Security Configuration Guide
Configuring Accounting
Download this chapter
Configuring AccountingConfiguring Accounting
give_us_feedback

Table Of Contents

Configuring Accounting

AAA Accounting Types

Network Accounting

Connection Accounting

EXEC Accounting

System Accounting

Command Accounting

AAA Accounting Prerequisites

AAA Accounting Configuration Task List

Enable Accounting

Suppress Generation of Accounting Records for Null Username Sessions

Generate Interim Accounting Records

Monitor Accounting

Accounting Attribute-Value Pairs

Accounting Configuration Example


Configuring Accounting

The AAA accounting feature enables you to track the services users are accessing as well as the amount of network resources they are consuming. When aaa accounting is enabled, the network access server reports user activity to the TACACS+ or RADIUS security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, and/or auditing.

This chapter describes the following topics and tasks:

AAA Accounting Types

AAA Accounting Prerequisites

AAA Accounting Configuration Task List

Enable Accounting

Monitor Accounting

Accounting Attribute-Value Pairs

Accounting Configuration Example

For a complete description of the accounting commands used in this chapter, refer to the "Accounting Commands" chapter in the Security Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

AAA Accounting Types

Cisco IOS software supports five different kinds of accounting:

Network Accounting

Connection Accounting

EXEC Accounting

System Accounting

Command Accounting

Network Accounting

Network accounting provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.

The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through an EXEC session: 

Wed Jun 25 04:44:45 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 5

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "562"

        Acct-Status-Type = Start

        Acct-Authentic = RADIUS

        Service-Type = Exec-User

        Acct-Session-Id = "0000000D"

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

Wed Jun 25 04:45:00 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 5

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "562"

        Acct-Status-Type = Start

        Acct-Authentic = RADIUS

        Service-Type = Framed

        Acct-Session-Id = "0000000E"

        Framed-IP-Address = "10.1.1.2"

        Framed-Protocol = PPP

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"


Wed Jun 25 04:47:46 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 5

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "562"

        Acct-Status-Type = Stop

        Acct-Authentic = RADIUS

        Service-Type = Framed

        Acct-Session-Id = "0000000E"

        Framed-IP-Address = "10.1.1.2"

        Framed-Protocol = PPP

        Acct-Input-Octets = 3075

        Acct-Output-Octets = 167

        Acct-Input-Packets = 39

        Acct-Output-Packets = 9

        Acct-Session-Time = 171

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"


Wed Jun 25 04:48:45 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 5

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "408"

        Acct-Status-Type = Stop

        Acct-Authentic = RADIUS

        Service-Type = Exec-User

        Acct-Session-Id = "0000000D"

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ network accounting record for a PPP user who first started an EXEC session: 

Wed Jun 25 04:00:35 1997        172.16.25.15    fgeorge   tty4    562/4327528     
starttask_id=28      service=shell

Wed Jun 25 04:00:46 1997        172.16.25.15    fgeorge   tty4 562/4327528     
starttask_id=30      addr=10.1.1.1   service=ppp

Wed Jun 25 04:00:49 1997        172.16.25.15    fgeorge   tty4    408/4327528     update       
task_id=30      addr=10.1.1.1   service=ppp     protocol=ip     addr=10.1.1.1

Wed Jun 25 04:01:31 1997        172.16.25.15    fgeorge   tty4    562/4327528     
stoptask_id=30       addr=10.1.1.1   service=ppp     protocol=ip     addr=10.1.1.1   
bytes_in=2844        bytes_out=1682  paks_in=36      paks_out=24     elapsed_time=51

Wed Jun 25 04:01:32 1997        172.16.25.15    fgeorge   tty4    562/4327528     
stoptask_id=28       service=shell   elapsed_time=57

Note   The precise format of accounting packets records may vary depending on your particular security server daemon.

The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through autoselect: 

Wed Jun 25 04:30:52 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 3

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "562"

        Acct-Status-Type = Start

        Acct-Authentic = RADIUS

        Service-Type = Framed

        Acct-Session-Id = "0000000B"

        Framed-Protocol = PPP

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

Wed Jun 25 04:36:49 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 3

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "562"

        Acct-Status-Type = Stop

        Acct-Authentic = RADIUS

        Service-Type = Framed

        Acct-Session-Id = "0000000B"

        Framed-Protocol = PPP

        Framed-IP-Address = "10.1.1.1"

        Acct-Input-Octets = 8630

        Acct-Output-Octets = 5722

        Acct-Input-Packets = 94

        Acct-Output-Packets = 64

        Acct-Session-Time = 357

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ network accounting record for a PPP user who comes in through autoselect: 

Wed Jun 25 04:02:19 1997        172.16.25.15    fgeorge   Async5  562/4327528     
starttask_id=35      service=ppp

Wed Jun 25 04:02:25 1997        172.16.25.15    fgeorge   Async5  562/4327528     update       
task_id=35      service=ppp     protocol=ip     addr=10.1.1.2

Wed Jun 25 04:05:03 1997        172.16.25.15    fgeorge   Async5  562/4327528     
stoptask_id=35       service=ppp     protocol=ip     addr=10.1.1.2   bytes_in=3366   
bytes_out=2149       paks_in=42      paks_out=28     elapsed_time=164

Connection Accounting

Connection accounting provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembly-disassembly (PAD), and rlogin.

The following example shows the information contained in a RADIUS connection accounting record for an outbound Telnet connection: 

Wed Jun 25 04:28:00 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 2

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "5622329477"

        Acct-Status-Type = Start

        Acct-Authentic = RADIUS

        Service-Type = Login

        Acct-Session-Id = "00000008"

        Login-Service = Telnet

        Login-IP-Host = "171.68.202.158"

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

Wed Jun 25 04:28:39 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 2

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "5622329477"

        Acct-Status-Type = Stop

        Acct-Authentic = RADIUS

        Service-Type = Login

        Acct-Session-Id = "00000008"

        Login-Service = Telnet

        Login-IP-Host = "171.68.202.158"

        Acct-Input-Octets = 10774

        Acct-Output-Octets = 112

        Acct-Input-Packets = 91

        Acct-Output-Packets = 99

        Acct-Session-Time = 39

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ connection accounting record for an outbound Telnet connection: 

Wed Jun 25 03:47:43 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
start    task_id=10      service=connection      protocol=telnet addr=171.68.202.158 
cmd=telnet fgeorge-sun

Wed Jun 25 03:48:38 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  stop     
task_id=10      service=connection      protocol=telnet addr=171.68.202.158 cmd=telnet 
fgeorge-sun     bytes_in=4467   bytes_out=96    paks_in=61      paks_out=72 e

lapsed_time=55

The following example shows the information contained in a RADIUS connection accounting record for an outbound rlogin connection: 

Wed Jun 25 04:29:48 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 2

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "5622329477"

        Acct-Status-Type = Start

        Acct-Authentic = RADIUS

        Service-Type = Login

        Acct-Session-Id = "0000000A"

        Login-Service = Rlogin

        Login-IP-Host = "171.68.202.158"

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

Wed Jun 25 04:30:09 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 2

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "5622329477"

        Acct-Status-Type = Stop

        Acct-Authentic = RADIUS

        Service-Type = Login

        Acct-Session-Id = "0000000A"

        Login-Service = Rlogin

        Login-IP-Host = "171.68.202.158"

        Acct-Input-Octets = 18686

        Acct-Output-Octets = 86

        Acct-Input-Packets = 90

        Acct-Output-Packets = 68

        Acct-Session-Time = 22

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ connection accounting record for an outbound rlogin connection: 

Wed Jun 25 03:48:46 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
start    task_id=12      service=connection      protocol=rlogin addr=171.68.202.158 
cmd=rlogin fgeorge-sun /user fgeorge

Wed Jun 25 03:51:37 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  stop     
task_id=12      service=connection      protocol=rlogin addr=171.68.202.158 cmd=rlogin 
fgeorge-sun /user fgeorge bytes_in=659926 bytes_out=138   paks_in=2378    paks_

out=1251        elapsed_time=171

The following example shows the information contained in a TACACS+ connection accounting record for an outbound LAT connection: 

Wed Jun 25 03:53:06 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
start    task_id=18      service=connection      protocol=lat    addr=VAX        cmd=lat VAX

Wed Jun 25 03:54:15 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  stop     
task_id=18      service=connection      protocol=lat    addr=VAX        cmd=lat VAX  
bytes_in=0      bytes_out=0     paks_in=0      paks_out=0      elapsed_time=6

EXEC Accounting

EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.

The following example shows the information contained in a RADIUS EXEC accounting record for a dial-in user: 

Wed Jun 25 04:26:23 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 1

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "5622329483"

        Acct-Status-Type = Start

        Acct-Authentic = RADIUS

        Service-Type = Exec-User

        Acct-Session-Id = "00000006"

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"


Wed Jun 25 04:27:25 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 1

        User-Name = "fgeorge"

        Client-Port-DNIS = "4327528"

        Caller-ID = "5622329483"

        Acct-Status-Type = Stop

        Acct-Authentic = RADIUS

        Service-Type = Exec-User

        Acct-Session-Id = "00000006"

        Acct-Session-Time = 62

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ EXEC accounting record for a dial-in user: 

Wed Jun 25 03:46:21 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  
start    task_id=2       service=shell

Wed Jun 25 04:08:55 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  stop     
task_id=2       service=shell   elapsed_time=1354

The following example shows the information contained in a RADIUS EXEC accounting record for a Telnet user: 

Wed Jun 25 04:48:32 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 26

        User-Name = "fgeorge"

        Caller-ID = "171.68.202.158"

        Acct-Status-Type = Start

        Acct-Authentic = RADIUS

        Service-Type = Exec-User

        Acct-Session-Id = "00000010"

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

Wed Jun 25 04:48:46 1997

        NAS-IP-Address = "172.16.25.15"

        NAS-Port = 26

        User-Name = "fgeorge"

        Caller-ID = "171.68.202.158"

        Acct-Status-Type = Stop

        Acct-Authentic = RADIUS

        Service-Type = Exec-User

        Acct-Session-Id = "00000010"

        Acct-Session-Time = 14

        Acct-Delay-Time = 0

        User-Id = "fgeorge"

        NAS-Identifier = "172.16.25.15"

The following example shows the information contained in a TACACS+ EXEC accounting record for a Telnet user: 

Wed Jun 25 04:06:53 1997        172.16.25.15    fgeorge   tty26   171.68.202.158  
starttask_id=41      service=shell

Wed Jun 25 04:07:02 1997        172.16.25.15    fgeorge   tty26   171.68.202.158  
stoptask_id=41       service=shell   elapsed_time=9

System Accounting

System accounting provides information about all system-level events (for example, when the system reboots or when accounting is turned on or off). The following accounting record is an example of a typical TACACS+ system accounting record server indicating that AAA accounting has been turned off: 

Wed Jun 25 03:55:32 1997        172.16.25.15    unknown unknown unknown start   task_id=25   
service=system  event=sys_acct  reason=reconfigure

Note   The precise format of accounting packets records may vary depending on your particular TACACS+ daemon.

The following accounting record is an example of a TACACS+ system accounting record indicating that AAA accounting has been turned on: 

Wed Jun 25 03:55:22 1997        172.16.25.15    unknown unknown unknown stop    task_id=23   
service=system  event=sys_acct  reason=reconfigure

Note   Cisco's implementation of RADIUS does not support system accounting.

Additional tasks for measuring system resources are covered in other chapters in the Cisco IOS software configuration guides. For example, IP accounting tasks are described in the "Configuring IP Services" chapter in the Network Protocols Configuration Guide, Part 1.

Command Accounting

Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.

The following example shows the information contained in a TACACS+ command accounting record for privilege level 1: 

Wed Jun 25 03:46:47 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  stop     
task_id=3       service=shell   priv-lvl=1      cmd=show version <cr>

Wed Jun 25 03:46:58 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  stop     
task_id=4       service=shell   priv-lvl=1      cmd=show interfaces Ethernet 0 <cr>

Wed Jun 25 03:47:03 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  stop     
task_id=5       service=shell   priv-lvl=1      cmd=show ip route <cr>

The following example shows the information contained in a TACACS+ command accounting record for privilege level 15: 

Wed Jun 25 03:47:17 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  stop     
task_id=6       service=shell   priv-lvl=15     cmd=configure terminal <cr>

Wed Jun 25 03:47:21 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  stop     
task_id=7       service=shell   priv-lvl=15     cmd=interface Serial 0 <cr>

Wed Jun 25 03:47:29 1997        172.16.25.15    fgeorge   tty3    5622329430/4327528  stop     
task_id=8       service=shell   priv-lvl=15     cmd=ip address 1.1.1.1 255.255.255.0 <cr>

Note   Cisco's implementation of RADIUS does not support command accounting.

AAA Accounting Prerequisites

Before configuring AAA accounting, you must first complete these tasks:

Enable AAA on your network access server. For more information about the AAA security services and how to enable AAA, refer to the "AAA Overview" chapter.

Define the characteristics of your RADIUS or TACACS+ security server. For more information about defining RADIUS security server attributes, refer to the "Configuring RADIUS" chapter. For more information about defining TACACS+ security server attributes, refer to the "Configuring TACACS+" chapter.

AAA Accounting Configuration Task List

This section describes the following tasks:

Enable Accounting

Monitor Accounting

For accounting configuration examples using the commands in this chapter, refer to the "Accounting Configuration Examples" section located at the end of the this chapter.

Enable Accounting

The aaa accounting command enables you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, perform the following task in global configuration mode:

Task
Command

Enable accounting.

aaa accounting {system | network | connection |
exec | command level} {start-stop | wait-start | stop-only} {tacacs+ | radius}


For minimal accounting, use the stop-only keyword, which instructs the specified authentication system (RADIUS or TACACS+) to send a stop record accounting notice at the end of the requested user process. For more accounting information, use the start-stop keyword to send a start accounting notice at the beginning of the requested event and a stop accounting notice at the end of the event. You can further control access and accounting by using the wait-start keyword, which ensures that the RADIUS or TACACS+ security server acknowledges the start notice before granting the user's process request.

Suppress Generation of Accounting Records for Null Username Sessions

When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. An example of this is users who come in on lines where the aaa authentication login method-list none command is applied. To prevent accounting records from being generated for sessions that do not have usernames associated with them, perform the following task in global configuration mode:

Task
Command

Prevent accounting records from being generated for users whose username string is NULL.

aaa accounting suppress null-username


Generate Interim Accounting Records

To enable periodic interim accounting records to be sent to the accounting server, perform the following task in global configuration mode:

Task
Command

Enable periodic interim accounting records to be sent to the accounting server.

aaa accounting update {newinfo | periodic number}


When the aaa accounting update command is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the keyword newinfo is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IPCP completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.

When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the interim accounting record is sent.

Both of these keywords are mutually exclusive, meaning that whichever keyword is configured last takes precedence over the previous configuration. For example, if you configure aaa accounting update periodic, and then configure aaa accounting update newinfo, all users currently logged in will continue to generate periodic interim accounting records. All new users will generate accounting records based on the newinfo algorithm.

Caution   
Using the aaa accounting update periodic command can cause heavy congestion when many users are logged in to the network.

Monitor Accounting

No specific show command exists for either RADIUS or TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, perform the following task in Privileged EXEC mode:

Task
Command

Step through all active sessions and print all the accounting records for the actively accounted functions.

show accounting


Accounting Attribute-Value Pairs

The network access server monitors the accounting functions defined in either TACACS+ attribute/value (AV) pairs or RADIUS attributes, depending on which security method you have implemented. For a list of supported RADIUS accounting attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the "TACACS+ AV Pairs" appendix in the Security Configuration Guide.

Accounting Configuration Example

In the following sample configuration, RADIUS-style accounting is used to track all usage of EXEC commands and network services, such as SLIP, PPP, and ARAP: 

aaa accounting exec start-stop radius

aaa accounting network start-stop radius

The show accounting command yields the following output for the above configuration: 

Active Accounted actions on tty0, User georgef Priv 1

 Task ID 2, EXEC Accounting record, 00:02:13 Elapsed

 task_id=2 service=shell 

 Task ID 3, Connection Accounting record, 00:02:07 Elapsed

 task_id=3 service=connection protocol=telnet address=172.21.14.90 cmd=synth 


Active Accounted actions on tty1, User rubble Priv 1

 Task ID 5, Network Accounting record, 00:00:52 Elapsed

 task_id=5 service=ppp protocol=ip address=10.0.0.98 


Active Accounted actions on tty10, User georgef Priv 1

 Task ID 4, EXEC Accounting record, 00:00:53 Elapsed

 task_id=4 service=shell


describes the fields contained in this example.

Table 9

Field
Description

Active Accounted actions on

Terminal line or interface name user with which the user logged in.

User

User's ID

Priv

User's privilege level.

Task ID

Unique identifier for each accounting session.

Accounting Record

Type of accounting session.

Elapsed

Length of time (hh:mm:ss) for this session type.

attribute=value

AV pairs associated with this accounting session.


Show Accounting Field Descriptions