GFI Support Home Start a conversation Sign in
Start a conversation
  1. Exinda
  2. GFI - Exinda Network Orchestrator Articles
  3. Articles

Exinda TACACS+ Authentication Works but No TACACS+ Accounting Records (ExOS 7.5.x)

Contents

Overview

If Exinda TACACS+ authentication/authorization is working but your AAA server shows no TACACS+ accounting/session records, the appliance may explicitly report “No accounting methods configured.” and reject Cisco-like accounting commands with “Unrecognized command” (for example, aaa accounting ...).

In ExOS 7.5.x (confirmed in one environment as ExOS 7.5.7.0077), TACACS+ AAA accounting is not exposed as a configurable feature. When this occurs, Exinda does not generate TACACS accounting start/stop records, which explains why ClearPass can show TACACS events in Access Tracker while Accounting views show no results for the Exinda device.

Solution

When Exinda indicates that accounting is unavailable (for example, show aaa reports “No accounting methods configured.” and aaa accounting ... is unrecognized), treat TACACS+ accounting as unsupported/unavailable in that ExOS build. For compliance and audit needs, rely on:

  • ClearPass Access Tracker for TACACS authentication/session visibility
  • Exinda administrative/audit logs (login/logout, TACACS authentication messages, configuration change notices), forwarded to a centralized syslog/SIEM

Important: If remote syslog is set to a high-severity-only threshold (for example, trap err), NOTICE-level audit events (such as configuration-change messages) will not be forwarded. Adjust the remote syslog severity to at least NOTICE (for example, trap notice).

Symptoms / How to recognize this issue

You have TACACS+ authentication and authorization working for Exinda, but TACACS+ accounting/session records are missing on the AAA server.

  • show aaa displays: “No accounting methods configured.”
  • Attempts to enable TACACS accounting via CLI return: “Unrecognized command” (for commands such as aaa accounting exec ...)

Root cause

In the affected ExOS 7.5.x builds, TACACS+ AAA accounting is not exposed as a configurable feature. When this is the case:

  • Exinda provides TACACS+ authentication/authorization, but
  • Exinda does not generate TACACS accounting start/stop records, so
  • ClearPass (or any TACACS server) will not receive accounting events from Exinda for display in accounting reports.

This is not caused by missing privileges or an AAA-server-side configuration alone. If Exinda cannot be configured for accounting and reports “No accounting methods configured.”, it will not send TACACS accounting records.

Investigation / Troubleshooting workflow

1) Confirm the exact ExOS version

On the Exinda CLI, run:

show version

Version matters because feature availability can vary by build. (In one investigated environment, diagnostics showed ExOS 7.5.7.0077; the initially reported version was 7.5.5, so confirmation via show version was required.)

2) Confirm whether accounting is available on the appliance

Run:

show aaa

If you see:

No accounting methods configured.

...then TACACS accounting is not configured/available in the current build.

Also check whether the CLI exposes any accounting configuration:

conf t
aaa ?

If only authentication/authorization options appear (and no accounting subcommands exist), there is nothing to enable for TACACS accounting in that build.

3) Validate where ClearPass is showing TACACS activity

If you are using ClearPass:

  • Use Monitoring → Live Monitoring → Access Tracker to view TACACS authentication/session details.
  • Do not rely on Monitoring → Live Monitoring → Accounting to prove Exinda TACACS accounting is working when Exinda is not sending TACACS accounting records.

Recommended compliance/audit approach (supported workaround)

Even when TACACS+ accounting is not available, Exinda still logs administrative activity locally. Use these logs as your audit trail and forward them to centralized logging.

A) View administrative activity on Exinda

Web UI

  • Go to: Configuration → System → Logging
  • Filter for common admin/audit-related sources such as:
    • wsmd (Web UI login/logout)
    • mgmtd (configuration change notices such as CONFIGURATION CHANGED BY user ...)
    • PAM-tacplus / tacacs (TACACS authentication messages)

CLI

Use log filtering:

show log matching wsmd
show log matching mgmtd
show log matching PAM-TACPLUS
show log matching tacacs

B) Forward Exinda logs to a syslog/SIEM (recommended for retention)

If a remote syslog destination is configured but only high-severity logs are forwarded (for example, trap err), NOTICE-level audit messages may be missed.

Adjust the remote syslog severity threshold to include NOTICE-level events.

CLI example (placeholders):

en
conf t
logging <syslog_server_ip>
logging <syslog_server_ip> trap notice

Web UI equivalent:

  • Go to: Configuration → System → Logging → Setup
  • Update the Remote Sink severity to at least Notice

Also ensure your syslog/SIEM is listening on the intended protocol/port (commonly UDP/TCP 514) and that network/firewall rules allow syslog traffic.

Validation (how to confirm the mitigation works)

  1. Generate an admin activity event on Exinda:

    • Log in to the Web UI and log out
    • Make a small configuration change (if permitted by your change process)

  2. Confirm events appear locally:

    • Check Exinda logs for wsmd / mgmtd entries using the UI log viewer or show log matching ...

  3. Confirm events arrive at the centralized syslog/SIEM:

    • Search for the Exinda hostname/IP and confirm NOTICE-level messages are present (especially config-change notices that were previously missing when using trap err)

  4. For TACACS authentication/session visibility:

    • Confirm ClearPass Access Tracker continues to show TACACS session/authentication details for Exinda logins.

Frequently Asked Questions

1. What exact Exinda message indicates TACACS+ accounting isn’t enabled/available?

In show aaa, the appliance explicitly reports: “No accounting methods configured.” If aaa accounting ... commands return “Unrecognized command”, the accounting CLI is not available in that build.

2. Is this caused by missing privileges or an admin role limitation?

If config > aaa ? (or conf taaa ?) shows no accounting subcommands and show aaa reports “No accounting methods configured.”, there is no privilege change that will enable TACACS accounting in that firmware build.

3. ClearPass shows TACACS logins in Access Tracker, but “Accounting” shows nothing. Is that expected?

Yes. Access Tracker reflects TACACS authentication/session details. If Exinda is not generating TACACS accounting start/stop records, ClearPass Accounting views will not show accounting entries for the Exinda device.

4. How can administrative actions be audited for compliance if TACACS accounting isn’t available?

Use Exinda’s system/audit logs (login/logout, TACACS authentication messages, and configuration change notices) and forward them to a centralized syslog/SIEM for retention and reporting.

5. Why did my syslog/SIEM not receive the “configuration changed” audit entries?

Those events are commonly logged at NOTICE level. If the remote syslog sink is set to a higher severity only (for example trap err), NOTICE-level audit messages will not be forwarded. Change the remote sink severity to at least notice and re-test.

6. Is TACACS+ accounting available in a later ExOS version?

Public “What’s new / Product Releases” notes through ExOS 7.6.1 did not list TACACS+ accounting as a newly added feature. The most reliable verification after any upgrade is to check on the appliance:

  • show version
  • show aaa (look for an accounting section instead of “No accounting methods configured.”)
  • conf taaa ? (confirm whether accounting subcommands exist)
Choose files or drag and drop files
ai_initiated
atlas_studio
kb_automation
Was this article helpful?
Yes
No

  1. Priyanka Bhotika

  2. Posted

Comments