After you have configured authentication or authorization, you are ready to configure accounting. AAA accounting is used to keep track of AAA transactions and events that occur on your router, such as when a user logs in or out of the router, or what commands the user has executed. This can be used as an audit trail to enhance your security as a change-management system (keeping track of the changes that people are making on your router).
NOTE
Note that accounting is optional. You need to configure accounting only if you want to keep a log file of AAA transactions and events on your router.
As with authentication and authorization, you need to specify two things when setting up AAA accounting: what you want to capture accounting information on and the method lists that define where to send it.
Here is a list of the types of things that you can create accounting records for:
Commands: This accounting method provides information about what commands a user executed, including user and privileged EXEC and configuration mode commands.
Connection: This accounting method provides information about connections made from the router, such as an administrator Telnetting from the router to another device. Connections include Telnet, LAT, TN3270, PAD, and rlogin. Accounting information captured includes the user's username, the date and time that each command was executed, and the command executed.
EXEC: This accounting method provides information about EXEC sessions started on the router. This information includes the user's name, the date with start and stop times, and the IP address of the user's device.
Network: This accounting method provides information about dialup connections, such as PPP and SLIP (this is not covered in this book). The information captured includes the number of packets and bytes for the network connection.
Resource: This accounting method is used for dialup connections and displays resource information about the phone calls (this is not covered in this book).
System: This accounting method provides information about system-level events, such as an interface going up or down, the router being reloaded, or accounting being enabled or disabled.
NOTE
Cisco's implementation of RADIUS does not support command accounting; you must use TACACS+ for this function.
The previous list displays the kind of information that you can capture for accounting. What the router does with this information is defined by your method lists. With accounting, there are only two method lists:
RADIUS
TACACS+
Unfortunately, this means that you cannot log accounting information locally on the router or to a syslog server. Instead, the Cisco IOS uses an AAA security server to log the accounting information.
Now take a look at setting up AAA accounting on your router. As mentioned in the last section, accounting requires the use of an external security server using either the TACACS+ or RADIUS communications security protocols. Therefore, you need to do the following things first:
After you have done these things, you are ready to set up accounting. Here is the command syntax to configure accounting:
Router(config)# aaa accounting {system | network | exec | connection | commands level_#} {default | list_name} {start-stop | stop-only | none} [method1 [method2...]]
Router(config)# line [aux | console | tty | vty] line_# [ending_line_#]
Router(config-line)# accounting {arap | commands level_# | connection | exec} {default | list_name}
Router(config)# interface type [slot_#/]port_#
Router(config-if)# ppp accounting {default | list_name}
Enabling accounting requires the use of the aaa accounting command. Table 5-4 lists the six services that you can enable accounting for.
| Service Keyword | Description |
|---|---|
| system | Enables accounting to capture system-level events, such as an interface status changing or the router reloading (only the default method list is supported for this service) |
| network | Enables accounting for all network services, such as SLIP, PPP, NCP, and ARAP |
| exec | Enables accounting for EXEC sessions, listing what users logged in and when they logged into and out of the router |
| connection | Enables accounting for outbound connections from the router, such as Telnet and TN3270 |
| commands level_# | Enables accounting for commands, listing the commands (and their privilege levels) that were executed by a user |
| resource | Enables accounting for dialup connections, listing resource information for them |
Following the service is the keyword default or the name of the method list. With the exception of system, all accounting services can be enabled or disabled on a line or interface basis. With these accounting services, you can specify a unique name for the method list and associate it with the appropriate line or interface, thereby restricting the accounting information that you gather. For example, you could enable the commands service for VTY connections, but not for other types of access.
After you have entered the default parameter or method list, you need to define how accounting records should be created. You can use these keywords:
start-stop: Create an accounting record at the beginning and end of the event. For example, with an outbound Telnet, the Cisco IOS would create a starting accounting record when the user establishes a Telnet connection, and then an ending accounting record when the user terminates the connection.
stop-only: Create an accounting record only at the end of the user process. For example, for an outbound Telnet connection, an accounting record is created only when the user terminates the Telnet connection.
none: Disables accounting for the specified accounting service.
wait-start: As with start-stop, an accounting record is generated at the beginning and end of the service; however, the service is not started until the router can successfully log the beginning accounting record with the AAA server. This is useful if you want extra protection and require a log of actions before the action takes place.
NOTE
Note that the wait-start parameter was removed in Cisco IOS 12.1 and later, and no longer is supported.
As mentioned in the last section, only two listed methods are supported for accounting: RADIUS and TACACS+. You can use these keywords for these methods:
group radius
group tacacs+
group AAA_server_group_name
These previously were discussed in the "Authentication" and "Authorization" sections.
Using a named method list, you can associate that list with either a line or an interface. On a line, use the accounting command, specifying the service that you want to create accounting information for, as well as the name of the method list. If you do not use this command, the default method list is used. On interfaces, only network PPP connection information can be gathered.
In some situations, accounting generates accounting records when no username is involved (a null username). For example, you might have configured AAA for login authentication (aaa authentication login) and specified two methods in your list: a TACACS+ AAA server and none. In this situation, the TACACS+ server is used to perform authentication; if it is not available, authentication is not performed. Assume that you have another AAA server running RADIUS that handles all accounting functions. When a user attempts to authenticate and the TACACS+ server is not available, the user is allowed access to the router (this probably was restricted to only the console port) because of the none method. In this situation, the user accessing the router did not have to supply a username for this method because no authentication is required (none method). However, accounting still generates an accounting record, using a null username. If you desire, you can suppress these accounting records with the following command:
Router(config)# aaa accounting suppress null-username
One of the initial limitations of AAA accounting is that all records were sent to the primary AAA server. If you wanted multiple AAA servers to receive the accounting information, the router would send the information to the primary AAA server, and the primary server would forward it to other AAA servers. As of 12.1(1)T, the Cisco IOS can simultaneously forward accounting information to up to four AAA servers. Imagine an AAA accounting server that must handle accounting information for 2000 or 3000 routers. Using the old method would place a heavy burden on the AAA server. The new broadcast solution is especially useful because it reduces the burden on the primary accounting server and places it on the routers sending accounting information.
Enabling the broadcast function is simple. First, create a list of AAA servers of the same type. Optionally, you can put them into an AAA server group, but this is not necessary. When configuring your aaa accounting commands, insert the broadcast parameter before your list of methods, like this:
Router(config)# aaa accounting {system | network | exec | connection | commands level_#} {default | list_name} {start-stop | stop-only | none} broadcast [method1 [method2...]]
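The following configuration is an added example, not part of the original text or of Example 5-10, that ties together the named method list, the per-line accounting command, null-username suppression, and the broadcast parameter from the preceding sections. The list name vtyacct is an assumption, and the server group aaatacgroup (two TACACS+ servers, as in Example 5-10) is assumed to be already defined.

```cisco
! Named list vtyacct: EXEC and privilege-15 command records go to both
! TACACS+ servers directly (broadcast), rather than via the primary only.
Router(config)# aaa accounting exec vtyacct start-stop broadcast group aaatacgroup
Router(config)# aaa accounting commands 15 vtyacct stop-only broadcast group aaatacgroup
! system accepts only the default list (Table 5-4).
Router(config)# aaa accounting system default start-stop broadcast group aaatacgroup
! Drop records produced by the "none" fallback method (no username).
Router(config)# aaa accounting suppress null-username
! Bind the named list to the VTY lines only; the console line has no
! accounting command and no default exec/commands list exists, so
! console sessions produce no EXEC or command records.
Router(config)# line vty 0 4
Router(config-line)# accounting exec vtyacct
Router(config-line)# accounting commands 15 vtyacct
Router(config-line)# exit
```

Verify the binding with show running-config | section line vty, and use debug aaa accounting while logging in over a VTY to confirm that the method list picked is 'vtyacct' rather than 'default'.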
You use two basic commands for troubleshooting AAA accounting problems: show accounting and debug aaa accounting. Note that, depending on the Cisco IOS version, you have to use either the show accounting command or its replacement, the show aaa user all command.
The show accounting command lists a summarized view of each accounting record in the router's buffer, as well as a summarization of the types of accounting records. For more detailed troubleshooting of accounting, use the debug aaa accounting command, as displayed in Example 5-9.
Router# debug aaa accounting
Sep 17 14:48:33.011: AAA/ACCT/EXEC(00000005): Pick method list 'default'
Sep 17 14:48:33.011: AAA/ACCT/SETMLIST(00000005): Handle 0, mlist 81CA79CC, Name default
Sep 17 14:48:33.011: Getting session id for EXEC(00000005): db=82099258
Sep 17 14:48:33.011: AAA/ACCT/EXEC(00000005): add, count 2
Sep 17 14:48:33.011: AAA/ACCT/EVENT/(00000005): EXEC UP
In this example, the default method was used, as shown in the second line of output ('default'). In the middle and bottom of the display, you can see that a user successfully gained access to the router's EXEC shell.
Now that you understand how to use basic AAA accounting commands, take a look at a simple configuration. This builds upon Example 5-6 and Example 5-8 used in the "Authentication Example" and "Authorization Example" sections. Example 5-10 shows a sample configuration for accounting.
Router(config)# aaa accounting commands 15 default stop-only group aaatacgroup broadcast
Router(config)# aaa accounting system default stop-only group aaatacgroup broadcast
Router(config)# aaa accounting connection default stop-only group aaatacgroup broadcast
Router(config)# aaa accounting exec default stop-only group aaatacgroup broadcast
In this example, aaatacgroup, which contains two TACACS+ servers, is handling the accounting functions. Notice that I used the broadcast parameter, ensuring that the AAA accounting information is sent from the router directly to both servers. In this configuration, accounting records are created when a user executes privilege level 15 commands, a system event occurs, a user tries to connect to a remote device, or a user tries to gain access to an EXEC shell.