Dial Solutions Configuration Guide
Configuring Accounting

Table Of Contents

Configuring Accounting

AAA Accounting Types

Command Accounting

Connection Accounting

EXEC Accounting

Network Accounting

System Accounting

Configuring AAA Accounting

Prerequisites

Enable Accounting

Accounting Attribute/Value Pairs

Monitor Accounting

Accounting Example


Configuring Accounting


The AAA accounting feature enables you to track the services users are accessing as well as the amount of network resources they are consuming. When aaa accounting is activated, the network access server reports user activity to the TACACS+ or RADIUS security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record consists of accounting attribute-value (AV) pairs and is stored in a log file on the access control server. This log file can then be analyzed for network management, client billing, and auditing.


Note   For additional information about these security tools and features, refer to the Security Configuration Guide or the Security Command Reference.


AAA Accounting Types

Cisco IOS Release 11.3 supports five different kinds of accounting:

Command Accounting

Connection Accounting

EXEC Accounting

Network Accounting

System Accounting

Command Accounting

Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.

The following example shows the information contained in a TACACS+ command accounting record for privilege level 1:

Wed Jun 25 03:46:47 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  stop     
task_id=3       service=shell   priv-lvl=1      cmd=show version <cr>
Wed Jun 25 03:46:58 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  stop     
task_id=4       service=shell   priv-lvl=1      cmd=show interfaces Ethernet 0 <cr>
Wed Jun 25 03:47:03 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  stop     
task_id=5       service=shell   priv-lvl=1      cmd=show ip route <cr>

The following example shows the information contained in a TACACS+ command accounting record for privilege level 15:

Wed Jun 25 03:47:17 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  stop     
task_id=6       service=shell   priv-lvl=15     cmd=configure terminal <cr>
Wed Jun 25 03:47:21 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  stop     
task_id=7       service=shell   priv-lvl=15     cmd=interface Serial 0 <cr>
Wed Jun 25 03:47:29 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  stop     
task_id=8       service=shell   priv-lvl=15     cmd=ip address 1.1.1.1 255.255.255.0 <cr>

Note   Cisco's implementation of RADIUS does not support command accounting.


Connection Accounting

Connection accounting provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), tn3270, packet assembler-disassembler (PAD), and rlogin.

The following example shows the information contained in a RADIUS connection accounting record for an outbound Telnet connection:

Wed Jun 25 04:28:00 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 2
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "4082329477"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Login
        Acct-Session-Id = "00000008"
        Login-Service = Telnet
        Login-IP-Host = "171.68.202.158"
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:28:39 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 2
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "4082329477"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Login
        Acct-Session-Id = "00000008"
        Login-Service = Telnet
        Login-IP-Host = "171.68.202.158"
        Acct-Input-Octets = 10774
        Acct-Output-Octets = 112
        Acct-Input-Packets = 91
        Acct-Output-Packets = 99
        Acct-Session-Time = 39
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ connection accounting record for an outbound Telnet connection:

Wed Jun 25 03:47:43 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  start
task_id=10      service=connection      protocol=telnet addr=171.68.202.158 cmd=telnet dpeng-sun
Wed Jun 25 03:48:38 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  stop
task_id=10      service=connection      protocol=telnet addr=171.68.202.158 cmd=telnet dpeng-sun
bytes_in=4467   bytes_out=96    paks_in=61      paks_out=72     elapsed_time=55

The following example shows the information contained in a RADIUS connection accounting record for an outbound rlogin connection:

Wed Jun 25 04:29:48 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 2
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "4082329477"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Login
        Acct-Session-Id = "0000000A"
        Login-Service = Rlogin
        Login-IP-Host = "171.68.202.158"
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:30:09 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 2
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "4082329477"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Login
        Acct-Session-Id = "0000000A"
        Login-Service = Rlogin
        Login-IP-Host = "171.68.202.158"
        Acct-Input-Octets = 18686
        Acct-Output-Octets = 86
        Acct-Input-Packets = 90
        Acct-Output-Packets = 68
        Acct-Session-Time = 22
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ connection accounting record for an outbound rlogin connection:

Wed Jun 25 03:48:46 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  start
task_id=12      service=connection      protocol=rlogin addr=171.68.202.158 cmd=rlogin dpeng-sun /user dpeng
Wed Jun 25 03:51:37 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  stop
task_id=12      service=connection      protocol=rlogin addr=171.68.202.158 cmd=rlogin dpeng-sun /user dpeng
bytes_in=659926 bytes_out=138   paks_in=2378    paks_out=1251   elapsed_time=171

The following example shows the information contained in a TACACS+ connection accounting record for an outbound LAT connection:

Wed Jun 25 03:53:06 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  start    
task_id=18      service=connection      protocol=lat    addr=VAX        cmd=lat VAX
Wed Jun 25 03:54:15 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  stop     
task_id=18      service=connection      protocol=lat    addr=VAX        cmd=lat VAX  
bytes_in=0      bytes_out=0     paks_in=0      paks_out=0      elapsed_time=6

EXEC Accounting

EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access server, including user name, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.

The following example shows the information contained in a RADIUS EXEC accounting record for a dial-in user:

Wed Jun 25 04:26:23 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 1
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "4082329483"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "00000006"
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"

Wed Jun 25 04:27:25 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 1
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "4082329483"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "00000006"
        Acct-Session-Time = 62
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ EXEC accounting record for a dial-in user:

Wed Jun 25 03:46:21 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  start    
task_id=2       service=shell
Wed Jun 25 04:08:55 1997        172.16.25.15    dpeng   tty3    4082329430/4327528  stop     
task_id=2       service=shell   elapsed_time=1354

The following example shows the information contained in a RADIUS EXEC accounting record for a Telnet user:

Wed Jun 25 04:48:32 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 26
        User-Name = "dpeng"
        Caller-ID = "171.68.202.158"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "00000010"
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:48:46 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 26
        User-Name = "dpeng"
        Caller-ID = "171.68.202.158"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "00000010"
        Acct-Session-Time = 14
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ EXEC accounting record for a Telnet user:

Wed Jun 25 04:06:53 1997        172.16.25.15    dpeng   tty26   171.68.202.158  start
task_id=41      service=shell
Wed Jun 25 04:07:02 1997        172.16.25.15    dpeng   tty26   171.68.202.158  stop
task_id=41      service=shell   elapsed_time=9
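To make use of the TACACS+ command, connection, and EXEC records shown above, here is an added Python example (not from this guide or from Cisco IOS) that parses accounting lines in that layout, lists the commands a user ran at privilege level 15, and pairs start and stop records by task_id so that a session which never received a stop record stands out. The embedded log is constructed from the records in this chapter, with each wrapped record joined onto one line and task 12 left open on purpose.

```python
from datetime import datetime

# Constructed sample in the layout of the TACACS+ records in this chapter, one record per
# line with the wrapped continuation joined. Task 12 deliberately never receives a stop.
SAMPLE_LOG = """\
Wed Jun 25 03:46:21 1997  172.16.25.15  dpeng  tty3  4082329430/4327528  start  task_id=2  service=shell
Wed Jun 25 03:46:47 1997  172.16.25.15  dpeng  tty3  4082329430/4327528  stop  task_id=3  service=shell  priv-lvl=1  cmd=show version <cr>
Wed Jun 25 03:47:17 1997  172.16.25.15  dpeng  tty3  4082329430/4327528  stop  task_id=6  service=shell  priv-lvl=15  cmd=configure terminal <cr>
Wed Jun 25 03:47:29 1997  172.16.25.15  dpeng  tty3  4082329430/4327528  stop  task_id=8  service=shell  priv-lvl=15  cmd=ip address 1.1.1.1 255.255.255.0 <cr>
Wed Jun 25 03:47:43 1997  172.16.25.15  dpeng  tty3  4082329430/4327528  start  task_id=10  service=connection  protocol=telnet  addr=171.68.202.158  cmd=telnet dpeng-sun
Wed Jun 25 03:48:38 1997  172.16.25.15  dpeng  tty3  4082329430/4327528  stop  task_id=10  service=connection  protocol=telnet  addr=171.68.202.158  cmd=telnet dpeng-sun  bytes_in=4467  bytes_out=96  paks_in=61  paks_out=72  elapsed_time=55
Wed Jun 25 03:48:46 1997  172.16.25.15  dpeng  tty3  4082329430/4327528  start  task_id=12  service=connection  protocol=rlogin  addr=171.68.202.158  cmd=rlogin dpeng-sun /user dpeng
Wed Jun 25 04:08:55 1997  172.16.25.15  dpeng  tty3  4082329430/4327528  stop  task_id=2  service=shell  elapsed_time=1354
"""
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_record(line):
    """Split one accounting line into its fixed fields and its attribute=value pairs."""
    tok = line.split()
    if len(tok) < 10:
        raise ValueError("malformed accounting record: %r" % line)
    rec = {"time": datetime.strptime(" ".join(tok[:5]), TS_FMT)}
    rec["nas"], rec["user"], rec["port"], rec["caller"], rec["flag"] = tok[5:10]
    av, key = {}, None
    for t in tok[10:]:
        if "=" in t:                       # a new attribute=value pair
            key, _, val = t.partition("=")
            av[key] = val
        elif key is not None:              # value with spaces, e.g. cmd=show version <cr>
            av[key] += " " + t
    rec["av"] = av
    return rec

def privileged_commands(records, min_level=15):
    """Commands executed at or above min_level (command accounting only emits stop records)."""
    return [(r["user"], r["av"]["cmd"].replace(" <cr>", "")) for r in records
            if r["av"].get("service") == "shell" and "cmd" in r["av"]
            and int(r["av"].get("priv-lvl", "0")) >= min_level]

def pair_sessions(records):
    """Match start/stop by (NAS, task_id); return closed sessions and tasks still open."""
    open_tasks, closed = {}, []
    for r in sorted(records, key=lambda r: r["time"]):
        key = (r["nas"], r["av"].get("task_id"))
        if r["flag"] == "start":
            open_tasks[key] = r
        elif r["flag"] == "stop" and key in open_tasks:
            start = open_tasks.pop(key)
            wall = int((r["time"] - start["time"]).total_seconds())
            reported = int(r["av"].get("elapsed_time", wall))   # server clock vs NAS elapsed_time
            closed.append({"task_id": key[1], "user": r["user"], "service": r["av"].get("service"),
                           "elapsed": reported, "clock_delta": wall - reported})
    return closed, sorted(open_tasks)

if __name__ == "__main__":
    recs = [parse_record(l) for l in SAMPLE_LOG.splitlines()]
    print("privilege-15 commands:", privileged_commands(recs))
    closed, dangling = pair_sessions(recs)
    print("closed:", closed, "\nstarted but never stopped:", dangling)
```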

Network Accounting

Network accounting provides information for all PPP, SLIP or ARAP sessions, including packet and byte counts.

The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through an EXEC session:

Wed Jun 25 04:44:45 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 5
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "408"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Exec-User
        Acct-Session-Id = "0000000D"
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:45:00 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 5
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "408"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed
        Acct-Session-Id = "0000000E"
        Framed-IP-Address = "10.1.1.2"
        Framed-Protocol = PPP
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:47:46 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 5
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "408"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Framed
        Acct-Session-Id = "0000000E"
        Framed-IP-Address = "10.1.1.2"
        Framed-Protocol = PPP
        Acct-Input-Octets = 3075
        Acct-Output-Octets = 167
        Acct-Input-Packets = 39
        Acct-Output-Packets = 9
        Acct-Session-Time = 171
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ network accounting record for a PPP user who first started an EXEC session:

Wed Jun 25 04:00:35 1997        172.16.25.15    dpeng   tty4    408/4327528     start
task_id=28      service=shell
Wed Jun 25 04:00:46 1997        172.16.25.15    dpeng   tty4    408/4327528     start
task_id=30      addr=10.1.1.1   service=ppp
Wed Jun 25 04:00:49 1997        172.16.25.15    dpeng   tty4    408/4327528     update
task_id=30      addr=10.1.1.1   service=ppp     protocol=ip     addr=10.1.1.1
Wed Jun 25 04:01:31 1997        172.16.25.15    dpeng   tty4    408/4327528     stop
task_id=30      addr=10.1.1.1   service=ppp     protocol=ip     addr=10.1.1.1   bytes_in=2844
bytes_out=1682  paks_in=36      paks_out=24     elapsed_time=51
Wed Jun 25 04:01:32 1997        172.16.25.15    dpeng   tty4    408/4327528     stop
task_id=28      service=shell   elapsed_time=57

The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through autoselect:

Wed Jun 25 04:30:52 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 3
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "408"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Service-Type = Framed
        Acct-Session-Id = "0000000B"
        Framed-Protocol = PPP
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"
Wed Jun 25 04:36:49 1997
        NAS-IP-Address = "172.16.25.15"
        NAS-Port = 3
        User-Name = "dpeng"
        Client-Port-DNIS = "4327528"
        Caller-ID = "408"
        Acct-Status-Type = Stop
        Acct-Authentic = RADIUS
        Service-Type = Framed
        Acct-Session-Id = "0000000B"
        Framed-Protocol = PPP
        Framed-IP-Address = "10.1.1.1"
        Acct-Input-Octets = 8630
        Acct-Output-Octets = 5722
        Acct-Input-Packets = 94
        Acct-Output-Packets = 64
        Acct-Session-Time = 357
        Acct-Delay-Time = 0
        User-Id = "dpeng"
        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ network accounting record for a PPP user who comes in through autoselect:

Wed Jun 25 04:02:19 1997        172.16.25.15    dpeng   Async5  408/4327528     start
task_id=35      service=ppp
Wed Jun 25 04:02:25 1997        172.16.25.15    dpeng   Async5  408/4327528     update
task_id=35      service=ppp     protocol=ip     addr=10.1.1.2
Wed Jun 25 04:05:03 1997        172.16.25.15    dpeng   Async5  408/4327528     stop
task_id=35      service=ppp     protocol=ip     addr=10.1.1.2   bytes_in=3366
bytes_out=2149  paks_in=42      paks_out=28     elapsed_time=164
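As an added example (not part of this guide or of Cisco IOS), the following Python parses RADIUS accounting records in the attribute-per-line layout used throughout this chapter and pairs Start and Stop records by Acct-Session-Id. Run over the network accounting exchange shown above (embedded below, trimmed to the attributes the example reads), it reports the PPP session's duration and byte counts, compares Acct-Session-Time against the server's own timestamps, and flags session 0000000D, the EXEC session that only ever sent a Start.

```python
from datetime import datetime

# Sample from the RADIUS network accounting exchange above, trimmed to the attributes this
# example reads: an Exec-User Start that never gets a Stop, then the Framed Start/Stop pair.
SAMPLE_LOG = """\
Wed Jun 25 04:44:45 1997
        NAS-IP-Address = "172.16.25.15"
        Acct-Status-Type = Start
        Service-Type = Exec-User
        Acct-Session-Id = "0000000D"
Wed Jun 25 04:45:00 1997
        NAS-IP-Address = "172.16.25.15"
        Acct-Status-Type = Start
        Service-Type = Framed
        Acct-Session-Id = "0000000E"
Wed Jun 25 04:47:46 1997
        NAS-IP-Address = "172.16.25.15"
        User-Name = "dpeng"
        Acct-Status-Type = Stop
        Service-Type = Framed
        Acct-Session-Id = "0000000E"
        Framed-IP-Address = "10.1.1.2"
        Acct-Input-Octets = 3075
        Acct-Output-Octets = 167
        Acct-Session-Time = 171
"""
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_radius_log(text):
    """An unindented line is a timestamp opening a record; indented 'Name = value' lines belong to it."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():                 # the EXEC example separates records with blank lines
            continue
        if not line[0].isspace():
            cur = {"time": datetime.strptime(line.strip(), TS_FMT), "attrs": {}}
            records.append(cur)
        elif cur is not None:
            name, _, value = line.strip().partition(" = ")
            cur["attrs"][name] = value.strip('"')    # string attributes are quoted in the log
    return records

def summarize_sessions(records):
    """Pair Start/Stop by (NAS, Acct-Session-Id); return closed sessions and ids still open."""
    starts, closed = {}, []
    for r in sorted(records, key=lambda r: r["time"]):
        a = r["attrs"]
        sid = (a.get("NAS-IP-Address"), a.get("Acct-Session-Id"))
        if a.get("Acct-Status-Type") == "Start":
            starts[sid] = r
        elif a.get("Acct-Status-Type") == "Stop":
            start = starts.pop(sid, None)            # None when the NAS sends stop-only records
            sess = int(a.get("Acct-Session-Time", 0))
            wall = int((r["time"] - start["time"]).total_seconds()) if start else None
            closed.append({"session_id": sid[1], "user": a.get("User-Name"),
                           "service": a.get("Service-Type"), "framed_ip": a.get("Framed-IP-Address"),
                           "session_time": sess, "octets_in": int(a.get("Acct-Input-Octets", 0)),
                           "octets_out": int(a.get("Acct-Output-Octets", 0)),
                           "start_seen": start is not None,
                           "clock_delta": wall - sess if start else None})
    return closed, [sid[1] for sid in starts]
```

A negative clock_delta means the server timestamps are closer together than the NAS's reported Acct-Session-Time, which is worth checking when records are used for billing.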

System Accounting

System accounting provides information about all system-level events (for example, when the system reboots, or when accounting is turned on or off).

The following is an example of a typical TACACS+ system accounting record indicating that AAA accounting has been turned off:

Wed Jun 25 03:55:32 1997        172.16.25.15    unknown unknown unknown start   task_id=25   
service=system  event=sys_acct  reason=reconfigure

The following accounting record is an example of a TACACS+ system accounting record indicating that AAA accounting has been turned on:

Wed Jun 25 03:55:22 1997        172.16.25.15    unknown unknown unknown stop    task_id=23   
service=system  event=sys_acct  reason=reconfigure

Note   Cisco's implementation of RADIUS does not support system accounting.


Additional tasks for measuring system resources are covered in other chapters in the Cisco IOS software configuration guides. For example, IP accounting tasks are described in the "Configuring IP Services" chapter in the Network Protocols Configuration Guide, Part 1.

Configuring AAA Accounting

This chapter describes the following tasks:

Enable Accounting

Monitor Accounting

Prerequisites

Before configuring AAA accounting, you must first:

Enable AAA on your network access server.

Define the characteristics of your RADIUS or TACACS+ security server.

Enable Accounting

The aaa accounting command allows you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, perform the following task in global configuration mode:

Task                   Command

Enable accounting.     aaa accounting {system | network | connection | exec | command level}
                       {start-stop | wait-start | stop-only} {tacacs+ | radius}


For minimal accounting, use the stop-only keyword, which instructs the specified authentication system (RADIUS or TACACS+) to send a stop record accounting notice at the end of the requested user process. For more accounting information, use the start-stop keyword to send a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. You can further control access and accounting by using the wait-start keyword, which ensures that the RADIUS or TACACS+ security server receives the start notice before granting the user's process request.

When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. To prevent accounting records from being generated for users who do not have usernames associated with them, perform the following task in global configuration mode:

Task                                                    Command

Prevent accounting records from being generated         aaa accounting suppress null-username
for users whose username string is NULL.


Accounting Attribute/Value Pairs

The network access server monitors the accounting functions defined in either TACACS+ attribute/value (AV) pairs or RADIUS attributes, depending on which security method you have implemented. For a list of supported RADIUS accounting attributes, refer to the "Radius Attributes" chapter in the Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the "TACACS+ AV Pairs" chapter in the Security Configuration Guide.

Monitor Accounting

No specific show command exists for either RADIUS or TACACS+. To obtain accounting records displaying information about users currently logged in, perform the following task in EXEC mode:

Task                                                    Command

Step through all active sessions to print all the       show accounting
accounting records for the actively accounted
functions.


Accounting Example

In the following sample configuration, RADIUS-style accounting is used to track all usage of the following:

EXEC commands

Network services, such as SLIP, PPP, and ARAP

System-level events not associated with users

aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius

The show accounting command yields the following output for the above configuration:

Active Accounted actions on tty0, User billw Priv 1
 Task ID 2, EXEC Accounting record, 00:02:13 Elapsed
 task_id=2 service=shell 
 Task ID 3, Connection Accounting record, 00:02:07 Elapsed
 task_id=3 service=connection protocol=telnet address=172.21.14.90 cmd=synth 

Active Accounted actions on tty1, User rubble Priv 1
 Task ID 5, Network Accounting record, 00:00:52 Elapsed
 task_id=5 service=ppp protocol=ip address=10.0.0.98 

Active Accounted actions on tty10, User bill Priv 1
 Task ID 4, EXEC Accounting record, 00:00:53 Elapsed
 task_id=4 service=shell