed is in the configuration file. In order to support the logging to mysql you need to add the line:

accounting acctdb = mysql://username:password@Host/Database/Table


If the password contains a @ you can close the password into single quotes so that the parsing still works. The corresponding line becomes like this:

accounting acctdb = mysql://username:'p@ssword'@Host/Database/Table


The way it is implemented right now, the database schema used is almost the same as the previous post, with a small addition to accommodate the command logging. The one used is this:

CREATE TABLE `Accounting` (
  `Id` bigint(21) NOT NULL auto_increment,
  `UniqueSessionId` varchar(50) NOT NULL default '',
  `AcctSessionId` varchar(50) NOT NULL default '',
  `UserName` varchar(100) NOT NULL default '',
  `CallingStationId` varchar(100) NOT NULL default '',
  `NASIPAddress` varchar(16) NOT NULL default '',
  `NASPort` int(10) unsigned NOT NULL default '0',
  `NASPortId` varchar(16) NOT NULL default '',
  `NASPortType` varchar(50) NOT NULL default '',
  `TimestampAccessStart` datetime default NULL,
  `TimestampAccessStop` datetime default NULL,
  `AcctSessionTime` int(10) unsigned NOT NULL default '0',
  `AcctTerminateCause` varchar(100) NOT NULL default '',
  `Command` text,
  PRIMARY KEY  (`Id`),
  KEY `UniqueSessionId` (`UniqueSessionId`,`AcctSessionId`,`UserName`),
  KEY `UserName` (`UserName`,`TimestampAccessStart`),
  KEY `NAS` (`NASIPAddress`,`NASPort`,`TimestampAccessStart`),
  KEY `CallingStationId` (`CallingStationId`,`TimestampAccessStart`)
) ENGINE=MyISAM DEFAULT CHARSET=greek

And finally the needed lines for the cisco configuration

aaa accounting commands 15 default start-stop group tacacs+

tacacs server test-tacacs
 address ipv4 xxx.xxx.xxx.xxx
 key secret
 port yyyy

The biggest part of the patch is for the autoconf configuration, and if there are any problems please excuse my poor autotools knowledge. (I was struggling with them for first time). The patch will be sent upstream, and hopefully it will be included in future tacacs+ releases. For any problem/issues/suggestions you can drop a comment.