AAA System Components

Access control is the way to manage who is allowed access to the NAS and what services they’re allowed to use once they have access. Authentication, Authorization, and Accounting (AAA) network security services provide the primary framework through which to set up access control on the router or access server. AAA is comprised of three independent security functions included in the name:

  • Authentication

  • Authorization

  • Accounting

AAA as Facilitator

AAA is designed for flexibility by enabling the administrator to configure the type of authentication and authorization on a per-line (per-user) or per-service basis. During configuration, the types of authentication and authorization to be allowed are defined by creating method lists, and then applying those method lists to specific services or interfaces. The method lists are used to authenticate dial-in users. These lists create an ordered list of security protocols to be used for authentication, thus creating a backup system for authentication in case the initial method fails. For example, the preferred authentication method might be TACACS+, but if the TACACS server isn’t available, then use the local user name/password database. Finally, if the user name/password entries have been removed, then use the enable password.

AAA uses protocols, such as RADIUS, TACACS+, and Kerberos, to administer its security functions. If a router or access server is acting as an NAS, then AAA is the means through which the NAS communicates with the RADIUS, TACACS+, or Kerberos security server.

Steps to Configure AAA

Configuring AAA is relatively simple once the basic process is understood. The basic steps to configure AAA security on a Cisco router or access server are the following:

  1. Enable AAA by using the aaa new-model global configuration command.

  2. If you decide to use a separate security server, such as RADIUS, TACACS+, or Kerberos, configure security protocol parameters to use the appropriate server(s).

  3. Define the method lists for authentication by using an aaa authentication command.

  4. Apply the method lists to a particular interface or line, if required.

  5. (Optional) Configure authorization using the aaa authorization command.

  6. (Optional) Configure accounting using the aaa accounting command.

You will look at Steps 3 through 6 in the next sections. For now, you will concentrate on starting AAA and telling it how to find the authentication server, assuming one will be used.

Note

The exam and this book only use the TACACS+ and RADIUS features. For more information on configuring Kerberos, go to http://www.cisco.com/ on the Web and perform a search for configuring Kerberos. No CCO account is needed for much of the information.

Enable AAA

To enable the AAA access control model on the router or NAS, in global configuration mode, type the aaa new-model command. Use the no form of the command to disable AAA. The syntax is

Rtr1(config)#aaa new-model
Rtr1(config)#no aaa new-model

There are no variables. The words simply turn the feature on and off. Once entered, the CON, VTY, AUX, and TTY lines require a user name and a password for access. Any previous password configuration for those lines is automatically removed.

Define the Security Server—TACACS+

If a TACACS server host is used for authentication, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified name or address. The syntax is

Rtr1(config)#tacacs-server host {hostname | ip-address} [single-connection] [port port#]
    [timeout seconds] [key string]
Rtr1(config)#no tacacs-server host {hostname | ip-address}

hostname

Name of the TACACS+ server.

ip-address

IP address of the TACACS+ server.

single-connection

(Optional) Specify that the router maintain a single open connection for confirmation from the AAA/TACACS+ server. This command contains no autodetect feature and fails if the host isn’t running a CiscoSecure daemon.

port

(Optional) Overrides the default, which is port 49.

port#

(Optional) Port number of the server (range 1 to 65535).

timeout

(Optional) Overrides the global timeout value set with the global tacacs-server timeout command for this server only.

seconds

(Optional) New timeout interval in seconds.

key

(Optional) Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.

string

(Optional) Character string to use as the authentication and encryption key.

Multiple tacacs-server host commands can be used to specify additional host servers. The Cisco IOS software searches for hosts in the order in which they’re specified. Use the single-connection, port, timeout, and key options only when running an AAA/TACACS+ server.

Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, this command can be used to enhance security on a network by uniquely configuring individual TACACS+ connections.

The following example specifies a TACACS host named tac-serv1:

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host tac-serv1

The next AAA example specifies that the router first try the CiscoSecure TACACS+ host 192.168.1.4. If 192.168.1.4 is unavailable, then use tac-serv1:

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server host tac-serv1

The next AAA example specifies that the router consult the CiscoSecure TACACS+ host named 192.168.1.4 on port number 51. The timeout value for requests on this connection is three seconds. The encryption key is a_secret.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host 192.168.1.4 single-connection port 51 timeout 3 key a_secret

Define TACACS+ Server Key Option

After enabling AAA with the aaa new-model command, the authentication and encryption key must be set using the tacacs-server key global configuration command. Use the no form of this command to disable the key.

Rtr1(config)#tacacs-server key key
Rtr1(config)#no tacacs-server key [key]

key

A character entry, this key must match the key used on the TACACS+ daemon. Any leading spaces are ignored, but spaces within and at the end of the key aren’t ignored. Don’t enclose the key in quotation marks unless they’re part of the key.

The following example shows an AAA TACACS+ implementation with the authentication and encryption key set to seattle19:

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server key seattle19

Define the Security Server—RADIUS

To specify a RADIUS server host, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host. The syntax is

Rtr1(config)#radius-server host {hostname | ip-address} [auth-port port-number]
    [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
    [alias {hostname | ip-address}]
Rtr1(config)#no radius-server host {hostname | ip-address} [auth-port port-number]
    [acct-port port-number] [timeout seconds] [retransmit retries] [key string]

hostname

DNS name of the RADIUS server.

ip-address

IP address of the RADIUS server.

auth-port

(Optional) To specify a UDP destination port for authentication requests.

port-number

(Optional) Port number for authentication requests. The host isn’t used for authentication if it’s set to 0.

acct-port

(Optional) To specify a UDP destination port for accounting requests.

port-number

(Optional) Port number for accounting requests. The host isn’t used for accounting if it’s set to 0.

Use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order in which they’re specified.

The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host host1.domain.com

The next example defines port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests on a RADIUS host named 192.168.1.4. Because entering a line resets all the port numbers, you must specify a host and configure both the accounting and authentication ports on a single line.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4 auth-port 12 acct-port 16

To use separate servers for accounting and authentication, use the zero port value, as appropriate. The following example specifies that RADIUS server 192.168.1.4 be used for accounting, but not for authentication, and that RADIUS server host1 be used for authentication, but not for accounting:

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4 auth-port 0
Rtr1(config)#radius-server host host1.domain.com acct-port 0

Define RADIUS Server Key Option

After enabling AAA with the aaa new-model command, the authentication and encryption key must be set using the radius-server key global configuration command. Use the no form of this command to disable the key:

Rtr1(config)#radius-server key key
Rtr1(config)#no radius-server key [key]

key

A character entry, this key must match the key used on the RADIUS daemon. Any leading spaces are ignored, but spaces within, and at the end of the key, aren’t ignored. Don’t enclose the key in quotation marks unless they’re part of the key.

The following example shows an AAA RADIUS implementation with the authentication and encryption key set to seattle19:

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4
Rtr1(config)#radius-server key seattle19

Authentication

Authentication is the way a user is identified prior to being allowed access to the network and network services. The authentication process can include a login and password dialog box, challenge and response, messaging support, and any encryption used.

You configure AAA authentication by defining a named list of authentication methods, and then applying that list to various interfaces. The method list defines the types of authentication to be performed and the sequence in which they’ll be performed. The method list must be applied to a specific interface before any of the defined authentication methods will be performed. The only exception is the default method list (which, by coincidence, is named “default”). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.

Steps to Configure AAA

Configuring AAA is relatively simple once the basic process is understood. The basic steps to configure AAA security on a Cisco router or access server are as follows:

  1. Enable AAA by using the aaa new-model global configuration command.

  2. If you decide to use a separate security server, such as RADIUS, TACACS+, or Kerberos, configure security protocol parameters to use the appropriate server(s).

  3. Define the method lists for authentication by using an aaa authentication command.

  4. Apply the method lists to a particular interface or line, if required.

  5. (Optional) Configure authorization using the aaa authorization command.

  6. (Optional) Configure accounting using the aaa accounting command.

You will look at Steps 3 and 4 in this section.

Define the Method Lists

After identifying the authentication server and defining an associated encryption key, now it’s time to define method lists for authentication. Use the aaa authentication command to name the list and define the authentication method in the order they’re to be tried.

The aaa authentication purpose command (where purpose selects the service being authenticated) has several options, including the following implementations:

  • aaa authentication login: Authentication at login

  • aaa authentication ppp: Authentication methods for interfaces running PPP

  • aaa authentication nasi: Authentication for NetWare Asynchronous Services Interface

  • aaa authentication arap: Authentication method for AppleTalk Remote Access protocol

The book and the exams will concentrate on the login and PPP options. The configuration is similar except for the method choices, which can be handled by typing ? to display the available options while configuring.

Define the Method Lists—Login

To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication. The syntax is

Rtr1(config)#aaa authentication login {default | list-name} method1 [method2...]
Rtr1(config)#no aaa authentication login {default | list-name} method1 [method2...]

default

Uses the listed authentication methods as the default list to be used when a user logs in

list-name

A character string used to name the list of authentication methods that can be specified to be used when a user logs in

method

At least one of the keywords described in the next table

The method argument identifies the list of methods the authentication algorithm tries, in the stated sequence. Method keywords are described in the following table.

Keyword

Description

group tacacs+

Use the list of all TACACS+ servers to authenticate services.

group radius

Use the list of all RADIUS servers to authenticate services.

group group-name

Use a subset of RADIUS or TACACS+ servers for authentication, as defined by the server group group-name.

local

Use the local user name database for authentication.

local-case

Use the case-sensitive local user name database for authentication.

enable

Use enable password for authentication.

line

Use the line password for authentication.

krb5

Use Kerberos 5 for authentication.

krb5-telnet

Use Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.

none

Use no authentication—no security.

The additional methods of authentication are used only if the preceding method returns an error, not if it fails. To ensure that the authentication succeeds, even if all methods return an error, specify none as the final method in the command line.

Implementing Authentication Method Lists

The authentication method lists are implemented on interfaces with the login authentication {default | list-name} command. If no list is implemented on an interface with the login authentication command, a default list to be used can be specified with the default keyword, followed by the methods.

If authentication isn’t specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.

The following example creates an AAA authentication list called XYZ-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server key seattle19
Rtr1(config)#aaa authentication login XYZ-access group tacacs+ enable none
Rtr1(config)#line vty 0 4
Rtr1(config-line)#login authentication XYZ-access

The following example creates the same list, but sets it as the default list that’s used for all login authentications if no other list is specified. It adds the local user name/password database as the second choice.

Rtr1(config)#username last password hope
Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server key seattle19
Rtr1(config)#aaa authentication login default group tacacs+ local enable none
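The rule stated above, that IOS moves to the next method only on an error and never on a failed authentication (the authorization note later in this chapter gives the same rule), is what decides how the XYZ-access list behaves during a TACACS+ outage. The following Python simulation is an added example, not the book’s or Cisco’s code; the Lab class with its users, passwords and server state is a constructed stand-in for the router’s authentication sources.

```python
"""Simulate how Cisco IOS walks an AAA login method list (added example).

Each method answers PASS, FAIL or ERROR.  PASS and FAIL end the walk; only
ERROR (no server found, no enable password configured, unknown local user)
moves IOS on to the next method, and running out of methods on ERROR is a
denial.  'none' always answers PASS, so a list that ends in 'none' turns a
server outage into unauthenticated access.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Lab:
    """Constructed stand-in for the router's authentication sources."""
    tacacs_up: bool = True
    tacacs_users: Dict[str, str] = field(default_factory=dict)  # server's user database
    local_users: Dict[str, str] = field(default_factory=dict)   # 'username' commands
    enable_password: Optional[str] = None
    line_password: Optional[str] = None


def run_method(method: str, lab: Lab, user: str, password: str) -> str:
    """Answer of a single keyword from the login method keyword table."""
    if method == "group tacacs+":
        if not lab.tacacs_up:
            return ERROR                       # no server found -> error
        return PASS if lab.tacacs_users.get(user) == password else FAIL
    if method in ("local", "local-case"):
        users = lab.local_users
        if method == "local":                  # plain 'local' ignores user-name case
            users = {u.lower(): p for u, p in users.items()}
            user = user.lower()
        if user not in users:
            return ERROR                       # unknown user: next method is tried
        return PASS if users[user] == password else FAIL
    if method in ("enable", "line"):
        secret = lab.enable_password if method == "enable" else lab.line_password
        if secret is None:
            return ERROR                       # no such password configured -> error
        return PASS if password == secret else FAIL
    if method == "none":
        return PASS                            # no authentication, no security
    raise ValueError(f"unsupported method keyword: {method}")


def evaluate(methods: List[str], lab: Lab, user: str,
             password: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Walk the list the way the chapter describes: next method only on ERROR."""
    trace: List[Tuple[str, str]] = []
    for method in methods:
        answer = run_method(method, lab, user, password)
        trace.append((method, answer))
        if answer != ERROR:
            return answer == PASS, trace
    return False, trace                        # every method errored: denied


# The chapter's XYZ-access list, and a variant that does not end in 'none'.
XYZ_ACCESS = ["group tacacs+", "enable", "none"]
HARDENED = ["group tacacs+", "local"]


def scenarios() -> Dict[str, Tuple[bool, List[Tuple[str, str]]]]:
    """Run both lists through the situations that matter operationally."""
    server_up = Lab(tacacs_users={"last": "hope"})
    outage = Lab(tacacs_up=False, local_users={"last": "hope"})
    outage_enable = Lab(tacacs_up=False, enable_password="s3cret")
    return {
        # Server answers and rejects: FAIL ends the walk, 'none' is never reached.
        "server_rejects": evaluate(XYZ_ACCESS, server_up, "last", "guess"),
        # Server down and no enable password: two ERRORs, then 'none' admits anyone.
        "outage_falls_open": evaluate(XYZ_ACCESS, outage, "anyone", ""),
        # Server down but enable password set: the enable password decides.
        "outage_enable_ok": evaluate(XYZ_ACCESS, outage_enable, "anyone", "s3cret"),
        "outage_enable_bad": evaluate(XYZ_ACCESS, outage_enable, "anyone", "wrong"),
        # Hardened list: outage falls back to the local database and stops there.
        "hardened_local_ok": evaluate(HARDENED, outage, "Last", "hope"),
        "hardened_unknown": evaluate(HARDENED, outage, "mallory", "x"),
    }


if __name__ == "__main__":
    for name, (allowed, trace) in scenarios().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY':5s} {trace}")
```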

Define the Authentication Method Lists—PPP

To set AAA authentication for interfaces running PPP, use the aaa authentication ppp global configuration command. Use the no form of this command to disable AAA authentication. The syntax is

Rtr1(config)#aaa authentication ppp {default | list-name} method1 [method2...]
Rtr1(config)#no aaa authentication ppp {default | list-name} method1 [method2...]

default

Uses the listed authentication methods as the default list to be used when a user logs in

list-name

Character string used to name the list of authentication methods that can be specified to be used when a user logs in

method

At least one of the keywords described in the next table

The method argument identifies the list of methods the authentication algorithm tries, in the stated sequence. Method keywords are described in the following table.

Keyword

Description

group tacacs+

Use the list of all TACACS+ servers to authenticate services.

group radius

Use the list of all RADIUS servers to authenticate services.

group group-name

Use a subset of RADIUS or TACACS+ servers for authentication, as defined by the server group group-name.

local

Use the local user name database for authentication.

local-case

Use the case-sensitive local user name database for authentication.

enable

Use enable password for authentication.

line

Use the line password for authentication.

krb5

Use Kerberos 5 for authentication.

if-needed

Does not authenticate if the user has already been authenticated on a TTY line.

none

Use no authentication—no security.

The additional methods of authentication are used only if the preceding method returns an error, not if it fails. To ensure the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

Implementing Authentication Method Lists

The PPP authentication method lists are implemented on interfaces with the ppp authentication {default | list-name} command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface. If no list is implemented on an interface with the ppp authentication command, a default list to be used can be specified with the default keyword followed by the methods.

If authentication isn’t specifically set for a line, the default is to deny access and no authentication is performed. Use the show running-config command to display currently configured lists of authentication methods.

The following example uses the previous named list example and adds a PPP authentication list named PPP-access. This authentication first tries to contact a TACACS+ server. If no TACACS+ server is found, the user is allowed access with no authentication.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server key seattle19
Rtr1(config)#aaa authentication login XYZ-access group tacacs+ enable none
Rtr1(config)#aaa authentication ppp PPP-access group tacacs+ none
Rtr1(config)#interface serial 0/1
Rtr1(config-if)#encapsulation ppp
Rtr1(config-if)#ppp authentication ppp-access

The following example creates the same lists, but sets them as the default lists used for all login and PPP authentications if no other list is specified, and adds the if-needed method to the PPP list.

Rtr1(config)#username last password hope
Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server key seattle19
Rtr1(config)#aaa authentication login default group tacacs+ local enable none
Rtr1(config)#aaa authentication ppp default if-needed group tacacs+ none

Authorization

AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform or access. These attributes are compared to the information contained in a database for a given user, and the result is returned to AAA to determine the user’s actual capabilities and restrictions. The database can be located locally on the access server or the router, or it can be stored remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. All authorization methods must be defined through AAA.

As with authentication, you configure AAA authorization by defining a named list of authorization methods, and then applying that list to various interfaces.

Steps to Configure AAA

Configuring AAA is relatively simple once the basic process is understood. The basic steps to configure AAA security on a Cisco router or access server are

  1. Enable AAA by using the aaa new-model global configuration command.

  2. If you decide to use a separate security server, such as RADIUS, TACACS+, or Kerberos, configure security protocol parameters to use the appropriate server(s).

  3. Define the method lists for authentication by using an aaa authentication command.

  4. Apply the method lists to a particular interface or line, if required.

  5. (Optional) Configure authorization using the aaa authorization command.

  6. (Optional) Configure accounting using the aaa accounting command.

You will look at Step 5 in this section.

Define the Authorization Method Lists

Use the aaa authorization command to enable authorization and to create named method lists, defining authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed.

A method list, as in authentication, is simply a named list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable one or more security protocols for authorization to be designated, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services. If that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until successful communication occurs with a listed authorization method or all methods defined are exhausted.

Note

The Cisco IOS software attempts authorization with the next listed method only when no response occurs from the previous method. If authorization fails at any point in this cycle (meaning the security server or local user name database responds by denying the user services), the authorization process stops and no other authorization methods are attempted.

Use the aaa authorization global configuration command to set parameters that restrict a user’s network access. Use the no form of this command to disable authorization for a function. The basic syntax is

Rtr1(config)#aaa authorization {authorization-type} {default | list-name} method1 [method2...]
Rtr1(config)#no aaa authorization {authorization-type}

The first step is to choose which of the eight authorization types AAA supports is to be validated. The actual syntax and choices include

Rtr1(config)#aaa authorization {network | exec | commands level | reverse-access |
    configuration | config-commands | auth-proxy | ipmobile}
    {default | list-name} method1 [method2...]

network

All network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.

exec

Whether the user is allowed to run an EXEC shell.

commands level

Specific command level to be authorized (0 through 15).

reverse-access

Reverse access connections, such as reverse Telnet.

configuration

Downloads the configuration from the AAA server.

config-commands

Configuration mode commands.

auth-proxy

Authentication Proxy Services.

ipmobile

Mobile IP services.

Once the authorization type is selected, the rest is just like the authentication process.

default

Uses the listed authorization methods that follow this argument as the default list of methods for authorization

list-name

Character string used to name the list of authorization methods

method1 [method2...]

One of the keywords listed in the following table

The actual method lists are specific to the type of authorization being requested. The six methods Cisco IOS software supports for authorization are described in the following table.

Method

Description

group tacacs+

Uses the list of all TACACS+ servers to provide authorization services. TACACS+ authorization defines specific rights for users by associating attribute-value (AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.

group radius

Uses the list of all RADIUS servers to provide authorization service. RADIUS authorization defines specific rights for users by associating attributes, which are stored in a database on the RADIUS server.

if-authenticated

Allows the user to access the requested function if the user is authenticated.

local

Uses the local database for authorization, as defined by the user name command, to authorize specific rights for users. Only a limited set of functions can be controlled by the local database.

krb5-instance

Uses the instance defined by the Kerberos Instance Map command.

none

The NAS doesn’t request authorization information. Authorization isn’t performed over this line/interface.

When creating a named method list, a particular list of authorization methods for the indicated authorization type is defined. Once defined, method lists must be applied to specific lines or interfaces, as with authentication, before any of the defined methods will be performed. The authorization command causes a request packet, containing a series of AV pairs, to be sent to the RADIUS or TACACS+ daemon as part of the authorization process. The daemon can do one of the following:

  • Accept the request as is.

  • Make changes to the request.

  • Refuse the request and refuse authorization.

Implementing Authorization Method Lists

To configure AAA authorization using named method lists, perform the following tasks beginning in Global Configuration mode:

Task

Command

Create an authorization method list for an authorization type and enable authorization.

aaa authorization {authorization-type} list-name [method1 [method2...]]

Enter line configuration mode for the line(s), or interface configuration mode for the interface, to which you want to apply the authorization method list.

line [aux | console | tty | vty] line-number [ending-line-number]
or
interface interface-type interface-number

Apply the authorization list to the line(s) or to the interface.

authorization {authorization-type} list-name
or
ppp authorization list-name

The following example defines the network authorization method list named XYZ-auth, which specifies TACACS+ authorization will be used on serial lines using PPP. If the TACACS+ server fails to respond, the local network authorization will be performed.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server key seattle19
Rtr1(config)#aaa authentication login XYZ-access group tacacs+ enable none
Rtr1(config)#aaa authentication ppp PPP-access group tacacs+ none
Rtr1(config)#aaa authorization network xyz-auth group tacacs+ local
Rtr1(config)#interface serial 0/1
Rtr1(config-if)#encapsulation ppp
Rtr1(config-if)#ppp authentication ppp-access
Rtr1(config-if)#ppp authorization xyz-auth
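The weak spots this chapter points out are all visible in the running configuration: a method list that ends in none, a server host with neither a per-host nor a global key, a RADIUS host with both ports set to 0, and an applied list whose name does not match any defined list. The following Python audit checks for them and is an added example, not the book’s or Cisco’s tooling; SAMPLE_CONFIG is a constructed configuration assembled from this chapter’s commands with the weak spots left in, and the finding codes are invented for the example.

```python
"""Audit the AAA section of an IOS configuration for the weak settings this
chapter warns about (added example, not the book's own tooling)."""
import re
from typing import Dict, List, Tuple

# Constructed sample built from the chapter's own commands, with the weak
# spots deliberately left in.
SAMPLE_CONFIG = """
aaa new-model
tacacs-server host 192.168.1.4 single-connection port 51 timeout 3 key a_secret
tacacs-server host tac-serv1
radius-server host 192.168.1.4 auth-port 0 acct-port 0
radius-server host host1.domain.com
aaa authentication login XYZ-access group tacacs+ enable none
aaa authentication login default group tacacs+ local enable none
aaa authentication ppp PPP-access group tacacs+ none
aaa authorization network xyz-auth group tacacs+ local
line vty 0 4
 login authentication XYZ-access
interface serial 0/1
 encapsulation ppp
 ppp authentication ppp-access
 ppp authorization xyz-auth
"""

# Line-mode and interface-mode commands that apply a list, mapped to the
# (aaa command, type) under which the referenced list is defined.
APPLY_CMDS = {"login authentication": "authentication login",
              "ppp authentication": "authentication ppp",
              "ppp authorization": "authorization network"}


def split_methods(text: str) -> List[str]:
    """'group tacacs+ enable none' -> ['group tacacs+', 'enable', 'none']."""
    tokens, methods = text.split(), []
    while tokens:
        tok = tokens.pop(0)
        methods.append(f"{tok} {tokens.pop(0)}" if tok == "group" and tokens else tok)
    return methods


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (finding-code, detail) pairs for the AAA commands in config."""
    findings: List[Tuple[str, str]] = []
    lists: Dict[Tuple[str, str], List[str]] = {}    # (kind, name) -> methods
    applied: List[Tuple[str, str, str]] = []         # (kind, name, where applied)
    hosts = {"tacacs": [], "radius": []}             # proto -> [(host, has_own_key)]
    global_key = {"tacacs": False, "radius": False}
    new_model, context = False, "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            context = "global"                       # back in global config mode
        if re.match(r"(line|interface) ", line):
            context = line                           # entering line/interface mode
        elif line == "aaa new-model":
            new_model = True
        elif m := re.match(r"(tacacs|radius)-server key ", line):
            global_key[m.group(1)] = True
        elif m := re.match(r"(tacacs|radius)-server host (\S+)(.*)", line):
            proto, host, opts = m.groups()
            hosts[proto].append((host, " key " in opts))
            ports = dict(re.findall(r"(auth-port|acct-port) (\d+)", opts))
            if ports.get("auth-port") == "0" and ports.get("acct-port") == "0":
                findings.append(("UNUSED_HOST",
                                 f"RADIUS host {host}: both ports are 0, so it is never consulted"))
        elif m := re.match(r"aaa (authentication|authorization) (commands \d+|\S+) (\S+) (.+)", line):
            kind, name = f"{m.group(1)} {m.group(2)}", m.group(3)
            methods = split_methods(m.group(4))
            lists[(kind, name)] = methods
            if "none" in methods:
                pos = methods.index("none")
                how = ("performs no authentication at all" if pos == 0 else
                       f"grants access with no authentication once {', '.join(methods[:pos])} "
                       "return an error (e.g. the server is unreachable)")
                findings.append(("NONE_METHOD", f"{kind} list {name}: {how}"))
                if pos < len(methods) - 1:
                    findings.append(("UNREACHABLE",
                                     f"{kind} list {name}: methods after none are never tried"))
        elif m := re.match(r"(login authentication|ppp authentication|ppp authorization) (\S+)", line):
            applied.append((APPLY_CMDS[m.group(1)], m.group(2), context))
    if not new_model:
        findings.append(("NO_AAA", "aaa new-model is absent, so the aaa commands are not in effect"))
    for proto, entries in hosts.items():
        for host, own_key in entries:
            if not own_key and not global_key[proto]:
                findings.append(("NO_KEY", f"{proto} host {host}: no per-host key and no global "
                                           f"{proto}-server key configured"))
    for kind, name, where in applied:
        if name != "default" and (kind, name) not in lists:
            defined = [n for k, n in lists if k == kind]
            findings.append(("UNDEFINED_LIST", f"{where}: {kind} list {name!r} is not defined with "
                                               f"that exact name (defined: {defined})"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"[{code}] {detail}")
```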

Accounting

Accounting enables you to track the services users are accessing, as well as the amount of network resources they’re consuming. When AAA accounting is activated, the NAS reports user activity to the TACACS+ or RADIUS security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analyzed for network management, client billing, and/or auditing. All accounting methods must be defined through AAA. As with authentication and authorization, you can configure AAA accounting by defining a named list of accounting methods, and then applying that list to various interfaces.

Steps to Configure AAA

Configuring AAA is relatively simple once the basic process is understood. The basic steps to configure AAA security on a Cisco router or access server are the following:

  1. Enable AAA by using the aaa new-model global configuration command.

  2. If you decide to use a separate security server, such as RADIUS, TACACS+, or Kerberos, configure security protocol parameters to use the appropriate server(s).

  3. Define the method lists for authentication by using an aaa authentication command.

  4. Apply the method lists to a particular interface or line, if required.

  5. (Optional) Configure authorization using the aaa authorization command.

  6. (Optional) Configure accounting using the aaa accounting command.

You will look at Step 6 in this section.

Define the Accounting Method Lists

When aaa accounting is activated, the NAS monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you implemented. The NAS reports these attributes as accounting records, which are then stored in an accounting log on the security server. The aaa accounting command enables accounting and enables you to create named method lists defining specific accounting methods on a per-line or per-interface basis. Use the no form of this command to disable accounting. The basic syntax is

Rtr1(config)#aaa accounting {accounting-type} {default | list-name} {accounting-method}
    method1 [method2...]
Rtr1(config)#no aaa accounting {accounting-type}

The first step is to choose which of the accounting types AAA supports is to be tracked. The syntax and choices include

Rtr1(config)#aaa accounting {system | network | exec | connection | commands level | nested |
    update} {default | list-name} {accounting-method} method1 [method2...]

system

All system-level events not associated with users, such as reloads. Don’t use named accounting lists; only use the default list for system accounting.

network

All network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.

exec

Creates accounting records about user EXEC terminal sessions on the NAS, including user name, date, start, and stop times.

connection

All outbound connections from the NAS, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin.

commands level

Specific command level to track for accounting (0 through 15).

nested

Provides accounting when PPP is started from EXEC; NETWORK records are generated before the EXEC-STOP record.

update

Enables periodic interim accounting records to be sent to the accounting server.

Once the accounting type is selected, you must specify the accounting method to be used in recording the results. The syntax and choices include

Rtr1(config)#aaa accounting {accounting-type} {default | list-name} {start-stop | wait-start |
    stop-only | none} method1 [method2...]

start-stop

Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins, regardless of whether the start accounting notice was received by the accounting server.

wait-start

Sends both a start and a stop accounting notice to the accounting server. But, if the wait-start keyword is used, the requested user service does not begin until the start accounting notice is acknowledged.

stop-only

Sends a stop accounting notice at the end of the requested user process.

none

Disables accounting services on this line or interface.

For minimal accounting, use the stop-only keyword. For more detailed accounting, include the start-stop keyword. For even more accounting control, include the wait-start keyword, which ensures the start notice is received by the RADIUS or TACACS+ server before granting the user’s process request.

The default | list-name and method options work just as they do for authentication and authorization. Individual named accounting method lists are specific to the indicated accounting type. System accounting doesn’t use named accounting lists; only the default list can be defined for system accounting.

default

Uses the listed accounting methods that follow this argument as the default list of methods for accounting

list-name

Character string used to name the list of accounting methods

method1 [method2...]

One of the keywords listed in the following table

Accounting method keywords are described in the following table.

Keyword

Description

group tacacs+

Uses the list of all TACACS+ servers to provide accounting services. The NAS reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

group radius

Uses the list of all RADIUS servers to provide accounting services. The NAS reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting, as defined by the server group group-name.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable the option to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services.

Implementing Accounting Method Lists

AAA accounting is disabled by default. If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies), except those with a named method list explicitly defined. (A defined method list always overrides the default method list.) If no default method list is defined, then no accounting takes place.

To configure AAA accounting using named method lists, perform the following tasks beginning in Global Configuration mode:

Task

Command

Create an accounting method list and enable accounting.

aaa accounting {accounting-type} list-name {accounting-method} method1 [method2...]

Enter line configuration mode for the line(s), or interface configuration mode for the interface, to which you want to apply the accounting method list.

line [aux | console | tty | vty] line-number [ending-line-number]
or
interface interface-type interface-number

Apply the accounting list to the line(s) or to the interface.

accounting {accounting-type} list-name
or
ppp accounting list-name

The following example defines the network accounting method list named XYZ-acct
