Web UI Configuration Command Accounting in TACACS Server

Web UI configuration command accounting in TACACS+ server

A Web UI configuration command audit is a security feature that

  • records configuration changes executed through the controller's GUI,

  • logs audit information to a TACACS+ server for centralized tracking, and

  • includes details such as the executed command, the user responsible, and session parameters.

The Cisco Catalyst 9800 series wireless controller configuration is stored in databases.

Feature history for Web UI configuration command accounting in TACACS+ server

This table provides release and related information for the feature explained in this module.

This feature is also available in all releases subsequent to the one in which it is introduced, unless noted otherwise.

Table 1. Feature history for Web UI configuration command accounting in TACACS+ server

Release: Cisco IOS XE Cupertino 17.9.1

Feature: Logging Web UI-Based Configuration Changes in TACACS+ Server

Feature Information: This feature logs all configuration changes made in controller web UI. Support for logging configurations done in IOS console in TACACS+ server is already available.

Guidelines for Web UI configuration command accounting in TACACS+ server

  • By default, configuration commands are not logged to the TACACS+ server unless command accounting is configured.

  • All commands are accounted for only when AAA default command accounting is configured for privilege level 15.

  • If AAA default command accounting is not configured, and you want commands to be logged to the TACACS+ server, use these methods:

    1. The HTTP named method list command accounting.

    2. The AAA named method list (same as the one configured in Step 1) command accounting.

Configure AAA accounting using default method list (CLI)

Use this task to monitor and record user command activity on devices through AAA accounting features.
Configure AAA accounting to track user commands executed on a controller, leveraging the default accounting method. This supports compliance and security needs.

Before you begin

  • Confirm that AAA is enabled on the device.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Create an accounting method list and enable accounting.

Example:

Device(config)# aaa accounting commands 15 default start-stop group group-name

  • privilege_level : AAA accounting level. The valid range is from zero to 15.

  • group-name: AAA accounting group that supports only TACACS+ group.

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end

The controller records user command activities according to the configured accounting method.

Configure HTTP command accounting using named method list (CLI)

Set up command accounting to track user actions performed over HTTP on network devices, using a specified AAA method list.
HTTP command accounting provides auditing and compliance by recording commands executed by users. Using a named method list offers flexibility for different accounting requirements.

Before you begin

  • Ensure AAA accounting is enabled on your device.

  • Have a predefined AAA accounting method list (if not, configure one).

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure HTTP command accounting using the named method list.

Example:

Device(config)# ip http accounting commands 1 oneacct

  • level: The privilege value ranges from zero to 15. By default, the command privilege levels available on the controller are:

    • 0 : Includes the disable, enable, exit, help, and logout commands.

    • 1 : Includes all the user-level commands at the controller prompt (>).

    • 15 : Includes all the enable-level commands at the controller prompt (>).

  • named-accounting-method-list : Name of the predefined command accounting method list.

Step 3

Return to privileged EXEC mode.

Example:

Device(config)# end

The device records user command activities in accordance with the configured accounting method.
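
The guidelines and the two procedures above can be checked against a saved configuration with a short script. This is an added example, not Cisco code: it assumes the configuration is plain text containing the command lines in the form shown on this page, treats an HTTP list as matched only when an AAA list with the same name and privilege level exists (an assumption of this example), and uses constructed names (TAC-GRP, webacct).

```python
import re

# Line prefixes of the two commands documented on this page.
AAA_RE = re.compile(r"^[ \t]*aaa accounting commands (\d+) (\S+)", re.M)
HTTP_RE = re.compile(r"^[ \t]*ip http accounting commands (\d+) (\S+)", re.M)


def audit_webui_accounting(config):
    """Classify a config as 'default', 'named' or 'not-logged', with notes."""
    aaa = {(int(lvl), name) for lvl, name in AAA_RE.findall(config)}
    http = {(int(lvl), name) for lvl, name in HTTP_RE.findall(config)}

    # Default method list configured for privilege level 15.
    if (15, "default") in aaa:
        return "default", ["aaa default command accounting at level 15"]

    # Otherwise: an HTTP named list plus an AAA list of the same name.
    notes, matched = [], False
    for lvl, name in sorted(http):
        if (lvl, name) in aaa:
            matched = True
            notes.append(f"level {lvl}: HTTP list '{name}' has a matching AAA list")
        elif any(n == name for _, n in aaa):
            notes.append(f"level {lvl}: AAA list '{name}' exists only at another level")
        else:
            notes.append(f"level {lvl}: HTTP list '{name}' has no AAA list")
    if not http:
        notes.append("no default level-15 list and no HTTP named list")
    return ("named" if matched else "not-logged"), notes


# Constructed sample configurations (group and list names are made up).
DEFAULT_CFG = "aaa new-model\naaa accounting commands 15 default start-stop group TAC-GRP\n"
NAMED_CFG = (
    "aaa accounting commands 15 webacct start-stop group TAC-GRP\n"
    "ip http accounting commands 15 webacct\n"
)
MISMATCH_CFG = (
    "aaa accounting commands 15 webacct start-stop group TAC-GRP\n"
    "ip http accounting commands 15 oneacct\n"
)

if __name__ == "__main__":
    for label, cfg in [("default", DEFAULT_CFG), ("named", NAMED_CFG),
                       ("mismatch", MISMATCH_CFG), ("empty", "hostname wlc\n")]:
        print(label, audit_webui_accounting(cfg))
```

A result of 'not-logged' means that, by the guidelines above, Web UI configuration changes from that controller would not reach the TACACS+ server.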