Cisco IOS Release 11.3 supports five different kinds of accounting: command, connection, EXEC, network, and system accounting. Each is described below.
Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.
The following example shows the information contained in a TACACS+ command accounting record for privilege level 1:
Wed Jun 25 03:46:47 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=3 service=shell priv-lvl=1 cmd=show version
Wed Jun 25 03:46:58 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=4 service=shell priv-lvl=1 cmd=show interfaces Ethernet 0
Wed Jun 25 03:47:03 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=5 service=shell priv-lvl=1 cmd=show ip route
The following example shows the information contained in a TACACS+ command accounting record for privilege level 15:
Wed Jun 25 03:47:17 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=6 service=shell priv-lvl=15 cmd=configure terminal
Wed Jun 25 03:47:21 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=7 service=shell priv-lvl=15 cmd=interface Serial 0
Wed Jun 25 03:47:29 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=8 service=shell priv-lvl=15 cmd=ip address 1.1.1.1 255.255.255.0
Connection accounting provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), tn3270, packet assembler-disassembler (PAD), and rlogin.
The following example shows the information contained in a RADIUS connection accounting record for an outbound Telnet connection:
Wed Jun 25 04:28:00 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 2
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "4082329477"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Login
Acct-Session-Id = "00000008"
Login-Service = Telnet
Login-IP-Host = "171.68.202.158"
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:28:39 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 2
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "4082329477"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Login
Acct-Session-Id = "00000008"
Login-Service = Telnet
Login-IP-Host = "171.68.202.158"
Acct-Input-Octets = 10774
Acct-Output-Octets = 112
Acct-Input-Packets = 91
Acct-Output-Packets = 99
Acct-Session-Time = 39
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
The following example shows the information contained in a TACACS+ connection accounting record for an outbound Telnet connection:
Wed Jun 25 03:47:43 1997 172.16.25.15 dpeng tty3 4082329430/4327528 start task_id=10 service=connection protocol=telnet addr=171.68.202.158 cmd=telnet dpeng-sun
Wed Jun 25 03:48:38 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=10 service=connection protocol=telnet addr=171.68.202.158 cmd=telnet dpeng-sun bytes_in=4467 bytes_out=96 paks_in=61 paks_out=72 elapsed_time=55
The following example shows the information contained in a RADIUS connection accounting record for an outbound rlogin connection:
Wed Jun 25 04:29:48 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 2
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "4082329477"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Login
Acct-Session-Id = "0000000A"
Login-Service = Rlogin
Login-IP-Host = "171.68.202.158"
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:30:09 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 2
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "4082329477"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Login
Acct-Session-Id = "0000000A"
Login-Service = Rlogin
Login-IP-Host = "171.68.202.158"
Acct-Input-Octets = 18686
Acct-Output-Octets = 86
Acct-Input-Packets = 90
Acct-Output-Packets = 68
Acct-Session-Time = 22
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
The following example shows the information contained in a TACACS+ connection accounting record for an outbound rlogin connection:
Wed Jun 25 03:48:46 1997 172.16.25.15 dpeng tty3 4082329430/4327528 start task_id=12 service=connection protocol=rlogin addr=171.68.202.158 cmd=rlogin dpeng-sun /user dpeng
Wed Jun 25 03:51:37 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=12 service=connection protocol=rlogin addr=171.68.202.158 cmd=rlogin dpeng-sun /user dpeng bytes_in=659926 bytes_out=138 paks_in=2378 paks_out=1251 elapsed_time=171
The following example shows the information contained in a TACACS+ connection accounting record for an outbound LAT connection:
Wed Jun 25 03:53:06 1997 172.16.25.15 dpeng tty3 4082329430/4327528 start task_id=18 service=connection protocol=lat addr=VAX cmd=lat VAX
Wed Jun 25 03:54:15 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=18 service=connection protocol=lat addr=VAX cmd=lat VAX bytes_in=0 bytes_out=0 paks_in=0 paks_out=0 elapsed_time=6
EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access server, including user name, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.
The following example shows the information contained in a RADIUS EXEC accounting record for a dial-in user:
Wed Jun 25 04:26:23 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 1
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "4082329483"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = "00000006"
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:27:25 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 1
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "4082329483"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = "00000006"
Acct-Session-Time = 62
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
The following example shows the information contained in a TACACS+ EXEC accounting record for a dial-in user:
Wed Jun 25 03:46:21 1997 172.16.25.15 dpeng tty3 4082329430/4327528 start task_id=2 service=shell
Wed Jun 25 04:08:55 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=2 service=shell elapsed_time=1354
The following example shows the information contained in a RADIUS EXEC accounting record for a Telnet user:
Wed Jun 25 04:48:32 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 26
User-Name = "dpeng"
Caller-ID = "171.68.202.158"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = "00000010"
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:48:46 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 26
User-Name = "dpeng"
Caller-ID = "171.68.202.158"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = "00000010"
Acct-Session-Time = 14
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
The following example shows the information contained in a TACACS+ EXEC accounting record for a Telnet user:
Wed Jun 25 04:06:53 1997 172.16.25.15 dpeng tty26 171.68.202.158 start task_id=41 service=shell
Wed Jun 25 04:07:02 1997 172.16.25.15 dpeng tty26 171.68.202.158 stop task_id=41 service=shell elapsed_time=9
Network accounting provides information for all PPP, SLIP or ARAP sessions, including packet and byte counts.
The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through an EXEC session:
Wed Jun 25 04:44:45 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 5
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "408"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Exec-User
Acct-Session-Id = "0000000D"
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:45:00 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 5
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "408"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed
Acct-Session-Id = "0000000E"
Framed-IP-Address = "10.1.1.2"
Framed-Protocol = PPP
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:47:46 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 5
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "408"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed
Acct-Session-Id = "0000000E"
Framed-IP-Address = "10.1.1.2"
Framed-Protocol = PPP
Acct-Input-Octets = 3075
Acct-Output-Octets = 167
Acct-Input-Packets = 39
Acct-Output-Packets = 9
Acct-Session-Time = 171
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
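The record above leaves the Exec-User session 0000000D without a Stop while the Framed session 0000000E starts and stops. The following Python is an added example, not code from the guide: it parses records in this layout (a timestamp line followed by Attribute = value lines), pairs Start and Stop by Acct-Session-Id, and reports sessions still open. The input is a constructed, trimmed copy of the records shown above.

```python
import re
from datetime import datetime

# Constructed input in the layout of the guide's RADIUS records, trimmed to the attributes used below.
SAMPLE = """\
Wed Jun 25 04:44:45 1997
Acct-Status-Type = Start
Service-Type = Exec-User
Acct-Session-Id = "0000000D"
Wed Jun 25 04:45:00 1997
Acct-Status-Type = Start
Acct-Session-Id = "0000000E"
Wed Jun 25 04:47:46 1997
Acct-Status-Type = Stop
Acct-Session-Id = "0000000E"
Framed-IP-Address = "10.1.1.2"
Acct-Input-Octets = 3075
Acct-Output-Octets = 167
Acct-Session-Time = 171
"""
TS = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}$")   # e.g. Wed Jun 25 04:44:45 1997
ATTR = re.compile(r"^([\w-]+) = (.*)$")                           # Attribute = value

def parse_records(text):
    """Yield one dict per packet; quoted values are unquoted, bare numbers become int."""
    rec = None
    for line in text.splitlines():
        if TS.match(line):                       # a timestamp line opens a new packet
            if rec:
                yield rec
            rec = {"ts": datetime.strptime(line, "%a %b %d %H:%M:%S %Y")}
        elif rec is not None and ATTR.match(line):
            key, val = ATTR.match(line).groups()
            rec[key] = val.strip('"') if val.startswith('"') else int(val) if val.isdigit() else val
    if rec:
        yield rec

def reconcile(text):
    """Pair Start/Stop by Acct-Session-Id; return (closed, still_open) keyed by session id."""
    opened, closed = {}, {}
    for rec in parse_records(text):
        sid, status = rec["Acct-Session-Id"], rec["Acct-Status-Type"]
        if status == "Start":
            opened[sid] = rec
        elif status == "Stop" and sid in opened:   # a Stop with no matching Start is dropped
            start = opened.pop(sid)
            rec["wall_seconds"] = int((rec["ts"] - start["ts"]).total_seconds())
            closed[sid] = rec
    return closed, opened
```

On the guide's own data the wall-clock gap between the Start and Stop packets (166 s) and the NAS-reported Acct-Session-Time (171) differ by a few seconds, so a reconciliation check should allow some slack rather than demand equality.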
The following example shows the information contained in a TACACS+ network accounting record for a PPP user who first started an EXEC session:
Wed Jun 25 04:00:35 1997 172.16.25.15 dpeng tty4 408/4327528 start task_id=28 service=shell
Wed Jun 25 04:00:46 1997 172.16.25.15 dpeng tty4 408/4327528 start task_id=30 addr=10.1.1.1 service=ppp
Wed Jun 25 04:00:49 1997 172.16.25.15 dpeng tty4 408/4327528 update task_id=30 addr=10.1.1.1 service=ppp protocol=ip addr=10.1.1.1
Wed Jun 25 04:01:31 1997 172.16.25.15 dpeng tty4 408/4327528 stop task_id=30 addr=10.1.1.1 service=ppp protocol=ip addr=10.1.1.1 bytes_in=2844 bytes_out=1682 paks_in=36 paks_out=24 elapsed_time=51
Wed Jun 25 04:01:32 1997 172.16.25.15 dpeng tty4 408/4327528 stop task_id=28 service=shell elapsed_time=57
The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through autoselect:
Wed Jun 25 04:30:52 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 3
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "408"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
Service-Type = Framed
Acct-Session-Id = "0000000B"
Framed-Protocol = PPP
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:36:49 1997
NAS-IP-Address = "172.16.25.15"
NAS-Port = 3
User-Name = "dpeng"
Client-Port-DNIS = "4327528"
Caller-ID = "408"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed
Acct-Session-Id = "0000000B"
Framed-Protocol = PPP
Framed-IP-Address = "10.1.1.1"
Acct-Input-Octets = 8630
Acct-Output-Octets = 5722
Acct-Input-Packets = 94
Acct-Output-Packets = 64
Acct-Session-Time = 357
Acct-Delay-Time = 0
User-Id = "dpeng"
NAS-Identifier = "172.16.25.15"
The following example shows the information contained in a TACACS+ network accounting record for a PPP user who comes in through autoselect:
Wed Jun 25 04:02:19 1997 172.16.25.15 dpeng Async5 408/4327528 start task_id=35 service=ppp
Wed Jun 25 04:02:25 1997 172.16.25.15 dpeng Async5 408/4327528 update task_id=35 service=ppp protocol=ip addr=10.1.1.2
Wed Jun 25 04:05:03 1997 172.16.25.15 dpeng Async5 408/4327528 stop task_id=35 service=ppp protocol=ip addr=10.1.1.2 bytes_in=3366 bytes_out=2149 paks_in=42 paks_out=28 elapsed_time=164
System accounting provides information about all system-level events (for example, when the system reboots, or when accounting is turned on or off).
The following is an example of a typical TACACS+ system accounting record indicating that AAA accounting has been turned off:
Wed Jun 25 03:55:32 1997 172.16.25.15 unknown unknown unknown start task_id=25 service=system event=sys_acct reason=reconfigure
The following accounting record is an example of a TACACS+ system accounting record indicating that AAA accounting has been turned on:
Wed Jun 25 03:55:22 1997 172.16.25.15 unknown unknown unknown stop task_id=23 service=system event=sys_acct reason=reconfigure
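All the TACACS+ records in this section share one layout: timestamp, NAS address, user, port, caller-ID/DNIS, a start, stop or update flag, then attribute=value pairs. The following Python is an added example, not code from the guide: it parses that layout, pairs start and stop records by task_id to find sessions that never closed, and lists command-accounting records at privilege level 15. The input lines are constructed from the records shown above.

```python
import re
from datetime import datetime
# Constructed lines in the layout of the guide's TACACS+ records:
# timestamp, NAS, user, port, caller-ID/DNIS, start|stop|update flag, then attribute=value pairs.
SAMPLE = """\
Wed Jun 25 03:46:21 1997 172.16.25.15 dpeng tty3 4082329430/4327528 start task_id=2 service=shell
Wed Jun 25 03:46:47 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=3 service=shell priv-lvl=1 cmd=show version
Wed Jun 25 03:47:17 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=6 service=shell priv-lvl=15 cmd=configure terminal
Wed Jun 25 03:48:46 1997 172.16.25.15 dpeng tty3 4082329430/4327528 start task_id=12 service=connection protocol=rlogin addr=171.68.202.158 cmd=rlogin dpeng-sun /user dpeng
Wed Jun 25 03:51:37 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=12 service=connection protocol=rlogin addr=171.68.202.158 cmd=rlogin dpeng-sun /user dpeng bytes_in=659926 bytes_out=138 paks_in=2378 paks_out=1251 elapsed_time=171
Wed Jun 25 04:08:55 1997 172.16.25.15 dpeng tty3 4082329430/4327528 stop task_id=2 service=shell elapsed_time=1354
"""
HEADER = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<nas>\S+) (?P<user>\S+) "
                    r"(?P<port>\S+) (?P<caller>\S+) (?P<flag>start|stop|update) ?(?P<rest>.*)$")

def parse_record(line):
    """Split one record into header fields plus an AV-pair dict; a token without '='
    continues the previous value, so cmd=show version is reassembled as one value."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a TACACS+ accounting record: %r" % line)
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    av, key = {}, None
    for tok in rec.pop("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            av[key] = val
        elif key is not None:
            av[key] += " " + tok
    rec["av"] = av
    return rec

def pair_sessions(lines):
    """Match start/stop by task_id; return (closed, still_open) keyed by task_id."""
    opened, closed = {}, {}
    for rec in (parse_record(ln) for ln in lines if ln.strip()):
        tid = rec["av"]["task_id"]
        if rec["flag"] == "start":
            opened[tid] = rec
        elif rec["flag"] == "stop" and tid in opened:   # stop-only command records are skipped
            start = opened.pop(tid)
            closed[tid] = (start, rec, int((rec["ts"] - start["ts"]).total_seconds()))
    return closed, opened

def privileged_commands(lines, min_level=15):
    """(user, command) from command-accounting records at or above min_level."""
    return [(r["user"], r["av"]["cmd"]) for r in (parse_record(ln) for ln in lines if ln.strip())
            if int(r["av"].get("priv-lvl", -1)) >= min_level]
```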
Additional tasks for measuring system resources are covered in other chapters in the Cisco IOS software configuration guides. For example, IP accounting tasks are described in the "Configuring IP Services" chapter in the Network Protocols Configuration Guide, Part 1.
This chapter describes the following tasks:
Before configuring AAA accounting, you must first:
The aaa accounting command allows you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Enable accounting. | aaa accounting {system \| network \| connection \| exec \| command level} {start-stop \| wait-start \| stop-only} {tacacs+ \| radius} |
For minimal accounting, use the stop-only keyword, which instructs the specified authentication system (RADIUS or TACACS+) to send a stop record accounting notice at the end of the requested user process. For more accounting information, use the start-stop keyword to send a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. You can further control access and accounting by using the wait-start keyword, which ensures that the RADIUS or TACACS+ security server receives the start notice before granting the user's process request.
When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. To prevent accounting records from being generated for users who do not have usernames associated with them, perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Prevent accounting records from being generated for users whose username string is NULL. | aaa accounting suppress null-username |
The network access server monitors the accounting functions defined in either TACACS+ attribute/value (AV) pairs or RADIUS attributes, depending on which security method you have implemented. For a list of supported RADIUS accounting attributes, refer to the "Radius Attributes" chapter in the Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the "TACACS+ AV Pairs" chapter in the Security Configuration Guide.
No specific show command exists for either RADIUS or TACACS+. To obtain accounting records displaying information about users currently logged in, perform the following task in EXEC mode:
| Task | Command |
|---|---|
| Step through all active sessions to print all the accounting records for the actively accounted functions. | show accounting |
In the following sample configuration, RADIUS-style accounting is used to track all EXEC, network, and system activity:
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
The show accounting command yields the following output for the above configuration:
Active Accounted actions on tty0, User billw Priv 1
Task ID 2, EXEC Accounting record, 00:02:13 Elapsed
task_id=2 service=shell
Task ID 3, Connection Accounting record, 00:02:07 Elapsed
task_id=3 service=connection protocol=telnet address=172.21.14.90 cmd=synth
Active Accounted actions on tty1, User rubble Priv 1
Task ID 5, Network Accounting record, 00:00:52 Elapsed
task_id=5 service=ppp protocol=ip address=10.0.0.98
Active Accounted actions on tty10, User bill Priv 1
Task ID 4, EXEC Accounting record, 00:00:53 Elapsed
task_id=4 service=shell