We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 643 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

454 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Forum Replies

  1. Hello Laz,
    Would you please explain the functionalities of the below commands at your convenient time? Thank you so much in advance.

    aaa accounting exec default start-stop group tacacs+ 
    aaa accounting commands 1 default stop-only group tacacs+ 
    aaa accounting commands 15 default stop-only group tacacs+
    aaa accounting connection default start-stop group tacacs+ 
    aaa accounting system default start-stop group tacacs+ 

    Best Regards,

  2. Hello Azm

    Let’s say I have a router on site and I want to keep track of all of the command line activity. Specifically, I want to monitor all of the commands that are entered in the executive mode command line and the processes they invoke. Since I have a TACACS+ server on site, I decide to use that as my accounting server. (I can use RADIUS as well). Lets say I have two TACACS+ servers at and

    The first thing I would do is create an AAA group called my_server_group using the following commands:

    aaa group server tacacs+ my_server_gro
    ... Continue reading in our forum

  3. Hello Azm

    Yes, that is essentially correct. The first one uses the mode as the criterion for recording the commands while the other two use the criterion of the privilege level of specific commands for recording.

    Note also that the first command records both the beginning and the end of the process that is initiated by the commands (start-stop) while the other two record only the termination of the process (stop-only).

    I hope this has been helpful!


  4. Hi Justin,

    RADIUS encrypts the password in access request packets but that’s it. Other stuff like the username is left unencrypted.

    TACACS+ does encrypt the entire packet (but not the header).


22 more replies! Ask a question or join the discussion by visiting our Community Forum