Table Of Contents

Accounting Commands

aaa accounting

aaa accounting connection h323

aaa accounting delay-start

aaa accounting gigawords

aaa accounting nested

aaa accounting resource start-stop group

aaa accounting resource stop-failure group

aaa accounting send stop-record authentication failure

aaa accounting session-duration ntp-adjusted

aaa accounting suppress null-username

aaa accounting update

aaa dnis map accounting network

aaa session-id

aaa session-mib

accounting

accounting (gatekeeper)

ppp accounting

show aaa user

show accounting

Accounting Commands

---

This chapter describes the commands used to manage accounting on the network. Accounting management allows you to track individual and group usage of network resources. The authentication, authorization, and accounting (AAA) accounting feature enables you to track the services users are accessing as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the TACACS+ or RADIUS security server (depending on which security method you have implemented) in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing or auditing.

For information on how to configure accounting using AAA, refer to the chapter "Configuring Accounting" in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the section "Accounting Configuration Examples" located at the end of the chapter "Configuring Accounting" in the Cisco IOS Security Configuration Guide.

Refer also to the IP accounting feature in the chapter "Configuring IP Services" of the
Cisco IOS IP Configuration Guide.

aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname

no aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] [broadcast] group groupname

Syntax Description

auth-proxy	Provides information about all authenticated-proxy user events.
system	Performs accounting for all system-level events not associated with users, such as reloads.
network	Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
exec	Runs accounting for EXEC shell session. This keyword might return user profile information such as what is generated by the autocommand command.
connection	Provides information about all outbound conections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin.
commands level	Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.
default	Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.
list-name	Character string used to name the list of at least one of the accounting methods described in Table 8.
vrf vrf-name	(Optional) Specifies a Virtual Route Forwarding (VRF) configuration. Note VRF is used only with system accounting.
start-stop	Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.
stop-only	Sends a "stop" accounting notice at the end of the requested user process.
none	Disables accounting services on this line or interface.
broadcast	(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.
group group-name	At least one of the keywords described in Table 8.

Defaults

AAA accounting is disabled.

Command Modes

Global configuration

Command History

Release	Modification
10.3	This command was introduced.
12.0(5)T	Group server support was added.
12.1(1)T	The broadcast keyword was introduced on the Cisco AS5300 and Cisco AS5800 universal access servers.
12.1(5)T	The auth-proxy keyword was added.
12.2(1)DX	The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(2)DD	This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B	This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T.

Usage Guidelines

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.

Table 8 contains descriptions of keywords for aaa accounting methods.

Table 8 aaa accounting Methods 

Keyword	Description
group radius	Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
group tacacs+	Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
group group-name	Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.

In Table 8, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Cisco IOS software supports the following two methods of accounting:

•RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

•TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the methods to be tried in sequence as given.

If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.

Named accounting method lists are specific to the indicated type of accounting. Method list keywords are described in Table 9.

Table 9 aaa accounting Method List Keywords

Keyword	Description
auth-proxy	Creates a method list to provide accounting information about all authenticated hosts that use the authentication proxy service.
commands	Creates a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level.
connection	Creates a method list to provide accounting information about all outbound connections made from the network access server.
exec	Creates a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.
network	Creates a method list to provide accounting information for SLIP, PPP, NCPs, and ARAP sessions.
resource	Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.

---

Note System accounting does not use named accounting lists; you can define the default list only for system accounting.

---

For minimal accounting, include the stop-only keyword to send a "stop" record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.

To specify an accounting configuration for a particular virtual route forwarding (VRF), specify a default system accounting method list, and use the vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless specified.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the appendix "RADIUS Attributes Overview" in the Cisco IOS Security Configuration Guide, Release 12.2. For a list of supported TACACS+ accounting AV pairs, refer to the appendix "TACACS+ Attribute-Value Pairs" in the Cisco IOS Security Configuration Guide, Release 12.2.

---

Note This command cannot be used with TACACS or extended TACACS.

---

Examples

The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.

aaa accounting commands 15 default stop-only group tacacs+

The following example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a start-stop restriction. The aaa accounting command activates authentication proxy accounting.

aaa new-model

aaa authentication login default group tacacs+

aaa authorization auth-proxy default group tacacs+

aaa accounting auth-proxy default start-stop group tacacs+

The following example defines a default system accounting method list, where accounting services are provided by RADIUS security server "sg_water" with a start-stop restriction. The aaa accounting command specifies accounting for vrf "water."

aaa accounting system default vrf water start-stop group sg_water

Related Commands

Command	Description
aaa authentication ppp	Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization	Sets parameters that restrict user access to a network.
aaa group server radius	Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa group server tacacs	Groups different server hosts into distinct lists and distinct methods.
aaa new-model	Enables the AAA access control model.
radius-server host	Specifies a RADIUS server host.
tacacs-server host	Specifies a TACACS+ server host.

aaa accounting connection h323

To define the accounting method list H.323with RADIUS as a method with either stop-only or start-stop accounting options, use the aaa accounting connection h323 command in global configuration mode. To disable the use of this accounting method list, use the no form of this command.

aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

no aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

Syntax Description

stop-only	Sends a "stop" accounting notice at the end of the requested user process.
start-stop	Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.
none	Disables accounting services on this line or interface.
broadcast	(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
group groupname	Specifies the server group to be used for accounting services. The following are valid server group names: •string: Character string used to name a server group. •radius: Uses list of all RADIUS hosts. •tacacs+: Uses list of all TACACS+ hosts.

Defaults

No accounting method list

Command Modes

Global configuration

Command History

Release	Modification
11.3(6)NA2	This command was introduced.

Usage Guidelines

This command creates a method list called h323 and is applied by default to all voice interfaces if the gw-accounting h323 command is also activated.

Examples

The following example enables authentication, authorization, and accounting (AAA) services, gateway accounting services, and defines a connection accounting method list (h323). The h323 accounting method lists specifies that RADIUS is the security protocol that will provide the accounting services, and that the RADIUS service will track start-stop records.

aaa new model

gw-accounting h323

aaa accounting connection h323 start-stop radius

aaa accounting delay-start

To delay generation of accounting "start" records until the user IP address is established, use the aaa accounting delay-start command in global configuration mode. To disable this functionality, use the no form of this command.

aaa accounting delay-start [vrf vrf-name]

no aaa accounting delay-start [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Virtual Route Forwarding (VRF) configuration.

Defaults

Accounting records are not delayed.

Command Modes

Global configuration

Command History

Release	Modification
12.1	This command was introduced.
12.2(1)DX	The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(2)DD	This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B	This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T.

Usage Guidelines

Use the aaa accounting delay-start command to delay generation of accounting "start" records until the IP address of the user has been established. Use the vrf vrf-name keyword and argument to delay accounting "start" records per Virtual Private Network (VPN) routing and forwarding (VRF) configuration.

Examples

The following example shows how to delay accounting "start" records until the IP address of the user is established:

aaa new-model

aaa authentication ppp default radius

aaa accounting network default start-stop radius

aaa accounting delay-start

radius-server host 172.16.0.0 non-standard

radius-server key rad123

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.
aaa authentication ppp	Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization	Sets parameters that restrict user access to a network.
aaa new-model	Enables the AAA access control model.
radius-server host	Specifies a RADIUS server host.
tacacs-server host	Specifies a TACACS+ server host.

aaa accounting gigawords

To enable authentication, authorization, and accounting (AAA) 64-bit, high-capacity counters, use the aaa accounting gigawords command in global configuration mode. To disable the counters, use the no form of this command. (Note that gigaword support is automatically configured unless you unconfigure it using the no form of the command.)

aaa accounting gigawords

no aaa accounting gigawords

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, the 64-bit, high-capacity counters that support RADIUS attributes 52 and 53 are automatically enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(13.7)T	This command was introduced.

Usage Guidelines

The AAA high-capacity counter process takes approximately 8 percent CPU memory for 24,000 (24 K) sessions running under steady state.

If you have entered the no form of this command to turn off the 64-bit counters and you want to reenable them, you will need to enter the aaa accounting gigawords command. Also, once you have entered the no form of the command, it takes a reload of the router to actually disable the use of the 64-bit counters.

---

Note The aaa accounting gigawords command does not show up in the running configuration unless the no form of the command is used in the configuration.

---

Examples

The following example shows that the AAA 64-bit counters have been disabled:

no aaa accounting gigawords

aaa accounting nested

To specify that NETWORK records be generated, or nested, within EXEC "start" and "stop" records for PPP users who start EXEC terminal sessions, use the aaa accounting nested command in global configuration mode. To allow the sending of records for users with a NULL username, use the no form of this command.

aaa accounting nested

no aaa accounting nested

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release	Modification
12.0(5)T	This command was introduced.

Usage Guidelines

Use this command when you want to specify that NETWORK records be nested within EXEC "start" and "stop" records, such as for PPP users who start EXEC terminal sessions. In some cases, such as billing customers for specific services, is can be desirable to keep NETWORK "start" and "stop" records together, essentially nesting them within the framework of the EXEC "start" and "stop" messages. For example, a user dialing in using PPP can create the following records: EXEC-start, NETWORK-start, EXEC-stop, NETWORK-stop. By nesting the accounting records, NETWORK-stop records follow NETWORK-start messages: EXEC-start, NETWORK-start, NETWORK-stop, EXEC-stop.

Examples

The following example enables nesting of NETWORK accounting records for user sessions:

aaa accounting nested

aaa accounting resource start-stop group

To enable full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination, use the aaa accounting resource start-stop group command in global configuration mode. To disable full resource accounting, use the no form of this command.

aaa accounting resource method-list start-stop [broadcast] group groupname

no aaa accounting resource method-list start-stop [broadcast] group groupname

Syntax Description

method-list	Method used for accounting services. Use one of the following options: •default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services. •string: Character string used to name the list of accounting methods.
broadcast	(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
group groupname	Specifies the server group to be used for accounting services. The following are valid server group names: •string: Character string used to name a server group. •radius: Uses list of all RADIUS hosts. •tacacs+: Uses list of all TACACS+ hosts.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release	Modification
12.1(3)T	This command was introduced.

Usage Guidelines

Use the aaa accounting resource start-stop group command to send a "start" record at each call setup followed with a corresponding "stop" record at the call disconnect. There is a separate "call setup-call disconnect "start-stop" accounting record tracking the progress of the resource connection to the device, and a separate "user authentication start-stop accounting" record tracking the user management progress. These two sets of accounting records are interlinked by using a unique session ID for the call.

You may want to use this command to manage and monitor wholesale customers from one source of data reporting, such as accounting records.

---

Note Sending "start-stop" records for resource allocation along with user "start-stop" records during user authentication can lead to serious performance issues and is discouraged unless absolutely required.

---

All existing AAA accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure resource accounting for "start-stop" records:

aaa new-model

aaa authentication login AOL group radius local

aaa authentication ppp default group radius local

aaa authorization exec AOL group radius if-authenticated

aaa authorization network default group radius if-authenticated

aaa accounting exec default start-stop group radius

aaa accounting network default start-stop group radius

aaa accounting resource default start-stop group radius

Related Commands

Command	Description
aaa accounting start-stop failure	Enables resource failure stop accounting support, which will only generate a stop record at any point prior to user authentication if a call is terminated.

aaa accounting resource stop-failure group

To enable resource failure stop accounting support, which will generate a "stop" record at any point prior to user authentication only if a call is terminated, use the aaa accounting resource stop-failure group command in global configuration mode. To disable resource failure stop accounting, use the no form of this command.

aaa accounting resource method-list stop-failure [broadcast] group groupname

no aaa accounting resource method-list stop-failure [broadcast] group groupname

Syntax Description

method-list	Method used for accounting services. Use one of the following options: •default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services. •string: Character string used to name the list of accounting methods.
broadcast	(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
group groupname	Group to be used for accounting services. Use one of the following options: •string: Character string used to name a server group. •radius: Uses list of all RADIUS hosts. •tacacs+: Uses list of all TACACS+ hosts.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release	Modification
12.1(3)T	This command was introduced.

Usage Guidelines

Use the aaa accounting resource stop-failure group command to generate a "stop" record for any calls that do not reach user authentication; this function creates "stop" accounting records for the moment of call setup. All calls that pass user authentication will behave as before; that is, no additional accounting records will be seen.

All existing authentication, authorization, and accounting (AAA) accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure "stop" accounting records from the moment of call setup:

aaa new-model

aaa authentication login AOL group radius local

aaa authentication ppp default group radius local

aaa authorization exec AOL group radius if-authenticated

aaa authorization network default group radius if-authenticated

aaa accounting exec default start-stop group radius

aaa accounting network default start-stop group radius

aaa accounting resource default stop-failure group radius

Related Commands

Command	Description
aaa accounting resource start-stop group	Enables full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination.

aaa accounting send stop-record authentication failure

To generate accounting "stop" records for users who fail to authenticate at login or during session negotiation, use the aaa accounting send stop-record authentication failure command in global configuration mode. To stop generating records for users who fail to authenticate at login or during session negotiation, use the no form of this command.

aaa accounting send stop-record authentication failure [vrf vrf-name]

no aaa accounting send stop-record authentication failure

Syntax Description

vrf vrf-name

(Optional) Virtual Route Forwarding (VRF) configuration.

Defaults

The "stop" records are not generated.

Command Modes

Global configuration

Command History

Release	Modification
12.0(5)T	This command was introduced.
12.2(1)DX	The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(2)DD	This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B	This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T.

Usage Guidelines

Use this command to generate accounting "stop" records for users who fail to authenticate at login or during session negotiation. When the aaa accounting command is activated, by default the Cisco IOS software does not generate accounting records for system users who fail login authentication or who succeed in login authentication but fail PPP negotiation for some reason.

Use the vrf vrf-name keyword and argument to generate accounting "stop" records per Virtual Private Network (VPN) routing and forwarding (VRF) configuration.

Examples

The following example shows how to generate "stop" records for users who fail to authenticate at login or during session negotiation:

aaa accounting send stop-record authentication failure

aaa accounting session-duration ntp-adjusted

To calculate RADIUS attribute 46, Acct-Sess-Time, on the basis of the Network Time Protocol (NTP) clock time, use the aaa accounting session-duration ntp-adjusted command in global configuration mode. To disable the calculation that was configured on the basis of the NTP clock time, use the no form of this command.

aaa accounting session-duration ntp-adjusted

no aaa accounting session-duration ntp-adjusted

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, RADIUS attribute 46 is calculated on the basis of the 64-bit monotonically increasing counter, which is not NTP adjusted.

Command Modes

Global configuration

Command History

Release	Modification
12.2(4)T	This command was introduced.

Usage Guidelines

If this command is not configured, RADIUS attribute 46 can skew the session time by as much as 5 to 7 seconds for calls that have a duration of more than 24 hours. However, you may not want to configure the command for short-lived calls or if your device is up for only a short time because of the convergence time required if the session time is configured on the basis of the NTP clock time.

For RADIUS attribute 46 to reflect the NTP-adjusted time, you must configure the ntp server command as well as the aaa accounting session-duration ntp-adjusted command.

Examples

The following example shows that the attribute 46 session time is to be calculated on the basis of the NTP clock time:

aaa new-model

aaa authentication ppp default group radius

aaa accounting session-time ntp-adjusted

aaa accounting network default start-stop group radius

Related Commands

Command	Description
ntp server	Allows the software clock to be synchronized by a NTP time server.

aaa accounting suppress null-username

To prevent the Cisco IOS software from sending accounting records for users whose username string is NULL, use the aaa accounting suppress null-username command in global configuration mode. To allow sending records for users with a NULL username, use the no form of this command.

aaa accounting suppress null-username

no aaa accounting suppress null-username

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release	Modification
11.2	This command was introduced.

Usage Guidelines

When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. This command prevents accounting records from being generated for those users who do not have usernames associated with them.

Examples

The following example supresses accounting records for users who do not have usernames associated with them:

aaa accounting suppress null-username

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes.

aaa accounting update

To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. To disable interim accounting updates, use the no form of this command.

aaa accounting update [newinfo] [periodic number [jitter {maximum max-value}]]

no aaa accounting update

Syntax Description

newinfo	(Optional) An interim accounting record is sent to the accounting server whenever there is new accounting information to report relating to the user in question.
periodic	(Optional) An interim accounting record is sent to the accounting server periodically, as defined by the argument number.
number	(Optional) Integer specifying number of minutes.
jitter	(Optional) Allows you to set the maximum jitter value in periodic accounting.
maximum max-value	(Required) The number of seconds to set for maximum jitter in periodic accounting. The value 0 turns off jitter. Jitter is set to 300 seconds (5 minutes) by default.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release	Modification
11.3	This command was introduced.
12.2(13)T	Introduced support for generation of an additional updated interim accounting record that contains all available attributes when a call leg is connected.
12.2(15)T11	The jitter keyword was added.

Usage Guidelines

•When the aaa accounting update command is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the newinfo keyword is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IP Control Protocol (IPCP) completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.

•When the gw-accounting aaa command and the aaa accounting update newinfo command and keyword are activated, Cisco IOS software generates and sends an additional updated interim accounting record to the accounting server when a call leg is connected. All attributes (for example, h323-connect-time and backward-call-indicators) available at the time of call connection are sent through this interim updated accounting record.

•When used with the periodic keyword, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent.

•When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to report, and accounting records are sent to the accounting server periodically as defined by the argument number. For example, if you configure the aaa accounting update newinfo periodic number command, all users currently logged in will continue to generate periodic interim accounting records while new users will generate accounting records based on the newinfo algorithm.

•Vendor-specific attributes (VSAs) such as h323-connect-time and backward call indicator (BCI) are transmitted in the interim update RADIUS message when the aaa accounting update newinfo command and keyword are enabled.

•Jitter is used to provide an interval of time between records, so that the AAA server does not get overwhelmed by a constant stream of records. If certain applications require that periodic records be sent a exact intervals, you should disable jitter by setting it to 0.

---

Caution Using the aaa accounting update periodic command and keyword can cause heavy congestion when many users are logged into the network.

---

Examples

The following example sends PPP accounting records to a remote RADIUS server. When IPCP completes negotiation, this command sends an interim accounting record to the RADIUS server that includes the negotiated IP address for this user; it also sends periodic interim accounting records to the RADIUS server at 30-minute intervals.

aaa accounting network default start-stop group radius

aaa accounting update newinfo periodic 30

The following example sends periodic interim accounting records to the RADIUS server at 30-minute intervals and disables jitter:

aaa accounting update newinfo periodic 30 jitter maximum 0

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes.
gw-accounting aaa	Enables VoIP gateway accounting through the AAA system.

aaa dnis map accounting network

To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group that will be used for AAA accounting, use the aaa dnis map accounting network command in global configuration mode. To remove DNIS mapping from the named server group, use the no form of this command.

aaa dnis map dnis-number accounting network [start-stop | stop-only | none] [broadcast] group groupname

no aaa dnis map dnis-number accounting network

Syntax Description

dnis-number	Number of the DNIS.
start-stop	(Optional) Indicates that the defined security server group will send a "start accounting" notice at the beginning of a process and a "stop accounting" notice at the end of a process. The "start accounting" record is sent in the background. (The requested user process begins regardless of whether the "start accounting" notice was received by the accounting server.)
stop-only	(Optional) Indicates that the defined security server group will send a "stop accounting" notice at the end of the requested user process.
none	(Optional) Indicates that the defined security server group will not send accounting notices.
broadcast	(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
group groupname	At least one of the keywords described in Table 10.

Defaults

This command is disabled by default.

Command Modes

Global configuration

Command History

Release	Modification
12.0(7)T	This command was introduced.
12.1(1)T	•The optional broadcast keyword was added. •The ability to specify multiple server groups was added. •To accommodate multiple server groups, the name of the command was changed from aaa dnis map accounting network group to aaa dnis map accounting network.

Usage Guidelines

This command lets you assign a DNIS number to a particular AAA server group so that the server group can process accounting requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.

Table 10 contains descriptions of accounting method keywords.

Table 10 AAA Accounting Methods 

Keyword	Description
group radius	Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
group tacacs+	Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
group group-name	Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.

In Table 10, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Examples

The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for accounting requests for users dialing in with DNIS 7777.

aaa new-model

radius-server host 172.30.0.0 acct-port 1646 key cisco1

aaa group server radius group1

 server 172.30.0.0

aaa dnis map enable

aaa dnis map 7777 accounting network group group1

Related Commands

Command	Description
aaa dnis map authentication ppp group	Maps a DNIS number to a particular authentication server group.
aaa dnis map enable	Enables AAA server selection based on DNIS.
aaa group server	Groups different server hosts into distinct lists and distinct methods.
aaa new-model	Enables the AAA access control model.
radius-server host	Specifies a RADIUS server host.

aaa session-id

To specify whether the same session ID will be used for each authentication, authorization, and accounting (AAA) accounting service type within a call or whether a different session ID will be assigned to each accounting service type, use the aaa session-id command in global configuration mode. To restore the default behavior after the unique keyword is enabled, use the no form of this command.

aaa session-id [common | unique]

no aaa session-id [unique]

Syntax Description

common	(Optional) Ensures that all session identification (ID) information that is sent out for a given call will be made identical. The default behavior is common.
unique	(Optional) Ensures that only the corresponding service access-requests and accounting-requests will maintain a common session ID. Accounting-requests for each service will have a different session ID.

Defaults

The common keyword is enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(4)B	This command was introduced.
12.2(8)T	This command was integrated into Cisco IOS Release 12.2(8)T.

Usage Guidelines

The common keyword behavior allows the first session ID request of the call to be stored in a common database; all proceeding session ID requests will retrieve the value of the first session ID. Because a common session ID is the default behavior, this functionality is written to the system configuration after the aaa new-model command is configured.

---

Note The router configuration will always have either the aaa session-id common or the aaa session-id unique command enabled; it is not possible to have neither of the two enabled. Thus, the no aaa session-id unique command will revert to the default functionality, but the no aaa session-id common command will not have any effect because it is the default functionality.

---

The unique keyword behavior assigns a different session ID for each accounting type (Auth-Proxy, Exec, Network, Command, System, Connection, and Resource) during a call. To specify this behavior, the unique keyword must be specified. The session ID may be included in RADIUS access requests by configuring the radius-server attribute 44 include-in-access-req command. The session ID in the access-request will be the same as the session ID in the accounting request for the same service; all other services will provide unique session IDs for the same call.

Examples

The following example shows how to configure unique session IDs:

aaa new-model

aaa authentication ppp default group radius

radius-server host 10.100.1.34

radius-server attribute 44 include-in-access-req

aaa session-id unique

Related Commands

Command	Description
aaa new model	Enables AAA.
radius-server attribute 44 include-in-access-req	Sends RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication).

aaa session-mib

To enable disconnect by using Simple Network Management Protocol (SNMP), use the aaa session-mib global configuration mode command. To disable this function, use the no form of this command.

aaa session-mib disconnect

no aaa session-mib disconnect

Syntax Description

disconnect

Enables authentication, authorization, and accounting (AAA) session MIB disconnect.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release	Modification
12.1(3)T	This command was introduced.

Usage Guidelines

Use the aaa session-mib command to terminate authenticated client connections using SNMP.

You must enable the disconnect keyword with this command. Otherwise, the network management station cannot perform set operations and disconnect users; it can only poll the table.

Examples

The following example shows how to enable a AAA session MIB to disconnect authenticated clients using SNMP:

aaa session-mib disconnect

accounting

To enable authentication, authorization, and accounting (AAA) accounting services to a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.

accounting {arap | commands level | connection | exec} [default | list-name]

no accounting {arap | commands level | connection | exec} [default | list-name]

Syntax Description

arap	Enables accounting on lines configured for AppleTalk Remote Access Protocol (ARAP).
commands level	Enables accounting on the selected lines for all commands at the specified privilege level. Valid privilege level entries are 0 through 15.
connection	Enables both CHAP and PAP, and performs PAP authentication before CHAP.
exec	Enables accounting for all system-level events not associated with users, such as reloads on the selected lines.
default	(Optional) The name of the default method list, created with the aaa accounting command.
list-name	(Optional) Specifies the name of a list of accounting methods to use. If no list name is specified, the system uses the default. The list is created with the aaa accounting command.

Defaults

Accounting is disabled.

Command Modes

Line configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.

Examples

The following example enables command accounting services (for level 15) using the accounting method list named charlie on line 10:

line 10

 accounting commands 15 charlie

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes.

accounting (gatekeeper)

To enable accounting services on the gatekeeper, use the accounting command in gatekeeper configuration mode. To disable accounting services, use the no form of this command.

accounting [vsa]

no accounting [vsa]

Syntax Description

vsa	(Optional) Configures the vendor-specific attribute (VSA) method of accounting.

Defaults

Accounting is disabled.

Command Modes

Gatekeeper configuration

Command History

Release	Modification
11.3(2)NA	This command was introduced.
12.0(3)T	This command was integrated into Cisco IOS Release 12.0(3)T.
12.1(5)XM	The vsa keyword was added.
12.2(2)T	The vsa keyword was integrated into Cisco IOS Release 12.2(2)T.
12.2(2)XB1	This command was implemented on the Cisco AS5850 universal gateway.

Usage Guidelines

Specify a RADIUS server before using the accounting command.

There are three different methods of accounting. The H.323 method sends the call detail record (CDR) to the RADIUS server, the syslog method uses the system logging facility to record the CDRs, and the VSA method collects VSAs.

Examples

The following example enables the gateway to report user activity to the RADIUS server in the form of connection accounting records:

aaa accounting connection start-stop group radius

gatekeeper

 accounting

The following example shows how to enable VSA accounting:

aaa accounting connection start-stop group radius

gatekeeper

 accounting exec vsa

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes.

ppp accounting

To enable authentication, authorization, and accounting (AAA) accounting services on the selected interface, use the ppp accounting command in interface configuration mode. To disable AAA accounting services, use the no form of this command.

ppp accounting default

no ppp accounting

Syntax Description

default

The name of the method list is created with the aaa accounting command.

Defaults

Accounting is disabled.

Command Modes

Interface configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

After you enable the aaa accounting command and define a named accounting method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for accounting services to take place. Use the ppp accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.

Examples

The following example enables accounting on asynchronous interface 4 and uses the accounting method list named charlie:

interface async 4

 encapsulation ppp

 ppp accounting charlie

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes.

show aaa user

To display attributes related to an authentication, authorization, and accounting (AAA) session, use the show aaa user command in privileged EXEC mode.

show aaa user {all | unique id}

Syntax Description

all	Displays information about all users for which AAA currently has knowledge.
unique id	Displays information for only this user.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(4)T	This command was introduced.

Usage Guidelines

When a user logs into a Cisco router and uses AAA, a unique ID is assigned to the session. Throughout the life of the session, various attributes that are related to the session are collected and stored internally within a AAA database. These attributes can include the IP address of the user, the protocol being used to access the router (such as PPP or Serial Line Internet Protocol [SLIP]), the speed of the connection, and the number of packets or bytes that are received or transmitted.

The output of this command provides a snapshot of various subdatabases that are associated with a AAA unique ID. Some of the more important ones are listed in Table 11.

The output also shows various AAA call events that are associated with a particular session. For example, when a session comes up, the events generally recorded are CALL START, NET UP, and IP Control Protocol UP (IPCP UP).

In addition, the output provides a snapshot of the dynamic attributes that are associated with a particular session. (Dynamic attributes are those that keep changing values throughout the life of the session.) Some of the more important ones are listed in Table 11.

The unique ID of a session can be obtained from the output of the show aaa sessions command.

---

Note This command does not provide information for all users who are logged into a device, but for only those who have been authenticated or authorized using AAA or for only those whose sessions are being accounted for by the AAA module.

---

---

Note Using the all keyword can produce a large amount of output, depending on the number of users who are logged into the device at any given time.

---

Examples

The following example shows that information is requested for all users:

Router# show aaa user all

The following example shows that information is requested for user 5:

Router# show aaa user 5

The following is sample output from the show aaa user command. The session information displayed is for a PPP over Ethernet over Ethernet (PPPoEoE) session.

Router# show aaa user 3

Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%

Time source is hardware calendar, *20:32:49.199 PST Wed Dec 17 

2003

  Unique id 3 is currently in use.

  Accounting:

    log=0x20C201

    Events recorded :

      CALL START

      NET UP

      IPCP_PASS

      INTERIM START

      VPDN NET UP

  update method(s) :

    NONE

  update interval = 0

  Outstanding Stop Records : 0

  Dynamic attribute list:

    63CCF138 0 00000001 connect-progress(30) 4 LAN Ses Up

    63CCF14C 0 00000001 pre-session-time(239) 4 3(3)

    63CCF160 0 00000001 nas-tx-speed(337) 4 102400000(61A8000)

    63CCF174 0 00000001 nas-rx-speed(33) 4 102400000(61A8000)

    63CCF188 0 00000001 elapsed_time(296) 4 2205(89D)

    63CCF19C 0 00000001 bytes_in(97) 4 6072(17B8)

    63CCF1B0 0 00000001 bytes_out(223) 4 6072(17B8)

    63CCF1C4 0 00000001 pre-bytes-in(235) 4 86(56)

    63CCF1D8 0 00000001 pre-bytes-out(236) 4 90(5A)

    63CCF1EC 0 00000001 paks_in(98) 4 434(1B2)

    63CCF244 0 00000001 paks_out(224) 4 434(1B2)

    63CCF258 0 00000001 pre-paks-in(237) 4 7(7)

    63CCF26C 0 00000001 pre-paks-out(238) 4 9(9)

  No data for type EXEC

  No data for type CONN

  NET: Username=peer1

    Session Id=00000003 Unique Id=00000003

    Start Sent=1 Stop Only=N

    stop_has_been_sent=N

    Method List=63B4A10C : Name = default

    Attribute list:

    63CCF138 0 00000001 session-id(293) 4 3(3)

    63CCF14C 0 00000001 Framed-Protocol(62) 4 PPP

    63CCF160 0 00000001 protocol(241) 4 ip

    63CCF174 0 00000001 addr(5) 4 70.0.0.1

  No data for type CMD

  No data for type SYSTEM

  No data for type RM CALL

  No data for type RM VPDN

  No data for type AUTH PROXY

  No data for type IPSEC-TUNNEL

  No data for type RESOURCE

  No data for type 10

  No data for type CALL

Debg: No data available

Radi: 641AACAC

Interface:

  TTY Num = -1

  Stop Received = 0

  Byte/Packet Counts till Call Start:

    Start Bytes In = 106      Start Bytes Out = 168      

    Start Paks    In = 3      Start Paks  Out = 4          

  Byte/Packet Counts till Service Up:

    Pre Bytes In = 192      Pre Bytes Out = 258      

    Pre Paks  In = 10      Pre Paks  Out = 13      

  Cumulative Byte/Packet Counts :

    Bytes In = 6264      Bytes Out = 6330      

    Paks  In = 444      Paks  Out = 447      

  StartTime = 19:56:01 PST Dec 17 2003

  AuthenTime = 19:56:04 PST Dec 17 2003

  Component = PPoE

Authen: service=PPP type=CHAP method=RADIUS

Kerb: No data available

Meth: No data available

Preauth: No Preauth data.

General:

  Unique Id = 00000003

  Session Id = 00000003

  Attribute List:

    63CCF180 0 00000001 port-type(156) 4 PPP over Ethernet

    63CCF194 0 00000009 interface(152) 7 0/0/0/0

PerU: No data available

Table 11 lists the significant fields shown in the display.

Table 11 show aaa user Field Descriptions

Field	Description
EXEC	Exec-Accounting database
NET	Network Accounting database
CMD	Command Accounting database
Pre Bytes In	Bytes that were received before the call was authenticated
Pre Bytes Out	Bytes that were transmitted before the call was authenticated
Pre Paks In	Packets that were received before the call was authenticated
Pre Paks Out	Packets that were transmitted before the call was authenticated
Bytes In	Bytes that were received after the call was authenticated
Bytes Out	Bytes that were transmitted after the call was authenticated
Paks In	Packets that were received after the call was authenticated
Paks Out	Packets that were transmitted after the call was authenticated
Authen	Authentication database
General	General database
PerU	Per-User database

Related Commands

Command	Description
show aaa sessions	Displays information about AAA sessions as seen in the AAA Session MIB.

show accounting

To step through all active sessions and to print all the accounting records for actively accounted functions, use the show accounting command in privileged EXEC mode.

show accounting

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.1	This command was introduced.
12.2(4)T	This command was replaced by the show aaa user command.

Usage Guidelines

The show accounting command allows you to display the active accountable events on the network. It provides system administrators with a quick look at what is going on, and it also can help collect information in the event of a data loss on the accounting server.

The show accounting command displays additional data on the internal state of authentication, authorization, and accounting (AAA) if debug aaa accounting is activated.

Examples

The following is sample output from the show accounting command:

Router# show accounting

Active Accounted actions on Interface Serial0:19, User jdoe Priv 1

 Task ID 15, Network Accounting record, 00:00:18 Elapsed

 task_id=15 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4

protocol=ip addr=209.165.200.225 mlp-sess-id=1 

Active Accounted actions on Interface Serial0:20, User jdoe Priv 1

 Task ID 13, Network Accounting record, 00:00:49 Elapsed

 task_id=13 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4

protocol=ip addr=209.165.200.225 mlp-sess-id=1 

Active Accounted actions on Interface Serial0:21, User jdoe Priv 1

 Task ID 11, Network Accounting record, 00:01:19 Elapsed

 task_id=11 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4

protocol=ip addr=209.165.200.225 mlp-sess-id=1 

Active Accounted actions on Interface Serial0:22, User jdoe Priv 1

 Task ID 9, Network Accounting record, 00:01:20 Elapsed

 task_id=9 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4

mlp-sess-id=1 protocol=ip addr=209.165.200.225 

Active Accounted actions on , User (not logged in) Priv 0

 Task ID 1, Resource-management Accounting record, 06:21:47 Elapsed

 task_id=1 timezone=PDT rm-protocol-version=1.0

service=resource-management

protocol=nas-status event=nas-start reason=reload 

     Overall Accounting Traffic

          Starts   Stops  Updates  Active  Drops

Exec           0       0        0       0       0

Network        8       4        0       4       0

Connect        0       0        0       0       0

Command        0       0        0       0       0

Rsrc-mgmt      1       0        0       1       0

System         0       0        0       0       0

User creates:21, frees:9, Acctinfo mallocs:15, frees:6

Users freed with accounting unaccounted for:0

Queue length:0

Table 2 describes the fields contained in this display.

Table 12 show accounting Field Descriptions

Field	Description
Active Accounted actions on	Terminal line or interface name with which the user logged in.
User	ID of the user.
Priv	Privilege level of the user.
Task ID	Unique identifier for each accounting session.
Accounting record	Type of accounting session.
Elapsed	Length of time (hh:mm:ss) for this session type.

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes.
show aaa user	Displays attributes related to an AAA session.
show line	Displays the parameters of a terminal line.
show users	Displays information about the active lines on the router.