I am trying to utilize the pam_radius client (1.4.0) on several RHEL 6 servers for authentication and accounting with ssh and sudo, against a Cisco ACS (ver 5.5) The authentication works as expected for both, however i am not seeing what i would expect in the accounting. My first question is, is there a setting that i am missing that enables pam_radius to send the full accounting back to the ACS? I do see the start/stop packets, however i only ever see the "sudo" issued as a NAS identifier, and never anything else. ==== output from /var/log/messages Jul 24 10:04:00 secutil sshd[6148]: Accepted password for test_user from XXX.XXX.XXX.XXX port 53291 ssh2 Jul 24 10:04:00 secutil sshd[6148]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument Jul 24 10:04:24 secutil sudo: pam_radius_auth: Got user name test_user Jul 24 10:04:24 secutil sudo: pam_radius_auth: ignore last_pass, force_prompt set Jul 24 10:04:29 secutil sudo: pam_radius_auth: Sending RADIUS request code 1 Jul 24 10:04:29 secutil sudo: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7f3b816089a0. Jul 24 10:04:29 secutil sudo: pam_radius_auth: Got RADIUS response code 2 Jul 24 10:04:29 secutil sudo: pam_radius_auth: authentication succeeded Jul 24 10:04:29 secutil sudo: test_user : TTY=pts/1 ; PWD=/home/test_user ; USER=root ; COMMAND=/bin/cat /etc/named.conf ==== output from ACS Start Accounting Details : Diagnostics Details ACS Configuration Changes Logged At : Jul 24,17 10:04:29.336 AM ACS Time : Jul 24,17 10:04:29.313 AM ACS Server : scrubbed User Name : root Failure Reason : Identity Store : Identity Group : Network Device Name : Linux_Servers Network Device Group : Device Type:All Device Types, Location:All Locations Service Selection Rule Name : Access Service : Security Group : AD Domain : Authorization Profile: MAC Address : Endpoint IP Address : NAS IP Address : scrubbed NAS Port : 6171 NAS Port Id: NAS Identifier : sudo Account Status Type : Start Account Session Id : 00006171 Account MultiSession Id : Audit Session Id : ACS Session Id : scrubbed/230060300/66963046 Account Authentic : RADIUS Account Terminate Cause : Terminate Action : Account Interim Intervals : Account Delay Time : Account Session Time : Account Input Octets : Account Output Octets : Account Input Packets : Account Output Packets : Account Tunnel Connection : Account Tunnel Packet Lost : Session Timeout : Idle Timeout : Event Timestamp : Service Type : Response Time : 1 Class : Framed Protocol : Tunnel Details : Cisco H323 : Cisco SSG : Cisco-AvPairs : Other Attributes : ACSVersion=acs-5.5.0.46-B.723 ConfigVersionId=200 NAS-Port-Type=Virtual Device IP Address=scrubbed Audit Session Key root:sudo:6171 Steps Received RADIUS Accounting-Request RADIUS created a new session Evaluating Service Selection Policy Matched rule Selected Access Service - Accounting start was received for non-existing session. Returned RADIUS Accounting-Response ==== output from ACS Stop Accounting Details : Diagnostics Details ACS Configuration Changes Logged At : Jul 24,17 10:04:29.336 AM ACS Time : Jul 24,17 10:04:29.320 AM ACS Server : scrubbed User Name : root Failure Reason : Identity Store : Identity Group : Network Device Name : Linux_Servers Network Device Group : Device Type:All Device Types, Location:All Locations Service Selection Rule Name : Access Service : Security Group : AD Domain : Authorization Profile: MAC Address : Endpoint IP Address : NAS IP Address : scrubbed NAS Port : 6171 NAS Port Id: NAS Identifier : sudo Account Status Type : Stop Account Session Id : 00006171 Account MultiSession Id : Audit Session Id : ACS Session Id : scrubbed/230060300/66963047 Account Authentic : RADIUS Account Terminate Cause : Terminate Action : Account Interim Intervals : Account Delay Time : Account Session Time : 0 Account Input Octets : Account Output Octets : Account Input Packets : Account Output Packets : Account Tunnel Connection : Account Tunnel Packet Lost : Session Timeout : Idle Timeout : Event Timestamp : Service Type : Response Time : 1 Class : Framed Protocol : Tunnel Details : Cisco H323 : Cisco SSG : Cisco-AvPairs : Other Attributes : ACSVersion=acs-5.5.0.46-B.723 ConfigVersionId=200 NAS-Port-Type=Virtual Device IP Address=scrubbed Audit Session Key root:sudo:6171 Received RADIUS Accounting-Request RADIUS created a new session Evaluating Service Selection Policy Matched rule Selected Access Service - Audit session was not found. Returned RADIUS Accounting-Response ==== /etc/pam.d/sshd auth sufficient pam_radius_auth.so debug account sufficient pam_radius_auth.so debug session sufficient pam_radius_auth.so debug #auth include tacacs auth required pam_sepermit.so auth include password-auth #account include tacacs account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule #session include tacacs session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth ==== /etc/pam.d/sudo auth sufficient pam_radius_auth.so debug account sufficient pam_radius_auth.so debug session sufficient pam_radius_auth.so debug auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke session required pam_limits.so /etc/raddb/server (scrubbed) XXX.XXX.XXX.XXX test 3 Am i just incorrect in my assumptions on what i think i should be seeing with the accounting? I know with other devices, I can see the full accounting commands issued, but i do not know if that is a limitation with Linux and pam_radius, or if i have something set incorrectly. Thanks in advance, GR