Configuring Accounting

17 Mar

The accounting portion of the AAA security architecture enables you to track the services users are accessing as well as the amount of network resources they are consuming. When accounting is enabled, the network access server reports user activity to the TACACS+ or RADIUS security server. The accounting service reports to the security server using accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This combined data can be analyzed for network management, client billing, and auditing purposes.

Just as authentication and authorization support method lists, accounting uses method lists to define the ways that accounting will be performed and the order in which the methods will be used. Method lists enable you to designate one or more security protocols to be used for accounting, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to account for the network services a client accesses; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed accounting method or until all methods defined are exhausted.

Use the aaa accounting global configuration command to define the parameters that record what services clients have accessed. To configure accounting, perform the following steps:

1. Enable AAA by using the aaa new-model global configuration command and configuring any security protocol parameters, such as the key value. This step and the steps used to configure the key value were outlined in the sections on configuring TACACS+ and RADIUS.

2. Configure AAA authentication and authorization as described in the “Configuring Authentication” and “Configuring Authorization” sections. Accounting generally takes place during and after authentication and authorization.

3. Use the following command to enable the accounting process:

aaa accounting {system | network | exec | connection | commands level}
    {default | list-name} {start-stop | stop-only | wait-start | none}
    method1 [method2 ...]

The level argument (0 to 15) is present only with the commands keyword and names the privilege level whose commands are accounted. Each method is group tacacs+ or group radius (older releases also accept the bare keywords tacacs+ and radius); the methods are tried in the order listed.

The command parameters listed in Step 3 are described in Table 2.2.

Table 2.2: Accounting command parameters.
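The parameter positions in the Step 3 syntax are easy to misread in a running configuration, so the following added example (written for this page; it is not from the book or from Cisco) parses aaa accounting lines by that syntax into their components and then audits them. The input is the four accounting lines of Listing 2.10, copied here as a constructed string. The audit rules (command accounting is per privilege level, stop-only lists send no start record, a single-method list has no fallback) are this editor's choices, not anything Table 2.2 prescribes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the four 'aaa accounting' lines from Listing 2.10, as they
# would appear in 'show running-config'.
LISTING_2_10_ACCOUNTING = """\
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default wait-start group tacacs+
aaa accounting network default stop-only group tacacs+
"""

ACCT_TYPES = ("system", "network", "exec", "connection", "commands")
RECORD_MODES = ("start-stop", "stop-only", "wait-start", "none")


@dataclass
class AcctMethodList:
    acct_type: str
    level: Optional[int]       # privilege level, present only for 'commands'
    list_name: str             # 'default' or a named list applied per line/interface
    mode: str                  # start-stop | stop-only | wait-start | none
    methods: Tuple[str, ...]   # ordered fallback chain, e.g. ('group tacacs+', 'group radius')


def parse_aaa_accounting(line: str) -> AcctMethodList:
    """Parse one 'aaa accounting ...' line according to the syntax given in Step 3."""
    tok = line.split()
    if tok[:2] != ["aaa", "accounting"]:
        raise ValueError(f"not an aaa accounting line: {line!r}")
    i = 2
    acct_type = tok[i]
    i += 1
    if acct_type not in ACCT_TYPES:
        raise ValueError(f"unknown accounting type {acct_type!r}")
    level = None
    if acct_type == "commands":            # only 'commands' carries a privilege level
        level = int(tok[i])
        i += 1
        if not 0 <= level <= 15:
            raise ValueError(f"privilege level out of range: {level}")
    list_name, mode = tok[i], tok[i + 1]
    i += 2
    if mode not in RECORD_MODES:
        raise ValueError(f"unknown record mode {mode!r}")
    methods: List[str] = []
    rest = tok[i:]
    j = 0
    while j < len(rest):
        if rest[j] == "group":             # 'group tacacs+', 'group radius', 'group <server-group>'
            if j + 1 >= len(rest):
                raise ValueError("'group' needs a server-group name")
            methods.append(f"group {rest[j + 1]}")
            j += 2
        else:                              # bare 'tacacs+' / 'radius' keywords of older IOS releases
            methods.append(rest[j])
            j += 1
    if mode != "none" and not methods:
        raise ValueError("a record mode other than 'none' needs at least one method")
    return AcctMethodList(acct_type, level, list_name, mode, tuple(methods))


def audit_accounting(config_text: str):
    """Parse every 'aaa accounting' line and return (lists, findings a reviewer would raise)."""
    lists = [parse_aaa_accounting(ln.strip())
             for ln in config_text.splitlines() if ln.strip().startswith("aaa accounting ")]
    findings = []
    configured = {m.acct_type for m in lists}
    for t in ACCT_TYPES:
        if t not in configured:
            findings.append(f"no '{t}' accounting configured")
    # Command accounting is per privilege level: 'commands 15' alone records nothing
    # typed at level 1, i.e. before the user runs 'enable'.
    cmd_levels = {m.level for m in lists if m.acct_type == "commands"}
    for lvl in (1, 15):
        if lvl not in cmd_levels:
            findings.append(f"commands at privilege level {lvl} are not accounted")
    for m in lists:
        if m.mode == "none":
            findings.append(f"{m.acct_type} list '{m.list_name}' sends no records (mode none)")
        if m.acct_type in ("exec", "network") and m.mode == "stop-only":
            findings.append(f"{m.acct_type} list '{m.list_name}' is stop-only: no start record, "
                            "so a session in progress is invisible to the server until it ends")
        if m.mode != "none" and len(m.methods) == 1:
            findings.append(f"{m.acct_type} list '{m.list_name}' has a single method "
                            f"{m.methods[0]!r}: nothing is tried if it fails to respond")
    return lists, findings


if __name__ == "__main__":
    lists, findings = audit_accounting(LISTING_2_10_ACCOUNTING)
    for m in lists:
        print(m)
    for f in findings:
        print("finding:", f)
```

Run against Listing 2.10 the audit reports that connection accounting is absent, that commands at privilege level 1 are not accounted, that the network list is stop-only, and that each of the four lists has only one method.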

Continuing with the example in Figure 2.10, the network access server should be configured to account for all activity that takes place on the access server. This requirement can be met using the configuration in Listing 2.10.

Listing 2.10: Accounting configuration.

!
! aaa new-model and the authentication/authorization lists from the earlier
! sections are assumed to be present. All four accounting lists below are the
! default list and deliver their records to TACACS+.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default wait-start group tacacs+
aaa accounting network default stop-only group tacacs+
!
username admin password admin
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
!
interface Serial0:23
 no ip address
 encapsulation ppp
!
interface Group-Async1
 ip unnumbered Ethernet0
 encapsulation ppp
 ip tcp header-compression passive
 async mode interactive
 peer default ip address pool IP
 ppp callback accept
 ppp authentication chap
 group-range 1 16
!
ip local pool IP 192.168.10.239 192.168.10.254
!
! Accounting server address, shared key and timeout; the key must match the
! one configured on the TACACS+ server.
tacacs-server host 192.168.10.4 single-connection timeout 10 key 1Cisco9
!
line con 0
 login authentication ADMIN
line 1 16
 modem InOut
 autoselect during-login
 autoselect ppp

The configuration in Listing 2.10 sets up accounting on the network access server. Each accounting type (exec, commands at privilege level 15, system, and network) is bound to the default method list, so the configured method applies to every interface and line, and every list uses TACACS+ to deliver its records. Note that command accounting is configured per privilege level: with only commands 15 configured, nothing James types at privilege level 1 (before he runs enable) produces a record. Note also that username admin password admin stores the local password in a reversible form; username admin secret is the preferred form. After James dials into the network and begins his troubleshooting efforts, the accounting process on the network access server starts. The details of the accounting process, captured with debug aaa accounting, can be seen in Listing 2.11.

Listing 2.11: Accounting process.

Seminole#debug aaa account
AAA Accounting debugging is on
Seminole#
: AAA/ACCT/ACCT_DISC: Found list "default"
: tty2 AAA/DISC: 1/"User Request"
: AAA/ACCT/EXEC/STOP User James, Port tty2: task_id=273 start_time=1004308320 timezone=CST service=shell disc-cause=1 disc-cause-ext=1020 elapsed_time=40 nas-rx-speed=0 nas-tx-speed=0
!
: AAA/ACCT: user James, acct type 0 (3132070800): Method=tacacs+ (tacacs+)
: TAC+: (3132070800): received acct response status = SUCCESS
: AAA/MEMORY: free_user (0x62527B28) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
: AAA: parse name=tty2 idb type=-1 tty=-1
: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
: AAA/MEMORY: create_user (0x625249DC) user='' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
!
: AAA/ACCT/EXEC/START User James, port tty2
: AAA/ACCT/EXEC: Found list "default"
: AAA/ACCT/EXEC/START User James, Port tty2, task_id=276 start_time=1004308382 timezone=CST service=shell
!
: AAA/ACCT: user James, acct type 0 (2103966373): Method=tacacs+ (tacacs+)
: TAC+: (2103966373): received acct response status = SUCCESS
: AAA/MEMORY: free_user (0x62527B28) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=ENABLE priv=15
!
: AAA/ACCT/CMD: User James, Port tty2, Priv 15: "show run-config"
: AAA/ACCT/CMD: Found list "default"
: AAA/ACCT: user James, acct type 3 (3950182121): Method=tacacs+
: TAC+: (3950182121): received acct response status = SUCCESS
: AAA/ACCT/ACCT_DISC: Found list "default"
: tty2 AAA/DISC: 1/"User Request"
: AAA/ACCT/EXEC/STOP User James, Port tty2: task_id=276 start_time=1004308382 timezone=CST service=shell disc-cause=1 disc-cause-ext=1020 elapsed_time=29
!
: AAA/ACCT: user James, acct type 0 (1600314757): Method=tacacs+ (tacacs+)
: TAC+: (1600314757): received acct response status = SUCCESS
: AAA/MEMORY: free_user (0x625249DC) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
: AAA/ACCT/CMD: User James, Port tty1, Priv 15: "sh ip route"
: AAA/ACCT/CMD: Found list "default"
: AAA/ACCT: user James, acct type 3 (668218192): Method=tacacs+
: TAC+: (668218192): received acct response status = SUCCESS

Notice that the access server first determines that method list "default" provides accounting for user James, and then that the tacacs+ method is to be used to deliver the records. Each record is followed by the TAC+ response line, which shows whether the server accepted it. The key lines are the command records:

: AAA/ACCT/CMD: User James, Port tty2, Priv 15: "show run-config"
: AAA/ACCT/CMD: User James, Port tty1, Priv 15: "sh ip route"

The access server generates a record for every command James enters at the accounted privilege level during his session. This is what gives the AAA architecture its audit trail: each command is tied to an authenticated user, a port, and a time. The record is only as trustworthy as the access server that produces it and the server that stores it, so it provides accountability rather than cryptographic nonrepudiation.
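To use debug output like Listing 2.11 as an audit trail rather than reading it by eye, the following added example (written for this page; it is not part of the book or of Cisco's tooling) parses the debug aaa accounting record lines into structured records, pairs EXEC start and stop records by task_id, attributes each accounted command to the EXEC session open on its port, and flags records that the TACACS+ server did not acknowledge with SUCCESS. The sample lines are constructed from Listing 2.11 with the wrap marks removed, and the final server reply is changed to FAIL to exercise that path. The line formats assumed are only those visible in the listing.

```python
import re

# Constructed sample, modelled on the 'debug aaa accounting' output in Listing 2.11
# with the book's line-wrap marks removed. The final TAC+ reply is changed to FAIL
# so the undelivered-record path is exercised.
SAMPLE_DEBUG = """\
: AAA/ACCT/ACCT_DISC: Found list "default"
: tty2 AAA/DISC: 1/"User Request"
: AAA/ACCT/EXEC/STOP User James, Port tty2: task_id=273 start_time=1004308320 timezone=CST service=shell disc-cause=1 disc-cause-ext=1020 elapsed_time=40 nas-rx-speed=0 nas-tx-speed=0
: AAA/ACCT: user James, acct type 0 (3132070800): Method=tacacs+ (tacacs+)
: TAC+: (3132070800): received acct response status = SUCCESS
: AAA/ACCT/EXEC: Found list "default"
: AAA/ACCT/EXEC/START User James, Port tty2, task_id=276 start_time=1004308382 timezone=CST service=shell
: AAA/ACCT: user James, acct type 0 (2103966373): Method=tacacs+ (tacacs+)
: TAC+: (2103966373): received acct response status = SUCCESS
: AAA/ACCT/CMD: User James, Port tty2, Priv 15: "show run-config"
: AAA/ACCT/CMD: Found list "default"
: AAA/ACCT: user James, acct type 3 (3950182121): Method=tacacs+
: TAC+: (3950182121): received acct response status = SUCCESS
: AAA/ACCT/EXEC/STOP User James, Port tty2: task_id=276 start_time=1004308382 timezone=CST service=shell disc-cause=1 disc-cause-ext=1020 elapsed_time=29
: AAA/ACCT: user James, acct type 0 (1600314757): Method=tacacs+ (tacacs+)
: TAC+: (1600314757): received acct response status = SUCCESS
: AAA/ACCT/CMD: User James, Port tty1, Priv 15: "sh ip route"
: AAA/ACCT/CMD: Found list "default"
: AAA/ACCT: user James, acct type 3 (668218192): Method=tacacs+
: TAC+: (668218192): received acct response status = FAIL
"""

START_RE = re.compile(r'AAA/ACCT/EXEC/START User (\S+), [Pp]ort (\S+?)(?:[,:]\s*(.*))?$')
STOP_RE = re.compile(r'AAA/ACCT/EXEC/STOP User (\S+), [Pp]ort (\S+?)(?:[,:]\s*(.*))?$')
CMD_RE = re.compile(r'AAA/ACCT/CMD: User (\S+), Port (\S+), Priv (\d+):\s*"(.*)"')
ACCT_RE = re.compile(r'AAA/ACCT: user (\S+), acct type (\d+) \((\d+)\): Method=(\S+)')
RESP_RE = re.compile(r'TAC\+: \((\d+)\): received acct response status = (\S+)')
AV_RE = re.compile(r'(\S+?)=(\S*)')


def parse_av(text):
    """'task_id=276 start_time=1004308382' -> {'task_id': '276', 'start_time': '1004308382'}"""
    return dict(AV_RE.findall(text or ""))


def parse_debug(text):
    """Turn debug lines into accounting records, each tagged with the server's verdict."""
    records = []
    pending = {}   # TACACS+ transaction id -> record still waiting for its reply
    for line in text.splitlines():
        if m := START_RE.search(line):
            records.append({"kind": "START", "user": m[1], "port": m[2], "av": parse_av(m[3]), "status": None})
        elif m := STOP_RE.search(line):
            records.append({"kind": "STOP", "user": m[1], "port": m[2], "av": parse_av(m[3]), "status": None})
        elif m := CMD_RE.search(line):
            records.append({"kind": "CMD", "user": m[1], "port": m[2], "priv": int(m[3]),
                            "command": m[4], "av": {}, "status": None})
        elif m := ACCT_RE.search(line):
            # This line names the method and transaction id for the record just emitted;
            # the TAC+ reply that follows carries the same id.
            if records and "txn" not in records[-1]:
                records[-1]["txn"], records[-1]["method"] = m[3], m[4]
                pending[m[3]] = records[-1]
        elif m := RESP_RE.search(line):
            rec = pending.pop(m[1], None)
            if rec is not None:
                rec["status"] = m[2]
    return records


def _new_session(rec):
    return {"user": rec["user"], "port": rec["port"], "start": rec["av"].get("start_time"),
            "stop_seen": False, "elapsed": None, "commands": []}


def session_report(records):
    """Pair START/STOP by task_id, attach commands to the open EXEC session on the same port,
    and list records the server never acknowledged with SUCCESS."""
    sessions = {}      # task_id -> summary; key None collects commands with no open session on their port
    open_by_port = {}  # port -> task_id of the EXEC session currently running there
    undelivered = []
    for r in records:
        if r["status"] != "SUCCESS":
            undelivered.append(r)
        if r["kind"] == "START":
            tid = r["av"].get("task_id")
            sessions[tid] = _new_session(r)
            open_by_port[r["port"]] = tid
        elif r["kind"] == "STOP":
            tid = r["av"].get("task_id")
            s = sessions.setdefault(tid, _new_session(r))   # STOP without START: session began before debug
            s["stop_seen"] = True
            s["elapsed"] = int(r["av"]["elapsed_time"]) if "elapsed_time" in r["av"] else None
            if open_by_port.get(r["port"]) == tid:
                del open_by_port[r["port"]]
        elif r["kind"] == "CMD":
            tid = open_by_port.get(r["port"])
            s = sessions.setdefault(tid, _new_session(r))
            s["commands"].append((r["priv"], r["command"]))
    return sessions, undelivered


if __name__ == "__main__":
    sessions, undelivered = session_report(parse_debug(SAMPLE_DEBUG))
    for tid, s in sessions.items():
        print(tid, s)
    for r in undelivered:
        print("not acknowledged:", r)
```

On the sample the report shows session 273 as a stop with no matching start (it began before debugging was enabled), session 276 with its one command and a 29-second duration, the sh ip route command on tty1 landing under task_id None because no EXEC start was seen on that port, and that last command record as undelivered. A record whose TAC+ reply is missing or not SUCCESS is exactly the gap a reviewer of this trail needs to know about, because the access server's own debug is the only place it shows.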
