Configuring Accounting

The AAA accounting feature enables you to track the services users are accessing as well as the amount of network resources they are consuming. When aaa accounting is enabled, the network access server reports user activity to the TACACS+ or RADIUS security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, and/or auditing.

This chapter describes the following topics and tasks:

For a complete description of the accounting commands used in this chapter, refer to the "Accounting Commands" chapter in the Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

Named Method Lists for Accounting

Like authentication and authorization method lists, method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for accounting services.

Cisco IOS software supports the following two methods for accounting:

Accounting method lists are specific to the type of accounting being requested. AAA supports five different types of accounting:


Note System accounting does not use named accounting lists; you can only define the default list for system accounting.

Once again, when you create a named method list, you are defining a particular list of accounting methods for the indicated accounting type.

Accounting method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.

AAA Accounting Types

Cisco IOS software supports five different kinds of accounting:

Network Accounting

Network accounting provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.

The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through an EXEC session:

Wed Jun 25 04:44:45 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 5
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "562"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "0000000D"
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"
 
Wed Jun 25 04:45:00 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 5
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "562"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed
        Acct-Session-Id = "0000000E"
        Framed-IP-Address = "10.1.1.2"
        Framed-Protocol = PPP
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:47:46 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 5
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "562"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Framed
        Acct-Session-Id = "0000000E"
        Framed-IP-Address = "10.1.1.2"
        Framed-Protocol = PPP
        Acct-Input-Octets = 3075
        Acct-Output-Octets = 167
        Acct-Input-Packets = 39
        Acct-Output-Packets = 9
        Acct-Session-Time = 171
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:48:45 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 5
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "408"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "0000000D"
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"
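
The records above nest an EXEC session (0000000D) around a PPP session (0000000E). The following is an added example, not part of the original Cisco documentation: it parses records in this layout, matches each Stop to its Start on NAS-Identifier plus Acct-Session-Id, and reports sessions that never received a Stop. The sample input is constructed, and session 0000000F is an assumption added to show the unmatched case.

```python
import re
from datetime import datetime

# Constructed sample in the layout shown above, trimmed to the attributes the
# pairing needs. Session 0000000F is deliberately left without a Stop record.
SAMPLE = """\
Wed Jun 25 04:44:45 1997
        User-Name = "fgeorge"
        Acct-Status-Type = Start
        Service-Type = Exec-User
        Acct-Session-Id = "0000000D"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:45:00 1997
        User-Name = "fgeorge"
        Acct-Status-Type = Start
        Service-Type = Framed
        Acct-Session-Id = "0000000E"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:47:46 1997
        User-Name = "fgeorge"
        Acct-Status-Type = Stop
        Acct-Session-Id = "0000000E"
        Acct-Input-Octets = 3075
        Acct-Output-Octets = 167
        Acct-Session-Time = 171
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:48:45 1997
        User-Name = "fgeorge"
        Acct-Status-Type = Stop
        Acct-Session-Id = "0000000D"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:50:00 1997
        User-Name = "fgeorge"
        Acct-Status-Type = Start
        Service-Type = Exec-User
        Acct-Session-Id = "0000000F"
        NAS-Identifier = "172.16.25.15"
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
AV_LINE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_records(text):
    """Split a detail file into one dict per record (timestamp + AV pairs)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = record timestamp
            records.append({"timestamp": datetime.strptime(line.strip(), TS_FORMAT)})
        elif records:
            m = AV_LINE.match(line)
            if m:
                records[-1][m.group(1)] = m.group(2).strip()
    return records

def pair_sessions(records):
    """Match each Stop to its Start on (NAS-Identifier, Acct-Session-Id)."""
    open_starts, closed, orphan_stops = {}, [], []
    for rec in records:
        key = (rec.get("NAS-Identifier"), rec.get("Acct-Session-Id"))
        if rec.get("Acct-Status-Type") == "Start":
            open_starts[key] = rec
        elif rec.get("Acct-Status-Type") == "Stop":
            start = open_starts.pop(key, None)
            if start is None:              # Stop with no Start: a record was lost
                orphan_stops.append(rec)
                continue
            # Some Stop records omit Acct-Session-Time; fall back to timestamps.
            wall = int((rec["timestamp"] - start["timestamp"]).total_seconds())
            closed.append({
                "user": rec.get("User-Name"),
                "session_id": key[1],
                "service": start.get("Service-Type"),
                "seconds": int(rec.get("Acct-Session-Time", wall)),
                "octets_in": int(rec.get("Acct-Input-Octets", 0)),
                "octets_out": int(rec.get("Acct-Output-Octets", 0)),
            })
    return closed, list(open_starts.values()), orphan_stops

if __name__ == "__main__":
    closed, still_open, orphans = pair_sessions(parse_records(SAMPLE))
    print(closed)
    print("no Stop seen:", [r["Acct-Session-Id"] for r in still_open])
```

Sessions left in the open list at the end of a log window are either still active or lost their Stop record, so they are worth checking against the output of show accounting.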

The following example shows the information contained in a TACACS+ network accounting record for a PPP user who first started an EXEC session:

Wed Jun 25 04:00:35 1997        172.16.25.15    fgeorge   tty4    562/4327528
start   task_id=28      service=shell
Wed Jun 25 04:00:46 1997        172.16.25.15    fgeorge   tty4    562/4327528
start   task_id=30      addr=10.1.1.1   service=ppp
Wed Jun 25 04:00:49 1997        172.16.25.15    fgeorge   tty4    408/4327528
update  task_id=30      addr=10.1.1.1   service=ppp     protocol=ip
addr=10.1.1.1
Wed Jun 25 04:01:31 1997        172.16.25.15    fgeorge   tty4    562/4327528
stop    task_id=30      addr=10.1.1.1   service=ppp     protocol=ip     addr=10.1.1.1
bytes_in=2844   bytes_out=1682  paks_in=36      paks_out=24     elapsed_time=51
Wed Jun 25 04:01:32 1997        172.16.25.15    fgeorge   tty4    562/4327528
stop    task_id=28      service=shell   elapsed_time=57

Note The precise format of accounting packet records may vary depending on your particular security server daemon.

The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through autoselect:

Wed Jun 25 04:30:52 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 3
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "562"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed
        Acct-Session-Id = "0000000B"
        Framed-Protocol = PPP
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"
 
Wed Jun 25 04:36:49 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 3
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "562"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Framed
        Acct-Session-Id = "0000000B"
        Framed-Protocol = PPP
        Framed-IP-Address = "10.1.1.1"
        Acct-Input-Octets = 8630
        Acct-Output-Octets = 5722
        Acct-Input-Packets = 94
        Acct-Output-Packets = 64
        Acct-Session-Time = 357
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ network accounting record for a PPP user who comes in through autoselect:

Wed Jun 25 04:02:19 1997        172.16.25.15    fgeorge   Async5  562/4327528
start   task_id=35      service=ppp
Wed Jun 25 04:02:25 1997        172.16.25.15    fgeorge   Async5  562/4327528
update  task_id=35      service=ppp     protocol=ip     addr=10.1.1.2
Wed Jun 25 04:05:03 1997        172.16.25.15    fgeorge   Async5  562/4327528
stop    task_id=35      service=ppp     protocol=ip     addr=10.1.1.2   bytes_in=3366
bytes_out=2149  paks_in=42      paks_out=28     elapsed_time=164

Connection Accounting

Connection accounting provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin.

The following example shows the information contained in a RADIUS connection accounting record for an outbound Telnet connection:

Wed Jun 25 04:28:00 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 2
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "5622329477"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Login
        Acct-Session-Id = "00000008"
        Login-Service = Telnet
        Login-IP-Host = "171.68.202.158"
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"
 
Wed Jun 25 04:28:39 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 2
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "5622329477"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Login
        Acct-Session-Id = "00000008"
        Login-Service = Telnet
        Login-IP-Host = "171.68.202.158"
        Acct-Input-Octets = 10774
        Acct-Output-Octets = 112
        Acct-Input-Packets = 91
        Acct-Output-Packets = 99
        Acct-Session-Time = 39
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ connection accounting record for an outbound Telnet connection:

Wed Jun 25 03:47:43 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
start    task_id=10      service=connection      protocol=telnet addr=171.68.202.158 
cmd=telnet fgeorge-sun
Wed Jun 25 03:48:38 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
stop     task_id=10      service=connection      protocol=telnet addr=171.68.202.158 
cmd=telnet fgeorge-sun     bytes_in=4467   bytes_out=96    paks_in=61      paks_out=72
elapsed_time=55

The following example shows the information contained in a RADIUS connection accounting record for an outbound rlogin connection:

Wed Jun 25 04:29:48 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 2
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "5622329477"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Login
        Acct-Session-Id = "0000000A"
        Login-Service = Rlogin
        Login-IP-Host = "171.68.202.158"
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"
 
Wed Jun 25 04:30:09 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 2
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "5622329477"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Login
        Acct-Session-Id = "0000000A"
        Login-Service = Rlogin
        Login-IP-Host = "171.68.202.158"
        Acct-Input-Octets = 18686
        Acct-Output-Octets = 86
        Acct-Input-Packets = 90
        Acct-Output-Packets = 68
        Acct-Session-Time = 22
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ connection accounting record for an outbound rlogin connection:

Wed Jun 25 03:48:46 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
start    task_id=12      service=connection      protocol=rlogin addr=171.68.202.158 
cmd=rlogin fgeorge-sun /user fgeorge
Wed Jun 25 03:51:37 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
stop     task_id=12      service=connection      protocol=rlogin addr=171.68.202.158 
cmd=rlogin fgeorge-sun /user fgeorge bytes_in=659926 bytes_out=138   paks_in=2378
paks_out=1251   elapsed_time=171

The following example shows the information contained in a TACACS+ connection accounting record for an outbound LAT connection:

Wed Jun 25 03:53:06 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
start    task_id=18      service=connection      protocol=lat    addr=VAX        
cmd=lat VAX
Wed Jun 25 03:54:15 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
stop     task_id=18      service=connection      protocol=lat    addr=VAX        
cmd=lat VAX  bytes_in=0      bytes_out=0     paks_in=0      paks_out=0      
elapsed_time=6

EXEC Accounting

EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.

The following example shows the information contained in a RADIUS EXEC accounting record for a dial-in user:

Wed Jun 25 04:26:23 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 1
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "5622329483"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "00000006"
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:27:25 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 1
        User-Name = "fgeorge"
        Client-Port-DNIS = "4327528"
        Caller-ID = "5622329483"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "00000006"
        Acct-Session-Time = 62
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ EXEC accounting record for a dial-in user:

Wed Jun 25 03:46:21 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
start    task_id=2       service=shell
Wed Jun 25 04:08:55 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
stop     task_id=2       service=shell   elapsed_time=1354

The following example shows the information contained in a RADIUS EXEC accounting record for a Telnet user:

Wed Jun 25 04:48:32 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 26
        User-Name = "fgeorge"
        Caller-ID = "171.68.202.158"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "00000010"
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"
 
Wed Jun 25 04:48:46 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 26
        User-Name = "fgeorge"
        Caller-ID = "171.68.202.158"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "00000010"
        Acct-Session-Time = 14
        Acct-Delay-Time = 0
        User-Id = "fgeorge"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ EXEC accounting record for a Telnet user:

Wed Jun 25 04:06:53 1997        172.16.25.15    fgeorge   tty26   171.68.202.158
start   task_id=41      service=shell
Wed Jun 25 04:07:02 1997        172.16.25.15    fgeorge   tty26   171.68.202.158
stop    task_id=41      service=shell   elapsed_time=9

System Accounting

System accounting provides information about all system-level events (for example, when the system reboots or when accounting is turned on or off). The following accounting record is an example of a typical TACACS+ system accounting record indicating that AAA accounting has been turned off:

Wed Jun 25 03:55:32 1997        172.16.25.15    unknown unknown unknown start   
task_id=25   service=system  event=sys_acct  reason=reconfigure

Note The precise format of accounting packet records may vary depending on your particular TACACS+ daemon.

The following accounting record is an example of a TACACS+ system accounting record indicating that AAA accounting has been turned on:

Wed Jun 25 03:55:22 1997        172.16.25.15    unknown unknown unknown stop    
task_id=23   service=system  event=sys_acct  reason=reconfigure

Note Cisco's implementation of RADIUS does not support system accounting.

Additional tasks for measuring system resources are covered in other chapters in the Cisco IOS software configuration guides. For example, IP accounting tasks are described in the "Configuring IP Services" chapter in the Network Protocols Configuration Guide, Part 1.

Command Accounting

Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.

The following example shows the information contained in a TACACS+ command accounting record for privilege level 1:

Wed Jun 25 03:46:47 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
stop     task_id=3       service=shell   priv-lvl=1      cmd=show version <cr>
Wed Jun 25 03:46:58 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
stop     task_id=4       service=shell   priv-lvl=1      cmd=show interfaces Ethernet 0 
<cr>
Wed Jun 25 03:47:03 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
stop     task_id=5       service=shell   priv-lvl=1      cmd=show ip route <cr>

The following example shows the information contained in a TACACS+ command accounting record for privilege level 15:

Wed Jun 25 03:47:17 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
stop     task_id=6       service=shell   priv-lvl=15     cmd=configure terminal <cr>
Wed Jun 25 03:47:21 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
stop     task_id=7       service=shell   priv-lvl=15     cmd=interface Serial 0 <cr>
Wed Jun 25 03:47:29 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
stop     task_id=8       service=shell   priv-lvl=15     cmd=ip address 1.1.1.1 
255.255.255.0 <cr>

Note Cisco's implementation of RADIUS does not support command accounting.
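
Command accounting records are the audit trail for configuration changes, so a common review step is to pull every privilege level 15 command out of the log. The following is an added example, not part of the original Cisco documentation: it parses TACACS+ accounting lines, keeps only command records (those carrying priv-lvl and cmd), and groups them by NAS, user and line. It assumes one tab-separated record per line, which depends on the TACACS+ daemon; the sample is constructed from the values shown above.

```python
from collections import defaultdict
from datetime import datetime

HDR = ("172.16.25.15", "fgeorge", "tty3", "5622329430/4327528")
# Constructed sample built from the values shown above, one tab-separated record
# per line (an assumption: the on-disk layout depends on the TACACS+ daemon).
SAMPLE = "\n".join("\t".join((stamp, *HDR, *rest)) for stamp, *rest in [
    ("Wed Jun 25 03:46:21 1997", "start", "task_id=2", "service=shell"),
    ("Wed Jun 25 03:46:47 1997", "stop", "task_id=3", "service=shell",
     "priv-lvl=1", "cmd=show version <cr>"),
    ("Wed Jun 25 03:47:17 1997", "stop", "task_id=6", "service=shell",
     "priv-lvl=15", "cmd=configure terminal <cr>"),
    ("Wed Jun 25 03:47:21 1997", "stop", "task_id=7", "service=shell",
     "priv-lvl=15", "cmd=interface Serial 0 <cr>"),
    ("Wed Jun 25 03:47:29 1997", "stop", "task_id=8", "service=shell",
     "priv-lvl=15", "cmd=ip address 1.1.1.1 255.255.255.0 <cr>"),
    ("Wed Jun 25 03:48:38 1997", "stop", "task_id=10", "service=connection",
     "protocol=telnet", "cmd=telnet fgeorge-sun", "elapsed_time=55"),
])

def parse_line(line):
    """Split one record into its fixed header fields and its AV pairs."""
    fields = [f.strip() for f in line.split("\t") if f.strip()]
    if len(fields) < 6:
        raise ValueError(f"not an accounting record: {line!r}")
    stamp, nas, user, port, caller, kind = fields[:6]
    # Values such as cmd= contain spaces, so split each pair on the first "=" only.
    av = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    return {"time": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"),
            "nas": nas, "user": user, "port": port, "caller": caller,
            "kind": kind, "av": av}

def command_trail(text):
    """Return {(nas, user, port): [(time, priv_lvl, command), ...]} in log order."""
    trail = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        av = rec["av"]
        # Connection records also carry cmd=, but only command accounting
        # records carry priv-lvl, so require both.
        if "cmd" not in av or "priv-lvl" not in av:
            continue
        cmd = av["cmd"]
        if cmd.endswith("<cr>"):
            cmd = cmd[:-len("<cr>")]
        key = (rec["nas"], rec["user"], rec["port"])
        trail[key].append((rec["time"], int(av["priv-lvl"]), cmd.strip()))
    return dict(trail)

def privileged_commands(trail, level=15):
    """Flatten the trail to (user, HH:MM:SS, command) at or above `level`."""
    return [(key[1], when.strftime("%H:%M:%S"), cmd)
            for key, entries in trail.items()
            for when, priv, cmd in entries if priv >= level]

if __name__ == "__main__":
    for row in privileged_commands(command_trail(SAMPLE)):
        print(*row, sep="  ")
```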

AAA Accounting Prerequisites

Before configuring accounting using named method lists, you must first perform the following tasks:

AAA Accounting Configuration Task List

This section describes the following tasks:

For accounting configuration examples using the commands in this chapter, refer to the "Accounting Configuration Examples" section located at the end of this chapter.

Configure AAA Accounting Using Named Method Lists

To configure AAA accounting using named method lists, use the following commands beginning in global configuration mode:

Step 1
  Command: aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2...] ]
  Purpose: Create an accounting method list and enable accounting.

Step 2
  Command: line [aux | console | tty | vty] line-number [ending-line-number]
  Purpose: Enter the line configuration mode for the lines to which you want to apply the accounting method list.
  or
  Command: interface interface-type interface-number
  Purpose: Enter the interface configuration mode for the interfaces to which you want to apply the accounting method list.

Step 3
  Command: accounting {arap | exec | connection | commands level} {default | list-name}
  Purpose: Apply the accounting method list to a line or set of lines.
  or
  Command: ppp accounting {default | list-name}
  Purpose: Apply the accounting method list to an interface or set of interfaces.


Note System accounting does not use named method lists. For system accounting, you can only define the default method list.
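
Because a named list produces no accounting until it is applied to a line or interface, a configuration review should confirm that every list created in step 1 is referenced in step 3. The following is an added example, not part of the original Cisco documentation: it audits a configuration for named lists that are defined but never applied, lists that are applied but never defined, and named lists for system accounting. The configuration and the list names audit-exec, audit-cmds and outbound are constructed; treating ppp accounting and accounting arap as references to network lists is an assumption taken from the description of network accounting in this chapter.

```python
import re

# Constructed configuration following the three steps above. "audit-exec" is
# never applied, and "outbound" is applied without being defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting network charley start-stop radius
aaa accounting exec audit-exec start-stop tacacs+
aaa accounting commands 15 audit-cmds stop-only tacacs+
aaa accounting system default start-stop tacacs+
!
interface group-async 1
 ppp accounting charley
line vty 0 4
 accounting commands 15 audit-cmds
 accounting connection outbound
"""

TYPES = r"system|network|exec|connection|commands \d+"
DEFINE = re.compile(
    rf"^aaa accounting ({TYPES}) (\S+) (start-stop|wait-start|stop-only|none)\b")
APPLY = re.compile(
    r"^\s+(?:(ppp) accounting|accounting (arap|exec|connection|commands \d+))"
    r" (\S+)\s*$")

def audit(config):
    """Return (finding, accounting type, list name, location) tuples."""
    defined, applied, findings = set(), {}, []
    section = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():                     # global or section header
            section = raw.strip() if raw.startswith(("interface ", "line ")) else None
            m = DEFINE.match(raw)
            if m:
                kind, name = m.group(1), m.group(2)
                if kind == "system" and name != "default":
                    # System accounting accepts only the default list.
                    findings.append(("system-named-list", kind, name, "global"))
                defined.add((kind, name))
            continue
        m = APPLY.match(raw)
        if m and section:
            # Assumption: ppp and arap references resolve to network lists.
            kind = "network" if m.group(1) or m.group(2) == "arap" else m.group(2)
            applied.setdefault((kind, m.group(3)), []).append(section)
    for kind, name in sorted(defined - set(applied)):
        if name != "default":                        # default needs no reference
            findings.append(("defined-not-applied", kind, name, "global"))
    for (kind, name), where in sorted(applied.items()):
        if (kind, name) not in defined:
            findings.append(("applied-not-defined", kind, name, ", ".join(where)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```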

Accounting Types

Named accounting method lists are specific to the indicated type of accounting. To create a method list to provide accounting information for ARAP (network) sessions, use the arap keyword. To create a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, start and stop times, use the exec keyword. To create a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword. To create a method list to provide accounting information about all outbound connections made from the network access server, use the connection keyword.

System accounting does not support named method lists.

For minimal accounting, use the stop-only keyword, which instructs the specified method (RADIUS or TACACS+) to send a stop record accounting notice at the end of the requested user process. For more accounting information, use the start-stop keyword to send a start accounting notice at the beginning of the requested event and a stop accounting notice at the end of the event. You can further control access and accounting by using the wait-start keyword, which ensures that the RADIUS or TACACS+ security server acknowledges the start notice before granting the user's process request. To stop all accounting activities on this line or interface, use the none keyword.

Accounting Methods

To have the network access server send accounting information to a TACACS+ security server, use the tacacs+ method keyword. For more specific information about configuring TACACS+ for accounting services, refer to the "Configuring TACACS+" chapter.

To have the network access server send accounting information to a RADIUS security server, use the radius method keyword. For more specific information about configuring RADIUS for accounting services, refer to the "Configuring RADIUS" chapter.


Note Accounting method lists for SLIP follow whatever is configured for PPP on the relevant interface. If no lists are defined and applied to a particular interface (or no PPP settings are configured), the default setting for accounting applies.

Enable Accounting

The aaa accounting command enables you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, use the following command in global configuration mode:

Command: aaa accounting {system | network | connection | exec | commands level} {start-stop | wait-start | stop-only} {tacacs+ | radius}
Purpose: Enable accounting.

For minimal accounting, use the stop-only keyword, which instructs the specified authentication system (RADIUS or TACACS+) to send a stop record accounting notice at the end of the requested user process. For more accounting information, use the start-stop keyword to send a start accounting notice at the beginning of the requested event and a stop accounting notice at the end of the event. You can further control access and accounting by using the wait-start keyword, which ensures that the RADIUS or TACACS+ security server acknowledges the start notice before granting the user's process request.

Suppress Generation of Accounting Records for Null Username Sessions

When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. An example of this is users who come in on lines where the aaa authentication login method-list none command is applied. To prevent accounting records from being generated for sessions that do not have usernames associated with them, use the following command in global configuration mode:

Command: aaa accounting suppress null-username
Purpose: Prevent accounting records from being generated for users whose username string is NULL.

Generate Interim Accounting Records

To enable periodic interim accounting records to be sent to the accounting server, use the following command in global configuration mode:

Command: aaa accounting update {newinfo | periodic number}
Purpose: Enable periodic interim accounting records to be sent to the accounting server.

When the aaa accounting update command is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the keyword newinfo is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IPCP completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.

When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the interim accounting record is sent.

These two keywords are mutually exclusive, meaning that whichever keyword is configured last takes precedence over the previous configuration. For example, if you configure aaa accounting update periodic, and then configure aaa accounting update newinfo, all users currently logged in will continue to generate periodic interim accounting records. All new users will generate accounting records based on the newinfo algorithm.

Caution Using the aaa accounting update periodic command can cause heavy congestion when many users are logged in to the network.

Monitor Accounting

No specific show command exists for either RADIUS or TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command in Privileged EXEC mode:

Command: show accounting
Purpose: Step through all active sessions and print all the accounting records for the actively accounted functions.

Accounting Attribute-Value Pairs

The network access server monitors the accounting functions defined in either TACACS+ attribute/value (AV) pairs or RADIUS attributes, depending on which security method you have implemented. For a list of supported RADIUS accounting attributes, refer to the "RADIUS Attributes" appendix. For a list of supported TACACS+ accounting AV pairs, refer to the "TACACS+ AV Pairs" appendix.

Accounting Configuration Examples

This section contains the following configuration examples:

Accounting Configuration Example

In the following sample configuration, RADIUS-style accounting is used to track all usage of EXEC commands and network services, such as SLIP, PPP, and ARAP:

aaa accounting exec start-stop radius
aaa accounting network start-stop radius

The show accounting command yields the following output for the above configuration:

Active Accounted actions on tty0, User georgef Priv 1
 Task ID 2, EXEC Accounting record, 00:02:13 Elapsed
 task_id=2 service=shell 
 Task ID 3, Connection Accounting record, 00:02:07 Elapsed
 task_id=3 service=connection protocol=telnet address=172.21.14.90 cmd=synth 
Active Accounted actions on tty1, User rubble Priv 1
 Task ID 5, Network Accounting record, 00:00:52 Elapsed
 task_id=5 service=ppp protocol=ip address=10.0.0.98 
Active Accounted actions on tty10, User georgef Priv 1
 Task ID 4, EXEC Accounting record, 00:00:53 Elapsed
 task_id=4 service=shell 

Table 11 describes the fields contained in this example.


Table 11: Show Accounting Field Descriptions

Field                          Description
Active Accounted actions on    Terminal line or interface name with which the user logged in.
User                           User's ID.
Priv                           User's privilege level.
Task ID                        Unique identifier for each accounting session.
Accounting Record              Type of accounting session.
Elapsed                        Length of time (hh:mm:ss) for this session type.
attribute=value                AV pairs associated with this accounting session.

Named Method List Configuration Example

The following example configures a Cisco AS5200 (enabled for AAA and communication with a RADIUS security server) for AAA services to be provided by the RADIUS server. If the RADIUS server fails to respond, then the local database will be queried for authentication and authorization information, and accounting services will be handled by a TACACS+ server.

aaa new-model
aaa authentication login admins local
aaa authentication ppp dialins radius local
aaa authorization network scoobee radius local
aaa accounting network charley start-stop radius
username root password ALongPassword
radius-server host alcatraz
radius-server key myRaDiUSpassWoRd
interface group-async 1
  group-range 1 16
  encapsulation ppp
  ppp authentication chap dialins
  ppp authorization scoobee
  ppp accounting charley
line 1 16
  autoselect ppp
  autoselect during-login
  login authentication admins
  modem dialin

The lines in this sample RADIUS AAA configuration are defined as follows:


Copyright 1989-1998 © Cisco Systems Inc.