Log User Access

Another important type of log relates to user access. Having records of user logins is crucial for trou-
bleshooting and traffic analysis. Cisco IOS supports Authentication, Authorization and Accounting

(AAA). With AAA, it is possible not only to delegate the user validation task to an external server but
also to log activities.
TACACS+ is a protocol designed to allow remote authentication through a centralized server.
Packet Tracer offers basic AAA and TACACS+ support. R2 is also configured as a TACACS+ server. R2
will ask the server if that user is valid by verifying username and password, and grant or deny access
based on the response. The server stores user credentials and is also able to log user login transactions.
Follow the steps below to log in to R2 and display the log entries related to that login:

---

a. Click the Syslog Server to open its window.
b. Select the Desktop tab and select AAA Accounting. Leave this window open.
c. Click R2 > CLI.
d. Press Enter to get a command prompt. R2 will ask for username and password before
granting access to its CLI. Enter the following user credentials: analyst and cyberops as
the username and password, respectively.

e. Return to the Syslog Server’s AAA Accounting Records window.

What information is in the log entry?
The log entry will resemble:
```
DATE= 09:56:31 UTC Apr 05 2017 ,Username= analyst
,Caller Id= ,Flag= Start ,NAS IP= 192.168.12.2 ,NAS Port= con0
```
The entry contains the timestamp when the event occurred, the username and pass-
word used, R2’s IP address (the device used for the login attempt) and a Start flag. The

Start flag indicates that the analyst user logged in at the time shown.

f. On R2, enter the logout command.

What happened in the AAA Accounting window?
A new entry was added , however this time the Stop flag indicates that the user logged
out.