Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
servers. Periodic generates more accounting records than newinfo since it
will also include interim reports on actions in progress.
§ (line): accounting {arap | commands level | connection |
exec} [default | list-name] can be used to apply different
accounting services and levels to different lines.
§ show accounting {system | network | exec | commands level}
{start-stop | wait-start | stop-only} tacacs+ command can
be used to show active connection information. This is not a configuration
command but is worth mentioning.
AAA allows for four levels of accounting as set by the aaa accounting command:
§ start-stop accounting sends records when the accounting type starts and
stops. This is all done in the background and the user process will
continue regardless of the outcome of the accounting attempt.
§ wait-start accounting sends an accounting record at the start and stop of
each specified type. In this case the user process cannot continue, and
will actually be terminated, if the start accounting record cannot be
recorded. If the start record is sent and acknowledged, the user process can
continue, and at the end a stop accounting record will also be sent.
§ stop-only sends an accounting record at the end of a user process that is of an
accountable type.
§ none specifies that no accounting records will be generated for a particular
accounting type.
Important: if wait-start accounting is specified on an interface or line and no security
server is available for receiving the accounting record, then the user process using that
interface or line will be locked out. So don't use wait-start on the console line! A
basic recommendation would be to use wait-start for remote users and start-stop for
local users. For command accounting, stop-only will provide the necessary coverage
and will greatly reduce the number of accounting records.
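The following Python check is an added example, not part of the original guide. It reads a configuration in running-config layout, reports which accounting list and level applies to each line, and flags wait-start on a console line. The sample configuration is constructed, the function name audit is hypothetical, and falling back to the default list when a line names no list is an assumption about AAA method-list behaviour.

```python
import re

# Global form: aaa accounting <type> <list> <level> <method...>
AAA_RE = re.compile(r"^aaa accounting (exec|connection|commands \d+) (\S+) "
                    r"(start-stop|wait-start|stop-only|none)\b")
# Per-line form: accounting <type> <list>
LINE_RE = re.compile(r"^accounting (exec|connection|commands \d+) (\S+)$")

# Constructed sample in running-config layout (not taken from a real router).
SAMPLE = """\
aaa accounting exec default start-stop tacacs+
aaa accounting exec remoteacc wait-start tacacs+
aaa accounting commands 15 cmdacc stop-only tacacs+
!
line con 0
 accounting exec remoteacc
line vty 0 4
 accounting exec remoteacc
 accounting commands 15 cmdacc
"""

def audit(config):
    """Return sorted (line, type, list, level, note) tuples for every line."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if m := AAA_RE.match(text):
            lists[(m.group(1), m.group(2))] = m.group(3)
        elif text.startswith("line "):
            current = text[len("line "):]
            lines[current] = {}
        elif current and (m := LINE_RE.match(text)):
            lines[current][m.group(1)] = m.group(2)   # named list applied here
        elif not raw.startswith(" "):
            current = None                            # left the line block
    report = []
    for line, applied in lines.items():
        for acc_type in sorted({t for t, _ in lists} | set(applied)):
            name = applied.get(acc_type, "default")   # assumed fallback
            level = lists.get((acc_type, name))
            if level is None and name == "default":
                continue                              # nothing applies to this line
            note = "ok"
            if level is None:
                note = "list not defined"
            elif level == "wait-start" and line.startswith("con"):
                note = "LOCKOUT RISK: wait-start on console"
            report.append((line, acc_type, name, level, note))
    return sorted(report)
```

Calling audit(SAMPLE) reports the console line as a lockout risk because the wait-start list remoteacc is applied to it; removing that one line from the console block leaves the console on the default start-stop list.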
As mentioned earlier, Cisco's RADIUS implementation does not support system and
command accounting. Therefore, there are two basic scenarios for accounting
depending upon which security server is in use.
Configuration of TACACS+ accounting:
Central(config)# aaa accounting system default start-stop tacacs+
Central(config)# aaa accounting exec default start-stop tacacs+
Central(config)# aaa accounting exec remoteacc wait-start tacacs+
Central(config)# aaa accounting commands 15 cmdacc stop-only tacacs+
Central(config)# aaa accounting connection default start-stop tacacs+
Central(config)# line vty 0 4
Central(config-line)# accounting exec remoteacc