This feature module describes the AAA Broadcast Accounting feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so on.
With the introduction of this feature, accounting records can be broadcast to several server groups at once. A server group can be either RADIUS or TACACS+, and each group defines its own backup servers for fail over independently of the other groups. (Fail over can occur when more than one server is defined within a server group: the record is sent to the first server in the group; if that server is unavailable, it is sent to the next server in the group, and so on until one server accepts the record or the group's list of servers is exhausted.)
Thus, service providers and their end customers can use different protocols (RADIUS or TACACS+) for the accounting server. Service providers and their end customers can also specify their backup servers independently. As for voice applications, redundant accounting information can be managed independently through a separate group with its own fail-over sequence.
Before the introduction of the AAA Broadcast Accounting feature, Cisco IOS AAA could send accounting information to only one server at a time. This feature allows accounting information to be sent to one or more AAA servers at the same time. Service providers are thus able to simultaneously send accounting information to their own private AAA servers and to the AAA servers of their end customers. This feature also provides redundant billing information for voice applications.
Accounting information can be sent simultaneously to a maximum of four AAA servers.
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
The aaa new-model command must be enabled before this feature can be configured.
The following sections describe the configuration tasks for the AAA Broadcast Accounting feature.
To configure AAA broadcast accounting, use the aaa accounting command in global configuration mode. This command has been modified to allow the broadcast keyword.
| Command | Purpose |
|---|---|
| Router(config)# aaa accounting {system \| network \| exec \| connection \| commands level} {default \| list-name} {start-stop \| stop-only \| none} [broadcast] method1 [method2...] | Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group. |
To configure AAA broadcast accounting per Dialed Number Identification Service (DNIS), use the aaa dnis map accounting network command in global configuration mode. This command has been modified to allow the broadcast keyword and multiple server groups.
| Command | Purpose |
|---|---|
| Router(config)# aaa dnis map dnis-number accounting network [start-stop \| stop-only \| none] [broadcast] method1 [method2...] | Allows per-DNIS accounting configuration. This command has precedence over the global aaa accounting command. Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group. |
To show the AAA server groups configured to provide accounting services, use the debug aaa accounting command. The information displayed by the debug aaa accounting command is independent of the accounting protocol used to transfer the accounting information to a server. To get more detailed information about protocol-level issues, use the debug tacacs and debug radius protocol specific commands.
You can also use the show accounting command to step through all active sessions and to print all the accounting records for actively accounted functions. The show accounting command allows you to display the active "accountable events" on the system. It provides system administrators with a quick look at what is going on, and it may also be useful for collecting information in the event of data loss on the accounting server. If the debug aaa accounting command is also turned on, the show accounting command displays additional data on the internal state of the AAA security system.
This section provides configuration examples for the global and the per-DNIS forms of broadcast accounting.
The following example shows turning on broadcast accounting using the global aaa accounting command:
```
aaa group server radius isp
 server 1.0.0.1
 server 1.0.0.2
aaa group server tacacs+ isp_customer
 server 3.0.0.1
aaa accounting network default start-stop broadcast group isp group isp_customer
radius-server host 1.0.0.1
radius-server host 1.0.0.2
radius-server key key1
tacacs-server host 3.0.0.1 key key2
```
The broadcast keyword causes start and stop accounting records for network connections to be sent simultaneously to server 1.0.0.1 in the group isp and to server 3.0.0.1 in the group isp_customer. If server 1.0.0.1 is unavailable, fail over to server 1.0.0.2 occurs. If server 3.0.0.1 is unavailable, no fail over occurs because backup servers are not configured for the group isp_customer.
The following example shows turning on per DNIS broadcast accounting using the global aaa dnis map accounting network command:
```
aaa group server radius isp
 server 1.0.0.1
 server 1.0.0.2
aaa group server tacacs+ isp_customer
 server 3.0.0.1
aaa dnis map enable
aaa dnis map 7777 accounting network start-stop broadcast group isp group isp_customer
radius-server host 1.0.0.1
radius-server host 1.0.0.2
radius-server key key_1
tacacs-server host 3.0.0.1 key key_2
```
The broadcast keyword causes start and stop accounting records for network connection calls having DNIS number 7777 to be sent simultaneously to server 1.0.0.1 in the group isp and to server 3.0.0.1 in the group isp_customer. If server 1.0.0.1 is unavailable, fail over to server 1.0.0.2 occurs. If server 3.0.0.1 is unavailable, no fail over occurs because backup servers are not configured for the group isp_customer.
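The delivery rule behind both examples above (one copy of each record per group, fail over only within a group, no fail over for a group that has no backup) as an added Python model. This is not Cisco code and not part of the original feature module; the group names and addresses are taken from the examples, the outage sets are constructed, and the four-group limit is an assumption that reads the "maximum of four AAA servers" statement as four groups in one broadcast method list.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumption: "at most four AAA servers at the same time" means at most four
# groups in one broadcast method list, since one server per group is hit.
MAX_BROADCAST_GROUPS = 4


@dataclass
class ServerGroup:
    name: str
    protocol: str          # "radius" or "tacacs+"
    servers: List[str]     # configured order: first is primary, rest are backups


def deliver_with_failover(group: ServerGroup,
                          reachable: Callable[[str], bool]) -> Optional[str]:
    """Walk the group's servers in order; return the first one that accepts the record.

    Returns None when the list is exhausted. That is the isp_customer case in
    the page's examples: a single server and no backup means no fail over.
    """
    for server in group.servers:
        if reachable(server):
            return server
    return None


def broadcast_accounting(groups: List[ServerGroup],
                         reachable: Callable[[str], bool]) -> Dict[str, Optional[str]]:
    """Send one accounting record to every group in the method list at the same time.

    Fail over is decided inside each group independently, so an outage in one
    group never changes where another group's copy of the record goes.
    """
    if not 1 <= len(groups) <= MAX_BROADCAST_GROUPS:
        raise ValueError(f"broadcast method list needs 1..{MAX_BROADCAST_GROUPS} groups")
    if len({g.name for g in groups}) != len(groups):
        raise ValueError("a group may appear only once in a method list")
    return {g.name: deliver_with_failover(g, reachable) for g in groups}


# The two groups from the page's configuration examples.
ISP = ServerGroup("isp", "radius", ["1.0.0.1", "1.0.0.2"])
ISP_CUSTOMER = ServerGroup("isp_customer", "tacacs+", ["3.0.0.1"])


def scenario(down: set) -> Dict[str, Optional[str]]:
    """Deliver one record while the servers in `down` are unreachable (constructed outage)."""
    return broadcast_accounting([ISP, ISP_CUSTOMER], lambda server: server not in down)


if __name__ == "__main__":
    for outage in (set(), {"1.0.0.1"}, {"3.0.0.1"}, {"1.0.0.1", "1.0.0.2"}):
        print(sorted(outage) or "no outage", "->", scenario(outage))
```

A `None` in the result is the operationally interesting case: the session still proceeds (start records are sent in the background), so a group with a single server silently loses billing data during an outage. Give every group a backup if its records matter.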
This section documents modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
Syntax Description
| Keyword or Argument | Description |
|---|---|
| system | Performs accounting for all system-level events not associated with users, such as reloads. |
| network | Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA. |
| exec | Runs accounting for EXEC sessions (user shells). This keyword might return user profile information such as autocommand information. |
| connection | Provides information about all outbound connections made from the network access server, such as Telnet, LAT, TN3270, PAD, and rlogin. |
| commands | Runs accounting for all commands at the specified privilege level. |
| level | Specific command level to track for accounting. Valid entries are 0 through 15. |
| default | Uses the listed accounting methods that follow this argument as the default list of methods for accounting services. |
| list-name | Character string used to name the list of accounting methods. |
| start-stop | Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server. |
| stop-only | Sends a stop accounting notice at the end of the requested user process. |
| none | Disables accounting services on this line or interface. |
| broadcast | (Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group. |
| method1 [method2...] | At least one of the keywords described in Table 1. |
Defaults
AAA accounting is disabled. If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 10.3 | This command was introduced. |
| 12.0(5)T | Group server support was added. |
| 12.1(1)T | The optional broadcast keyword was added. |
Usage Guidelines
Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis.
Table 1 contains descriptions of accounting method keywords.
| Keyword | Description |
|---|---|
| group radius | Uses the list of all RADIUS servers for accounting. |
| group tacacs+ | Uses the list of all TACACS+ servers for accounting. |
| group group-name | Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the aaa group server radius or aaa group server tacacs+ command. |
In Table 1, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Cisco IOS software supports two methods of accounting, RADIUS and TACACS+; in both cases the network access server reports user activity to the security server in the form of accounting records.
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the method or methods tried in the given sequence.
Named accounting method lists are specific to the indicated type of accounting. To create a method list to provide accounting information for network sessions (SLIP, PPP, and ARA), use the network keyword. To create a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times, use the exec keyword. To create a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword. To create a method list to provide accounting information about all outbound connections made from the network access server, use the connection keyword.
Note: System accounting does not use named accounting lists; you can only define the default list for system accounting.
For minimal accounting, include the stop-only keyword to send a stop record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the appendix "TACACS+ Attribute-Value Pairs" in the Cisco IOS Security Configuration Guide.
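What a start or stop accounting record looks like on the wire in the RADIUS case, and what the shared secret in radius-server key actually protects, as an added Python example that builds and verifies RFC 2866 Accounting-Request packets. This is not Cisco code and is not from this feature module; the username, session ID, session time and the secret "key1" are constructed sample values (the secret only echoes the page's configuration example), and only the handful of attributes shown are encoded.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# RFC 2866 packet codes and the attribute types used in this example
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_SESSION_TIME = 46
ACCT_START, ACCT_STOP = 1, 2


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(identifier: int, secret: bytes, status: int,
                             username: str, session_id: str,
                             session_time: Optional[int] = None) -> bytes:
    """Build an Accounting-Request the way a NAS does.

    The Request Authenticator is MD5(Code | ID | Length | 16 zero octets |
    Attributes | Secret), so a server holding the same secret can detect a
    forged or altered record. It is integrity only: the record is not encrypted.
    """
    attrs = _avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
    attrs += _avp(ATTR_USER_NAME, username.encode())
    attrs += _avp(ATTR_ACCT_SESSION_ID, session_id.encode())
    if status == ACCT_STOP and session_time is not None:
        attrs += _avp(ATTR_ACCT_SESSION_TIME, struct.pack("!I", session_time))
    length = 20 + len(attrs)                       # 4-byte header + 16-byte authenticator
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the Request Authenticator with our copy of the secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    header, received_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received_auth, expected)


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV list after the 20-byte header, rejecting malformed lengths."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Accounting-Response with no attributes; its authenticator chains to the request's."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    authenticator = hashlib.md5(header + request[4:20] + secret).digest()
    return header + authenticator


def demo() -> dict:
    """Constructed Start and Stop records for one session; not captured traffic."""
    secret = b"key1"
    start = build_accounting_request(7, secret, ACCT_START, "alice", "00000042")
    stop = build_accounting_request(8, secret, ACCT_STOP, "alice", "00000042", session_time=125)
    tampered = bytearray(stop)
    tampered[-1] ^= 0x01                           # flip one bit of Acct-Session-Time
    return {
        "start_ok": verify_accounting_request(start, secret),
        "stop_ok": verify_accounting_request(stop, secret),
        "wrong_secret": verify_accounting_request(stop, b"key2"),
        "tampered": verify_accounting_request(bytes(tampered), secret),
        "stop_seconds": struct.unpack("!I", parse_attributes(stop)[ATTR_ACCT_SESSION_TIME])[0],
    }


if __name__ == "__main__":
    print(demo())
```

The two failing cases in `demo` are the ones that matter operationally: a server with the wrong key (the page's examples use different keys per server) rejects every record, and a record modified in transit fails the authenticator check even though nothing in it is encrypted.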
Note: This command cannot be used with TACACS or extended TACACS.
Examples
The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.
```
aaa accounting commands 15 default stop-only group tacacs+
```
Related Commands
| Command | Description |
|---|---|
| aaa authentication ppp | Specifies one or more AAA authentication methods for use on serial interfaces running PPP. |
| aaa authorization | Sets parameters that restrict network access to a user. |
| aaa new-model | Enables the AAA access control model. |
To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (the server group that will be used for AAA accounting), use the aaa dnis map accounting network command in global configuration mode. To remove DNIS mapping from the named server group, use the no form of this command.
aaa dnis map dnis-number accounting network [start-stop | stop-only | none] [broadcast] method1 [method2...]
Syntax Description
| Keyword or Argument | Description |
|---|---|
| dnis-number | Number of the DNIS. |
| start-stop | (Optional) Indicates that the defined security server group will send a start-accounting notice at the beginning of a process and a stop-accounting notice at the end of a process. The start-accounting record is sent in the background. (The requested user process begins regardless of whether the start accounting notice was received by the accounting server.) |
| stop-only | (Optional) Indicates that the defined security server group will send a stop-accounting notice at the end of the requested user process. |
| none | (Optional) Indicates that the defined security server group will not send accounting notices. |
| broadcast | (Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group. |
| method1 [method2...] | At least one of the keywords described in Table 2. |
Defaults
This command is disabled by default.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.0(7)T | This command was introduced. |
| 12.1(1)T | The optional broadcast keyword was added, as well as the ability to specify multiple server groups. To accommodate multiple server groups, the name of the command was changed from aaa dnis map accounting network group to aaa dnis map accounting network. |
Usage Guidelines
This command lets you assign a DNIS number to a particular AAA server group, so that the server group can process accounting requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.
Table 2 contains descriptions of accounting method keywords.
| Keyword | Description |
|---|---|
| group radius | Uses the list of all RADIUS servers for accounting. |
| group tacacs+ | Uses the list of all TACACS+ servers for accounting. |
| group group-name | Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the aaa group server radius or aaa group server tacacs+ command. |
In Table 2, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Examples
The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for accounting requests for users dialing in with DNIS 7777.
```
aaa new-model
radius-server host 172.30.0.0 acct-port 1646 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 accounting network group group1
```
Related Commands
| Command | Description |
|---|---|
| aaa dnis map | Maps a DNIS number to a particular authentication server group. |
| aaa dnis map enable | Enables AAA server selection based on DNIS. |
| aaa group server | Groups different server hosts into distinct lists and distinct methods. |
| aaa new-model | Enables the AAA access control model. |
| radius-server host | Specifies a RADIUS server host. |
AAA---authentication, authorization, and accounting. Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
authentication, authorization, and accounting---See AAA.
Dialed Number Identification Service---See DNIS.
DNIS---Dialed Number Identification Service. The number dialed by the caller.
Posted: Fri Apr 7 11:20:40 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.