|
|
Accounting is the third major function, after authentication and authorization, in a security system. Accounting can be used by network administrators to bill departments or customers for connection time. Accounting also enables administrators to track suspicious connection attempts into the network.
This chapter contains information about the CiscoSecure Access Control Server (ACS) software accounting database file and how to enable accounting using the software.
The following section are included:
For more information on how the accounting database is set up, refer to the appendix "CiscoSecure ACS Database Structure."
To use the CiscoSecure ACS accounting feature, accounting must be enabled on the network access server (NAS). Confirm that the following two lines reside in the NAS configuration file:
aaa accounting exec start-stop tacacs+ aaa accounting network start-stop tacacs+
This section presents accounting information that applies only if you are using the TACACS+ protocol.
For the TACACS+ protocol, all accounting data is stored in the relational database management system (RDBMS). From the RDBMS tables, you can run a special tool (described in the section "Extracting Key Accounting Data" later in this chapter) to export the accounting data to an ASCII file.
Caution When you specify any kind of accounting, the database will log every transaction. Depending on the number of transactions and the size of your database, the log file can expand and very quickly fill up your disk. For details, see the sections "Extracting Key Accounting Data" and "Displaying Group Membership for Accounting" later in this chapter.
Use the AccountExport tool to extract the accounting data to a text file. An accounting record for TACACS+ is structured like the following example:
char nas_name[] /* NAS name */ char user_name[] /* username */ char port_name[] /* port the connection is on */ char remote_address[] /* where the user connected from */ char record_type[] /* (start, update, stop etc) */ char server[] /* hostname of the server, as an AV pair */ char time[] /* time of this record, as an AV pair */ char date[] /* date of this record, as an AV pair */ char attribute_value_pairs[] /* there are an arbitrary number of these */
Each accounting record is terminated by the newline character (\n); record lengths are not fixed. All numeric values in attribute_value_pair strings are sent and recorded as decimal ASCII numbers. The accounting record file consists of a sequence of such records, written to stable storage on a periodic, configurable basis.
The following is sample output of the accounting system (with each line wrapped to fit onto the page):
Before each write operation, the CiscoSecure ACS software checks the accounting file to see if its filename has changed and, if it has, the existing accounting file is closed and a new copy of the file is opened. This prevents any loss of data when you are archiving accounting data while the CiscoSecure ACS software is running.
This section presents accounting information that applies if you are using the RADIUS protocol.
The following examples show typical RADIUS accounting packets. The RADIUS server must be configured to record accounting packets to the RDBMS in order for the raw RADIUS accounting packet to follow this accounting structure. You can configure the RDBMS using the web-based interface. See the chapter, "Configuring the NAS for RADIUS" for more instructions.
The following is a typical example of a start packet for RADIUS:
Max1 ascchap 10119 5553025 start server=sand time=10:43:06 date=04/08/97 task_id=228932705 Tue Apr 8 11:43:06 1997 User-Name = "ascchap" NAS-Identifier = 200.200.200.179 NAS-Port = 10119 Acct-Status-Type = Start Acct-Delay-Time = 0 Acct-Session-Id = "228932705" Acct-Authentic = RADIUS Caller-Id = "5553025" Client-Port-DNIS = "7149991111" Framed-Protocol = PPP Framed-Address = 100.100.100.100
The following is a typical example of a stop packet for RADIUS:
Max1 ascchap 10119 5553025 stop server=sand time=10:43:16 date=04/08/97 task_id=228932705 Tue Apr 8 11:43:16 1997 User-Name = "ascchap" NAS-Identifier = 200.200.200.179 NAS-Port = 10119 Acct-Status-Type = Stop Acct-Delay-Time = 0 Acct-Session-Id = "228932705" Acct-Authentic = RADIUS Acct-Session-Time = 10 Acct-Input-Octets = 182 Acct-Output-Octets = 231 Acct-Input-Packets = 10 Acct-Output-Packets = 11 Ascend-Disconnect-Cause = 185 Ascend-Connect-Progress = 60 Ascend-Data-Rate = 64000 Ascend-PreSession-Time = 1 Ascend-Pre-Input-Octets = 182 Ascend-Pre-Output-Octets = 231 Ascend-Pre-Input-Packets = 10 Ascend-Pre-Output-Packets = 11 Ascend-Multilink-ID = 30 Ascend-Num-In-Multilink = 0 Caller-Id = "5553025" Client-Port-DNIS = "7149991111" Framed-Protocol = PPP Framed-Address = 100.100.100.100
These packets can be viewed from a text editor and provide the current status (including password attributes and user values) of the user or group sending the data.
Most RADIUS attribute-value pairs have equivalents in TACACS+, but they differ slightly. For example, the TACACS+ attribute event_id is equivalent to the RADIUS attribute acctg-session-id. See the appendix "RADIUS Attribute-Value Pairs and Dictionary Management" for more information, including a table comparing RADIUS and TACACS+ attributes.
To help you prepare financial records, the CiscoSecure ACS provides a special tool called AcctExport that exports raw accounting data from the RDBMS table into an external file. The AcctExport is especially helpful if you were using CiscoSecure ACS 1.x and have a system to output accounting data to a specified file for later processing.
The information in this section applies to both TACACS+ and RADIUS.
To run the AcctExport tool:
Step 1 Change directories as follows:
cd $BASEDIR/utils/bin
$BASEDIR refers to your CiscoSecure ACS install directory.
Step 2 Run AcctExport as follows:
./AcctExport filename [no_truncate ][clean]This command outputs all of your accounting data into the specified filename. If the file already exists, then its contents will be overwritten.
The filename is required and refers to the path name of the target file. When there is no option other than filename, AcctExport will export all accounting records (except the start records for the active sessions) to the file, then remove the records from the accounting tables. CiscoSecure is not required to be offline for this operation.
The no_truncate option directs the tool to behave in the manner as the default option except that no records from the tables will be removed. If the clean option is specified, the tool exports all the accounting records present in the tables (regardless of active or non-active sessions) to the external file and deletes them from the tables. The tool will also reset the sequence numbers used for accounting records by the CiscoSecure DBServer. The sequence numbers are used to identify each accounting record and user sessions. These numbers are in the range from 1 to 2,147,483,647. The current sequence numbers can be obtained from the cs_id table. When using this option, make sure either CiscoSecure is off-line or the accounting is turned off.
Accounting tables will not be emptied completely if default option is used and there are active sessions.
If you selected an option other than none or file for the Accounting field in the Servers page of the Java-based CiscoSecure Administrator advanced configuration program (See the section, "Managing RADIUS Settings on the ACS" in the chapter, "ACS and NAS Management "), the CiscoSecure ACS software can add a field to each accounting record that will indicate the immediate group membership of the corresponding user. In this way, accounting organizations can easily know whether to adjust billing information according to the user's group association.
The ability to display group membership for billing and accounting is achieved by enabling the accounting feature on the NAS and by enabling the accounting member attribute in the CiscoSecure ACS web-based interface, as follows:
Step 1 Start the CiscoSecure Administrator advanced configuration program, click the Members tab and deselect Browse.
Step 2 In the Browser pane, do one of the following:
Step 3 Select the Profile icon to display the Options menu.
Step 4 In the Options menu, select Accounting Function.
Step 5 Click Apply.
Step 6 Select the Accounting Function icon in the upper part of the Profile window. account_member_fn appears in the accounting field.
Step 7 Click Apply.
|
|