This chapter describes the commands used to manage accounting on the network. Accounting management allows you to track individual and group usage of network resources. The AAA accounting feature enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the TACACS+ or RADIUS security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, and/or auditing.
For information on how to configure accounting using AAA, refer to the "Configuring Accounting" chapter in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "Accounting Configuration Examples" section located at the end of the "Configuring Accounting" chapter in the Cisco IOS Security Configuration Guide.
Refer also to the IP accounting feature in the "Configuring IP Services" chapter of the Cisco IOS IP and IP Routing Configuration Guide.
Syntax Description
| Keyword or argument | Description |
|---|---|
| system | Performs accounting for all system-level events not associated with users, such as reloads. |
| network | Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA. |
| exec | Runs accounting for EXEC session (user shells). This keyword might return user profile information such as autocommand information. |
| connection | Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin. |
| commands | Runs accounting for all commands at the specified privilege level. |
| level | Specific command level to track for accounting. Valid entries are 0 through 15. |
| default | Uses the listed accounting methods that follow this argument as the default list of methods for accounting services. |
| list-name | Character string used to name the list of accounting methods. |
| start-stop | Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server. |
| stop-only | Sends a stop accounting notice at the end of the requested user process. |
| none | Disables accounting services on this line or interface. |
| method1 [method2...] | At least one of the keywords described in Table 11. |
Defaults
AAA accounting is disabled. If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 10.3 | This command was introduced. |
| 12.0(5)T | Group server support was added for this command. |
Usage Guidelines
Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis.
Note: In Table 11, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Method keywords are described in Table 11.
| Keyword | Description |
|---|---|
| group radius | Uses the list of all RADIUS servers for authentication. |
| group tacacs+ | Uses the list of all TACACS+ servers for authentication. |
| group group-name | Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command. |
Cisco IOS software supports the following two methods for accounting:
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method identifies the method(s) tried in the given sequence.
Named accounting method lists are specific to the indicated type of accounting. To create a method list to provide accounting information for ARA (network) sessions, use the arap keyword. To create a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times, use the exec keyword. To create a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword. To create a method list to provide accounting information about all outbound connections made from the network access server, use the connection keyword.
Note: System accounting does not use named accounting lists; you can only define the default list for system accounting.
For minimal accounting, include the stop-only keyword to send a stop record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. Accounting is only stored on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
When aaa accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the "RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix in the Cisco IOS Security Configuration Guide.
Note: This command cannot be used with TACACS or extended TACACS.
Examples
The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction:
aaa accounting commands 15 default stop-only group tacacs+
Related Commands
| Command | Description |
|---|---|
| aaa authentication ppp | Specifies one or more AAA authentication methods for use on serial interfaces running PPP. |
| aaa authorization | Sets parameters that restrict network access to a user. |
| aaa new-model | Enables the AAA access control model. |
To define the accounting method list H.323 with RADIUS as a method with either stop-only or start-stop accounting options, use the aaa accounting connection h323 command in global configuration mode. Use the no form of this command to disable the use of this accounting method list.
aaa accounting connection h323 {stop-only | start-stop} radius
Syntax Description
| Keyword or argument | Description |
|---|---|
| stop-only | Sends a stop accounting notice at the end of the requested user process. |
| start-stop | Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server. |
| radius | Use only the RADIUS security protocol with this command. |
Defaults
No accounting method list.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.3(6)NA2 | This command was introduced. |
Usage Guidelines
This command creates a method list called h323 and is applied by default to all voice interfaces if the gw-accounting h323 command is also activated.
Examples
The following example enables AAA services and gateway accounting services, and defines a connection accounting method list (h323). The h323 accounting method list specifies that RADIUS is the security protocol that will provide the accounting services, and that the RADIUS service will track start-stop records.
aaa new-model
gw-accounting h323
aaa accounting connection h323 start-stop radius
To specify that NETWORK records be generated, or nested, within EXEC start and stop records for PPP users who start EXEC terminal sessions, use the aaa accounting nested command in global configuration mode. Use the no form of this command to allow sending records for users with a NULL username.
aaa accounting nested
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.0(5)T | This command was introduced. |
Usage Guidelines
Use this command when you want to specify that NETWORK records be nested within EXEC start and stop records, such as for PPP users who start EXEC terminal sessions. In some cases, such as billing customers for specific services, it can be desirable to keep NETWORK start and stop records together, essentially "nesting" them within the framework of the EXEC start and stop messages. For example, a user dialing in using PPP can create the following records: EXEC-start, NETWORK-start, EXEC-stop, NETWORK-stop. By nesting the accounting records, NETWORK-stop records follow NETWORK-start messages: EXEC-start, NETWORK-start, NETWORK-stop, EXEC-stop.
Examples
The following example enables nesting of NETWORK accounting records for user sessions:
aaa accounting nested
To generate accounting stop records for users who fail to authenticate at login or during session negotiation, use the aaa accounting send stop-record authentication failure command in global configuration mode. Use the no form of this command to stop generating records for users who fail to authenticate at login or during session negotiation.
aaa accounting send stop-record authentication failure
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.0(5)T | This command was introduced. |
Usage Guidelines
Use this command to generate accounting stop records for users who fail to authenticate at login or during session negotiation. When aaa accounting is activated, the Cisco IOS software by default does not generate accounting records for system users who fail login authentication, or who succeed in login authentication but fail PPP negotiation for some reason.
Examples
The following example generates stop records for users who fail to authenticate at login or during session negotiation:
aaa accounting send stop-record authentication failure
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.2 | This command was introduced. |
Usage Guidelines
When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. This command prevents accounting records from being generated for those users who do not have usernames associated with them.
Examples
The following example suppresses accounting records for users who do not have usernames associated with them:
aaa accounting suppress null-username
Related Commands
| Command | Description |
|---|---|
| | Enables AAA accounting of requested services for billing or security purposes. |
Syntax Description
| Keyword or argument | Description |
|---|---|
| newinfo | Causes an interim accounting record to be sent to the accounting server whenever there is new accounting information to report relating to the user in question. |
| periodic | Causes an interim accounting record to be sent to the accounting server periodically, as defined by the argument number. |
| number | Integer specifying number of minutes. |
Defaults
Disabled
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.3 | This command was introduced. |
Usage Guidelines
When aaa accounting update is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the keyword newinfo is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IPCP completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.
When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent.
When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to report, and accounting records are sent to the accounting server periodically as defined by the argument number. For example, if you configure aaa accounting update newinfo periodic number, all users currently logged in will continue to generate periodic interim accounting records while new users will generate accounting records based on the newinfo algorithm.
Caution: Using the aaa accounting update periodic command can cause heavy congestion when many users are logged in to the network.
Examples
The following example sends PPP accounting records to a remote RADIUS server. When IPCP completes negotiation, this command sends an interim accounting record to the RADIUS server that includes the negotiated IP address for this user; it also sends periodic interim accounting records to the RADIUS server at 30 minute intervals.
aaa accounting network default start-stop group radius
aaa accounting update newinfo periodic 30
Related Commands
| Command | Description |
|---|---|
| | Enables AAA accounting of requested services for billing or security purposes. |
To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (this server group will be used for AAA accounting), use the aaa dnis map accounting network group command in global configuration mode. To remove DNIS mapping from the named server group, use the no form of this command.
aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name
Syntax Description
| Keyword or argument | Description |
|---|---|
| dnis-number | Number of the DNIS. |
| none | (Optional) Indicates that the defined security server group will not send accounting notices. |
| start-stop | (Optional) Indicates that the defined security server group will send a start-accounting notice at the beginning of a process and a stop-accounting notice at the end of a process. The start-accounting record is sent in the background. (The requested user process begins regardless of whether the start accounting notice was received by the accounting server.) |
| stop-only | (Optional) Indicates that the defined security server group will send a stop-accounting notice at the end of the requested user process. |
| server-group-name | Character string used to name a group of security servers associated in a server group. |
Defaults
Disabled
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.0(7)T | This command was introduced. |
Usage Guidelines
This command lets you assign a DNIS number to a particular AAA server group, so that the server group can process accounting requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.
Examples
The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for accounting requests for users dialing in with DNIS 7777.
aaa new-model
radius-server host 172.30.0.0 acct-port 1646 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 accounting network group group1
Related Commands
| Command | Description |
|---|---|
| aaa dnis map authentication ppp group | Maps a DNIS number to a particular authentication server group. |
| aaa dnis map enable | Enables AAA server selection based on DNIS. |
| aaa group server | Groups different server hosts into distinct lists and distinct methods. |
| aaa new-model | Enables the AAA access control model. |
| radius-server host | Specifies a RADIUS server host. |
Syntax Description
| Keyword or argument | Description |
|---|---|
| arap | Enables accounting on line(s) configured for AppleTalk Remote Access (ARA) protocol. |
| commands | Enables accounting on the selected line(s) for all commands at the specified privilege level. |
| level | Specifies the command level to track for accounting. Valid entries are 0 through 15. |
| connection | Enables both CHAP and PAP, and performs PAP authentication before CHAP. |
| exec | Enables accounting for all system-level events not associated with users, such as reloads on the selected line(s). |
| default | (Optional) The name of the default method list, created with the aaa accounting command. |
| list-name | (Optional) Specifies the name of a list of accounting methods to use. If no list name is specified, the system uses the default. The list is created with the aaa accounting command. |
Defaults
Accounting is disabled.
Command Modes
Line configuration
Command History
| Release | Modification |
|---|---|
| 11.3 T | This command was introduced. |
Usage Guidelines
After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.
Examples
The following example enables command accounting services (for level 15) using the accounting method list named charlie on line 10:
line 10
 accounting commands 15 charlie
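The resolution rule described above (a named list applied to a line overrides the default list, and with no default list no accounting takes place) can be checked against a saved configuration. The following Python is an added example, not Cisco code; the sample configuration, the list name ops and the function names are constructed for illustration, and only the line-mode accounting command is handled.

```python
import re

# Global form documented on this page:
#   aaa accounting {system|network|exec|connection|commands level}
#       {default|list-name} {start-stop|stop-only|none} [method1 [method2...]]
AAA_RE = re.compile(
    r"^aaa accounting (system|network|exec|connection|commands \d+) "
    r"(\S+) (start-stop|stop-only|none)\b\s*(.*)$")
# Line-mode form: accounting {arap|commands level|connection|exec} [default|list-name]
LINE_ACCT_RE = re.compile(r"^accounting (arap|exec|connection|commands \d+)(?: (\S+))?$")
LINE_RE = re.compile(r"^line (?:([a-z]+) )?(\d+)(?: (\d+))?$")

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 charlie start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting update newinfo
line con 0
line 10
 accounting commands 15 charlie
line vty 0 1
 accounting commands 15 ops
"""


def parse_config(text):
    """Return (method_lists, line_bindings) parsed from configuration text."""
    lists = {}     # (accounting type, list name) -> (record mode, [methods])
    bindings = {}  # line name -> {accounting type: list name applied there}
    current = []   # lines covered by the 'line' block being read
    for raw in text.splitlines():
        cmd = raw.strip()
        if not raw.startswith(" "):      # unindented: back at global level
            current = []
        if (m := AAA_RE.match(cmd)):
            lists[(m.group(1), m.group(2))] = (m.group(3), m.group(4).split())
        elif (m := LINE_RE.match(cmd)):
            kind = m.group(1) + " " if m.group(1) else ""
            first, last = int(m.group(2)), int(m.group(3) or m.group(2))
            current = [f"line {kind}{n}" for n in range(first, last + 1)]
            for name in current:
                bindings.setdefault(name, {})
        elif (m := LINE_ACCT_RE.match(cmd)):
            for name in current:
                bindings[name][m.group(1)] = m.group(2) or "default"
    return lists, bindings


def effective_accounting(text, acct_type):
    """Map each line to (list name, outcome) for one accounting type.

    Rule from this page: a named list applied to a line overrides the default
    list; if no default list is defined, no accounting takes place.
    """
    lists, bindings = parse_config(text)
    result = {}
    for line, bound in bindings.items():
        name = bound.get(acct_type, "default")
        entry = lists.get((acct_type, name))
        if entry is None and name == "default":
            outcome = "no accounting (no default list)"
        elif entry is None:
            outcome = "finding: list applied but never defined"
        elif entry[0] == "none":
            outcome = "no accounting (none)"
        else:
            outcome = f"{entry[0]} via {' '.join(entry[1])}"
        result[line] = (name, outcome)
    return result


if __name__ == "__main__":
    for acct_type in ("commands 15", "exec", "connection"):
        for line, (name, outcome) in effective_accounting(SAMPLE_CONFIG, acct_type).items():
            print(f"{acct_type:12} {line:11} {name:8} {outcome}")
```

Lines reported with "no accounting" or a "finding" outcome are the ones whose privileged commands or sessions would leave no record on the security server.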
Related Commands
| Command | Description |
|---|---|
| | Enables AAA accounting of requested services for billing or security purposes. |
To enable the accounting on the gatekeeper, use the accounting command in gatekeeper configuration mode. To disable accounting, use the no form of this command.
accounting
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Gatekeeper configuration
Command History
| Release | Modification |
|---|---|
| 11.3(2)NA | This command was introduced. |
| 12.0(3)T | This command was introduced. |
Usage Guidelines
Specify a RADIUS server before using the accounting command.
Examples
The following example enables the gateway to report user activity to the RADIUS server in the form of connection accounting records:
aaa accounting connection start-stop group radius
gatekeeper
 accounting
Related Commands
| Command | Description |
|---|---|
| aaa new-model | Enables the AAA access control model. |
| radius-server host | Specifies a RADIUS server host. |
| radius-server key | Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. |
Syntax Description
| Keyword or argument | Description |
|---|---|
| default | (Optional) The name of the method list is created with the aaa accounting command. |
| list-name | (Optional) Specifies the name of a list of accounting methods to use. If no list name is specified, the system uses the default. The list is created with the aaa accounting command. |
Defaults
Accounting is disabled.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 11.3 T | This command was introduced. |
Usage Guidelines
After you enable the aaa accounting command and define a named accounting method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for accounting services to take place. Use the ppp accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.
Examples
The following example enables accounting on asynchronous interface 4 and uses the accounting method list named charlie:
interface async 4
 encapsulation ppp
 ppp accounting charlie
Related Commands
| Command | Description |
|---|---|
| | Enables AAA accounting of requested services for billing or security purposes. |
To step through all active sessions and to print all the accounting records for actively accounted functions, use the show accounting command in EXEC mode. Use the no form of this command to disable viewing and printing accounting records.
show accounting {system | network | exec | command level} {start-stop | stop-only} group tacacs+
Syntax Description
| Keyword or argument | Description |
|---|---|
| system | Displays accounting for all system-level events not associated with users, such as reloads. |
| network | Displays accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA. |
| exec | Displays accounting for EXEC session (user shells). This keyword might return user profile information such as autocommand information. |
| command | Displays accounting for all commands at the specified privilege level. |
| level | Specifies the command level to display. Valid entries are 0 through 15. |
| start-stop | Displays a start record accounting notice at the beginning of a process and a stop record at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting record was received by the accounting server. |
| stop-only | Displays a stop record accounting notice at the end of the requested user process. |
| group tacacs+ | Displays the TACACS-style accounting. |
Command Modes
EXEC
Command History
| Release | Modification |
|---|---|
| 11.1 | This command was introduced. |
Usage Guidelines
The show accounting command allows you to display the active accountable events on the network. It provides system administrators with a quick look at what is going on, and it also can help collect information in the event of a data loss on the accounting server.
The show accounting command displays additional data on the internal state of AAA if debug aaa accounting is activated.
Examples
The following is sample output from the show accounting command, showing accounting records for an EXEC login and an outgoing Telnet session:
router# show accounting
Active Accounted actions on tty0, User (not logged in) Priv 1
Task ID 1, EXEC Accounting record, 00:22:14 Elapsed
task_id=1 service=shell
Task ID 10, Connection Accounting record, 00:00:03 Elapsed
task_id=10 service=connection protocol=telnet addr=172.16.57.11 cmd=connect tom-ss20
Active Accounted actions on tty66, User tom Priv 1
Task ID 9, EXEC Accounting record, 00:02:14 Elapsed
task_id=9 service=shell
The following is sample output from the show accounting command, showing accounting records for a network connection:
router# show accounting
Active Accounted actions on tty33, User tom Priv 1
Task ID 13, Network Accounting record, 00:00:10 Elapsed
task_id=13 service=ppp protocol=ip addr=10.0.0.1
The following is sample output from the show accounting command, showing accounting records for a PPP session started from an EXEC prompt:
router# show accounting
Active Accounted actions on tty0, User (not logged in) Priv 1
Task ID 1, EXEC Accounting record, 00:35:16 Elapsed
task_id=1 service=shell
Active Accounted actions on tty33, User ellie Priv 1
Task ID 16, EXEC Accounting record, 00:00:17 Elapsed
task_id=16 service=shell
Active Accounted actions on Interface Async33, User tom Priv 1
Task ID 17, Network Accounting record, 00:00:13 Elapsed
task_id=17 service=ppp protocol=ip addr=10.0.0.1
Table 12 describes the fields contained in this example.
| Field | Description |
|---|---|
| Active Accounted actions on | Terminal line or interface name with which the user logged in. |
| User | ID of the user. |
| Priv | Privilege level of the user. |
| Task ID | Unique identifier for each accounting session. |
| Accounting Record | Type of accounting session. |
| Elapsed | Length of time (hh:mm:ss) for this session type. |
| attribute=value | AV pairs associated with this accounting session. |
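For audit or incident review, the show accounting output can be turned into structured records keyed by the fields of Table 12. The following Python parser is an added example, not part of the Cisco documentation; it reuses the first sample output above, and its function names, including the activity_without_user helper, are assumptions of this example.

```python
import re

HEADER_RE = re.compile(r"^Active Accounted actions on (.+?), User (.+) Priv (\d+)$")
TASK_RE = re.compile(
    r"^Task ID (\d+), (\w+) Accounting record, (\d+):(\d\d):(\d\d) Elapsed$")

# Sample output copied from the first example on this page.
SAMPLE_OUTPUT = """\
router# show accounting
Active Accounted actions on tty0, User (not logged in) Priv 1
Task ID 1, EXEC Accounting record, 00:22:14 Elapsed
task_id=1 service=shell
Task ID 10, Connection Accounting record, 00:00:03 Elapsed
task_id=10 service=connection protocol=telnet addr=172.16.57.11 cmd=connect tom-ss20
Active Accounted actions on tty66, User tom Priv 1
Task ID 9, EXEC Accounting record, 00:02:14 Elapsed
task_id=9 service=shell
"""


def parse_av_pairs(text):
    """Parse 'k=v k=v' text; a token without '=' continues the previous
    value, which keeps 'cmd=connect tom-ss20' in one piece."""
    pairs, key = {}, None
    for token in text.split():
        if "=" in token:
            key, value = token.split("=", 1)
            pairs[key] = value
        elif key is not None:
            pairs[key] += " " + token
    return pairs


def parse_show_accounting(output):
    """Return one dict per accounting record, using the fields of Table 12."""
    records, session, current = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            user = None if m.group(2) == "(not logged in)" else m.group(2)
            session = {"line": m.group(1), "user": user, "priv": int(m.group(3))}
            current = None
        elif (m := TASK_RE.match(line)) and session is not None:
            h, mnt, s = (int(x) for x in m.group(3, 4, 5))
            current = dict(session, task_id=int(m.group(1)), type=m.group(2),
                           elapsed_s=h * 3600 + mnt * 60 + s, av={})
            records.append(current)
        elif current is not None and "=" in line:
            current["av"].update(parse_av_pairs(line))
    return records


def activity_without_user(records):
    """Non-EXEC records on a line where no user is logged in, for review."""
    return [r for r in records if r["user"] is None and r["type"] != "EXEC"]


if __name__ == "__main__":
    for rec in parse_show_accounting(SAMPLE_OUTPUT):
        print(rec)
```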
Related Commands
| Command | Description |
|---|---|
| | Enables AAA accounting of requested services for billing or security purposes. |
| show line | Displays the parameters of a terminal line. |
| show users | Displays information about the active lines on the router. |
Posted: Tue Apr 4 17:28:08 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.