Cisco IOS Security Command Reference
aaa accounting through aaa local authentication attempts max-fail

Table Of Contents

Security Commands

aaa accounting

aaa accounting connection h323

aaa accounting delay-start

aaa accounting gigawords

aaa accounting-list

aaa accounting nested

aaa accounting resource start-stop group

aaa accounting resource stop-failure group

aaa accounting send stop-record authentication

aaa accounting session-duration ntp-adjusted

aaa accounting suppress null-username

aaa accounting update

aaa attribute

aaa attribute list

aaa authentication (WebVPN)

aaa authentication arap

aaa authentication attempts login

aaa authentication auto (WebVPN)

aaa authentication banner

aaa authentication dot1x

aaa authentication enable default

aaa authentication eou default enable group radius

aaa authentication fail-message

aaa authentication login

aaa authentication nasi

aaa authentication password-prompt

aaa authentication ppp

aaa authentication sgbp

aaa authentication username-prompt

aaa authorization

aaa authorization cache filterserver

aaa authorization config-commands

aaa authorization console

aaa authorization list

aaa authorization reverse-access

aaa authorization template

aaa cache filter

aaa cache filterserver

aaa cache profile

aaa configuration route

aaa dnis map accounting network

aaa dnis map authentication group

aaa dnis map authorization network group

aaa group server diameter

aaa group server radius

aaa group server tacacs+

aaa local authentication attempts max-fail


Security Commands


aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

no aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

Syntax Description

auth-proxy

Provides information about all authenticated-proxy user events.

system

Performs accounting for all system-level events not associated with users, such as reloads.

Note When system accounting is used and the accounting server is unreachable at system startup time, the system will not be accessible for approximately two minutes.

network

Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).

exec

Runs accounting for the EXEC shell session. This keyword might return user profile information such as what is generated by the autocommand command.

connection

Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin.

commands level

Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.

dot1x

Provides information about all IEEE 802.1x-related user events.

default

Uses the listed accounting methods that follow this keyword as the default list of methods for accounting services.

list-name

Character string used to name the list of at least one of the following accounting methods:

group radius—Uses the list of all RADIUS servers for accounting as defined by the aaa group server radius command.

group tacacs+—Uses the list of all TACACS+ servers for accounting as defined by the aaa group server tacacs+ command.

group group-name—Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name argument.

guarantee-first

Guarantees system accounting as the first record.

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

VRF is used only with system accounting.

start-stop

Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.

stop-only

Sends a "stop" accounting notice at the end of the requested user process.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group group-name

Specifies the server group that receives the accounting records, as defined by the aaa group server radius or aaa group server tacacs+ command. The accounting types that can be configured with this command, including the resource, tunnel, and tunnel-link types that do not appear in the syntax line above, are the following:

auth-proxy—Creates a method list to provide accounting information about all authenticated hosts that use the authentication proxy service.

commands—Creates a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level.

connection—Creates a method list to provide accounting information about all outbound connections made from the network access server.

exec—Creates a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.

network—Creates a method list to provide accounting information for SLIP, PPP, NCPs, and ARAP sessions.

resource—Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.

tunnel—Creates a method list to provide accounting records (Tunnel-Start, Tunnel-Stop, and Tunnel-Reject) for virtual private dialup network (VPDN) tunnel status changes.

tunnel-link—Creates a method list to provide accounting records (Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject) for VPDN tunnel-link status changes.


Defaults

AAA accounting is disabled.

Command Modes

Global configuration (config)

Command History

Release
Modification

10.3

This command was introduced.

12.0(5)T

Group server support was added.

12.1(1)T

The broadcast keyword was introduced on the Cisco AS5300 and Cisco AS5800 universal access servers.

12.1(5)T

The auth-proxy keyword was added.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.

12.2(15)B

The tunnel and tunnel-link accounting methods were introduced.

12.3(4)T

The tunnel and tunnel-link accounting methods were integrated into Cisco IOS Release 12.3(4)T.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The dot1x keyword was integrated into Cisco IOS Release 12.4(11)T.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Usage Guidelines

General Information

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.

Table 9 contains descriptions of keywords for AAA accounting methods.

Table 9 aaa accounting Methods 

Keyword
Description

group radius

Uses the list of all RADIUS servers for accounting as defined by the aaa group server radius command.

group tacacs+

Uses the list of all TACACS+ servers for accounting as defined by the aaa group server tacacs+ command.

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name argument.


In Table 9, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Cisco IOS software supports the following two methods of accounting:

RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering values for the list-name argument where list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method list keywords to identify the methods to be tried in sequence as given.

If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.


Note System accounting does not use named accounting lists; you can define the default list only for system accounting.


For minimal accounting, include the stop-only keyword to send a "stop" record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
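The precedence rule above (a named list bound to a line overrides the default list; no default list means no accounting) is easy to get wrong on a device with many lines. The following Python audit is an added example, not code from the Cisco reference: it parses the global aaa accounting statements and the per-line accounting bindings from a constructed running-config excerpt and reports the method list each line actually uses for privilege-15 command accounting. The list names NOACCT and MISSING, the line layout, and the key=value reporting are assumptions made for the demonstration.

```python
"""Resolve which accounting method list a Cisco IOS line actually uses.

Added example, not from the Cisco reference. It parses the global
'aaa accounting' statements and the per-line 'accounting' bindings from a
constructed running-config excerpt and applies the precedence rule from the
Usage Guidelines: a named list bound to a line overrides the default list,
and when neither exists no accounting takes place. The list names NOACCT and
MISSING and the line layout are assumptions made for the demonstration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 NOACCT none
aaa accounting connection default start-stop group radius
line con 0
 accounting commands 15 NOACCT
line vty 0 4
 accounting exec default
line vty 5 15
 accounting commands 15 MISSING
"""

@dataclass
class MethodList:
    acct_type: str            # exec, commands, connection, network, ...
    level: Optional[int]      # privilege level for 'commands', else None
    name: str                 # 'default' or the list-name
    mode: str                 # start-stop, stop-only or none
    groups: List[str] = field(default_factory=list)   # server groups, in order

GLOBAL_RE = re.compile(
    r"^aaa accounting (?P<type>auth-proxy|system|network|exec|connection|commands|dot1x)"
    r"(?: (?P<level>\d+))? (?P<name>\S+)(?: vrf \S+)? (?P<mode>start-stop|stop-only|none)"
    r"(?P<rest>.*)$"
)
LINE_HEADER_RE = re.compile(r"^line (?P<line>.+)$")
LINE_BIND_RE = re.compile(
    r"^ accounting (?P<type>exec|connection|commands)(?: (?P<level>\d+))? (?P<name>\S+)$"
)

def parse_config(text: str):
    """Return the global method lists and, per line, the lists bound to it."""
    lists: List[MethodList] = []
    bindings: Dict[str, List[Tuple[str, Optional[int], str]]] = {}
    current = None
    for raw in text.splitlines():
        m = GLOBAL_RE.match(raw)
        if m:
            level = int(m["level"]) if m["level"] else None
            groups = re.findall(r"group (\S+)", m["rest"])
            lists.append(MethodList(m["type"], level, m["name"], m["mode"], groups))
            continue
        m = LINE_HEADER_RE.match(raw)
        if m:
            current = m["line"]
            bindings.setdefault(current, [])
            continue
        m = LINE_BIND_RE.match(raw)
        if m and current is not None:
            level = int(m["level"]) if m["level"] else None
            bindings[current].append((m["type"], level, m["name"]))
    return lists, bindings

def effective_method(lists, bindings, line, acct_type, level=None):
    """Precedence rule: a list named on the line wins, else the default list,
    else None (no accounting). A bound name that no global statement defines
    is returned with mode 'undefined' so the gap is visible in the report."""
    by_name = {(ml.acct_type, ml.level, ml.name): ml for ml in lists}
    for btype, blevel, bname in bindings.get(line, []):
        if btype == acct_type and blevel == level:
            ml = by_name.get((acct_type, level, bname))
            return (bname, ml.mode, ml.groups) if ml else (bname, "undefined", [])
    ml = by_name.get((acct_type, level, "default"))
    return (ml.name, ml.mode, ml.groups) if ml else None

def audit(text: str):
    """Return the lines on which privilege-15 command accounting is not
    actually being sent to a server (no list, 'none', or an undefined list)."""
    lists, bindings = parse_config(text)
    findings = {}
    for line in bindings:
        eff = effective_method(lists, bindings, line, "commands", 15)
        if eff is None or eff[1] in ("none", "undefined"):
            findings[line] = eff
    return findings

if __name__ == "__main__":
    for line, eff in audit(SAMPLE_CONFIG).items():
        print(f"{line}: commands 15 accounting -> {eff}")
```

Running the audit on the sample flags the console (bound to a list whose method is none) and the upper vty range (bound to a list no global statement defines), while vty 0 4 correctly inherits the default stop-only list. The same resolution can be run per accounting type by changing the arguments to effective_method.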

To specify an accounting configuration for a particular VRF, specify a default system accounting method list, and use the vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless specified.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, see the appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, see the appendix "TACACS+ Attribute-Value Pairs" in the Cisco IOS Security Configuration Guide.


Note This command cannot be used with TACACS or extended TACACS.


Cisco Service Selection Gateway Broadcast Accounting

To configure Cisco Service Selection Gateway (SSG) broadcast accounting, use ssg_broadcast_accounting for the list-name argument. For more information about configuring SSG, see the chapter "Configuring Accounting for SSG" in the Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4.

Layer 2 LAN Switch Port

You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of "Update/Watchdog packets from this AAA client" in your RADIUS server Network Configuration tab. Next, enable "CSV RADIUS Accounting" in your RADIUS server System Configuration tab.

You must enable AAA before you can enter the aaa accounting command. To enable AAA and 802.1X (port-based authentication), use the following global configuration mode commands:

aaa new-model

aaa authentication dot1x default group radius

dot1x system-auth-control

Use the show radius statistics command to display the number of RADIUS messages that do not receive the accounting response message.

Establishing a Session with a Router if the AAA Server is Unreachable

The aaa accounting system guarantee-first command guarantees system accounting as the first record, which is the default condition. In some situations, users may be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than three minutes.

To establish a console or telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command.


Note Entering the no aaa accounting system guarantee-first command is not the only condition by which the console or telnet session can be started. For example, if the privileged EXEC session is being authenticated by TACACS and the TACACS server is not reachable, then the session cannot start.


Examples

The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.

aaa accounting commands 15 default stop-only group tacacs+

The following example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a start-stop restriction. The aaa accounting command activates authentication proxy accounting.

aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+

The following example defines a default system accounting method list, where accounting services are provided by RADIUS security server "server1" with a start-stop restriction. The aaa accounting command specifies accounting for vrf "vrf1."

aaa accounting system default vrf vrf1 start-stop group server1

The following example defines a default IEEE 802.1x accounting method list, where accounting services are provided by a RADIUS server. The aaa accounting command activates IEEE 802.1x accounting.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization dot1x default group radius
aaa accounting dot1x default start-stop group radius

The following example shows how to enable network accounting and send tunnel and tunnel-link accounting records to the RADIUS server. (Tunnel-Reject and Tunnel-Link-Reject accounting records are automatically sent if either start or stop records are configured.)

aaa accounting network tunnel start-stop group radius
aaa accounting network session start-stop group radius

The following example shows how to enable IEEE 802.1x accounting:

aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius

Related Commands

Command
Description

aaa authentication dot1x

Specifies one or more AAA methods for use on interfaces running IEEE 802.1X.

aaa authentication ppp

Specifies one or more AAA authentication methods for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict user access to a network.

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

aaa group server tacacs+

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

dot1x system-auth-control

Enables port-based authentication.

radius-server host

Specifies a RADIUS server host.

show radius statistics

Displays the RADIUS statistics for accounting and authentication packets.

tacacs-server host

Specifies a TACACS+ server host.


aaa accounting connection h323

To define the accounting method list H.323 using RADIUS as a method with either stop-only or start-stop accounting options, use the aaa accounting connection h323 command in global configuration mode. To disable the use of this accounting method list, use the no form of this command.

aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

no aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

Syntax Description

stop-only

Sends a "stop" accounting notice at the end of the requested user process.

start-stop

Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group groupname

Specifies the server group to be used for accounting services. The following are valid server group names:

string: Character string used to name a server group.

radius: Uses list of all RADIUS hosts.

tacacs+: Uses list of all TACACS+ hosts.


Defaults

No accounting method list is defined.

Command Modes

Global configuration

Command History

Release
Modification

11.3(6)NA2

This command was introduced.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

This command creates a method list called h323 and is applied by default to all voice interfaces if the gw-accounting h323 command is also activated.

Examples

The following example enables authentication, authorization, and accounting (AAA) services, gateway accounting services, and defines a connection accounting method list (h323). The h323 accounting method list specifies that RADIUS is the security protocol that will provide the accounting services, and that the RADIUS service will track start-stop records.

aaa new-model
gw-accounting h323
aaa accounting connection h323 start-stop group radius

Related Commands

Command
Description

gw-accounting

Enables the accounting method for collecting call detail records.


aaa accounting delay-start

To delay generation of accounting "start" records until the user IP address is established, use the aaa accounting delay-start command in global configuration mode. To disable this functionality, use the no form of this command.

aaa accounting delay-start [all] [vrf vrf-name]

no aaa accounting delay-start [all] [vrf vrf-name]

Syntax Description

all

(Optional) Extends the delay of accounting "start" records to all virtual routing and forwarding (VRF) and non-VRF users.

vrf vrf-name

(Optional) Extends the delay of accounting "start" records to individual VRF users.


Defaults

Accounting records are not delayed.

Command Modes

Global configuration

Command History

Release
Modification

12.1

This command was introduced.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.

12.3(1)

The all keyword was added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the aaa accounting delay-start command to delay generation of accounting "start" records until the IP address of the user has been established. Use the vrf vrf-name keyword and argument to delay accounting "start" records for individual Virtual Private Network (VPN) routing and forwarding (VRF) users or use the all keyword for all VRF and non-VRF users.


Note Without the all or vrf keyword, the aaa accounting delay-start command applies only to non-VRF users. If you have a mix of VRF and non-VRF users, configure aaa accounting delay-start (for non-VRF users), aaa accounting delay-start vrf vrf-name (for VRF users), or aaa accounting delay-start all (for all VRF and non-VRF users).


Examples

The following example shows how to delay accounting "start" records until the IP address of the user is established:

aaa new-model
aaa authentication ppp default group radius
aaa accounting network default start-stop group radius
aaa accounting delay-start
radius-server host 172.16.0.0 non-standard
radius-server key rad123

The following example shows that accounting "start" records are to be delayed to all VRF and non-VRF users:

aaa new-model
aaa authentication ppp default group radius
aaa accounting network default start-stop group radius
aaa accounting delay-start all
radius-server host 172.16.0.0 non-standard
radius-server key rad123

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.

aaa authentication ppp

Specifies one or more AAA authentication methods for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict user access to a network.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.

tacacs-server host

Specifies a TACACS+ server host.


aaa accounting gigawords

To enable authentication, authorization, and accounting (AAA) 64-bit, high-capacity counters, use the aaa accounting gigawords command in global configuration mode. To disable the counters, use the no form of this command. (Note that gigaword support is automatically configured unless you unconfigure it using the no form of the command.)

aaa accounting gigawords

no aaa accounting gigawords

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, the 64-bit, high-capacity counters that support RADIUS attributes 52 and 53 are automatically enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13.7)T

This command was introduced.


Usage Guidelines

The AAA high-capacity counter process takes approximately 8 percent CPU memory for 24,000 (24 K) sessions running under steady state.

If you have entered the no form of this command to turn off the 64-bit counters and you want to reenable them, you will need to enter the aaa accounting gigawords command. Also, once you have entered the no form of the command, it takes a reload of the router to actually disable the use of the 64-bit counters.


Note The aaa accounting gigawords command does not show up in the running configuration unless the no form of the command is used in the configuration.
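The 64-bit counters are carried as two RADIUS attributes per direction: the low 32 bits in Acct-Input-Octets (42) or Acct-Output-Octets (43) and the high 32 bits in Acct-Input-Gigawords (52) or Acct-Output-Gigawords (53). The following Python encoder and decoder is an added example, not code from the Cisco reference or from IOS: it builds the "start" and "stop" Accounting-Request packets described for this command family, computes the RFC 2866 Request Authenticator, and recombines the two halves of each counter on the collector side. The shared secret, session ID and byte counts are constructed for the demonstration.

```python
"""Encode and decode RADIUS Accounting-Request packets that carry the
64-bit byte counters (Acct-Input-Gigawords 52 and Acct-Output-Gigawords 53).

Added example, not code from the Cisco reference. The packet layout and
Request Authenticator follow RFC 2866 and the gigaword attributes RFC 2869;
the true byte count of a session is gigawords * 2**32 + octets. The shared
secret, session ID and counter values are constructed for the demonstration.
"""
import hashlib
import struct

ACCT_REQUEST = 4                      # RADIUS code for Accounting-Request
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 42, 43
ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS = 52, 53
STATUS_START, STATUS_STOP = 1, 2

def _int_attr(code: int, value: int) -> bytes:
    return struct.pack("!BBI", code, 6, value)          # type, length, 32-bit value

def _str_attr(code: int, value: str) -> bytes:
    data = value.encode()
    return struct.pack("!BB", code, 2 + len(data)) + data

def build_accounting_request(ident, secret, status, session_id,
                             in_bytes=0, out_bytes=0, gigawords=True):
    """Return a complete Accounting-Request.

    With gigawords=True the high 32 bits of each counter are sent in
    attributes 52/53, which is what the IOS default produces. With
    gigawords=False only the low 32 bits are sent, so a session that moved
    more than 4 GiB is under-reported, as on a router configured with
    'no aaa accounting gigawords'.
    """
    attrs = _int_attr(ACCT_STATUS_TYPE, status) + _str_attr(ACCT_SESSION_ID, session_id)
    if status == STATUS_STOP:                       # counters travel in the Stop record
        attrs += _int_attr(ACCT_INPUT_OCTETS, in_bytes & 0xFFFFFFFF)
        attrs += _int_attr(ACCT_OUTPUT_OCTETS, out_bytes & 0xFFFFFFFF)
        if gigawords:
            attrs += _int_attr(ACCT_INPUT_GIGAWORDS, in_bytes >> 32)
            attrs += _int_attr(ACCT_OUTPUT_GIGAWORDS, out_bytes >> 32)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 s.3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """True if the Request Authenticator matches the shared secret."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == authenticator

def parse_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Verify the packet and return its fields, with each 32-bit octet counter
    and its gigaword attribute combined into one 64-bit value. A record whose
    authenticator fails must be discarded by the collector, so ValueError is raised."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if not authenticator_valid(packet, secret):
        raise ValueError("Request Authenticator mismatch")
    attrs, fields, pos = packet[20:], {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[pos + 2:pos + alen]
        fields[atype] = value.decode() if atype == ACCT_SESSION_ID else struct.unpack("!I", value)[0]
        pos += alen

    def counter(low: int, high: int):
        if low not in fields:
            return None
        return (fields.get(high, 0) << 32) | fields[low]

    return {
        "identifier": ident,
        "status": fields.get(ACCT_STATUS_TYPE),
        "session_id": fields.get(ACCT_SESSION_ID),
        "input_bytes": counter(ACCT_INPUT_OCTETS, ACCT_INPUT_GIGAWORDS),
        "output_bytes": counter(ACCT_OUTPUT_OCTETS, ACCT_OUTPUT_GIGAWORDS),
    }
```

A collector that ignores attributes 52 and 53 silently loses everything above 4 GiB per session, which is the billing and audit gap the 64-bit counters close; conversely, a record whose Request Authenticator does not verify against the shared secret must be dropped rather than stored, since anyone on the path can otherwise forge accounting records.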


Examples

The following example shows that the AAA 64-bit counters have been disabled:

no aaa accounting gigawords

aaa accounting-list

To enable authentication, authorization, and accounting (AAA) accounting when you are using RADIUS for Secure Socket Layer Virtual Private Network (SSL VPN) sessions, use the aaa accounting-list command in webvpn context configuration mode. To disable the AAA accounting, use the no form of this command.

aaa accounting-list aaa-list

no aaa accounting-list aaa-list

Syntax Description

aaa-list

Name of the AAA accounting list that has been configured under global configuration.


Defaults

AAA accounting is not enabled.

Command Modes

Webvpn context configuration (config-webvpn-context)

Command History

Release
Modification

12.4(9)T

This command was introduced.


Usage Guidelines

Before configuring this command, ensure that the AAA accounting list has already been configured under global configuration.

Examples

The following example shows that AAA accounting has been configured for an SSL VPN session:

Router(config-webvpn-context)# aaa accounting-list aaalist1

Related Commands

Command
Description

aaa accounting network SSLVPN start-stop group radius

Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.


aaa accounting nested

To specify that NETWORK records be generated, or nested, within EXEC "start" and "stop" records for PPP users who start EXEC terminal sessions, use the aaa accounting nested command in global configuration mode. To disable nesting, use the no form of this command.

aaa accounting nested [suppress stop]

no aaa accounting nested [suppress stop]

Syntax Description

suppress stop

(Optional) Prevents sending a multiple set of records (one from EXEC and one from PPP) for the same client.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The suppress and stop keywords were added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the aaa accounting nested command when you want to specify that NETWORK records be nested within EXEC "start" and "stop" records, such as for PPP users who start EXEC terminal sessions. In some cases, such as billing customers for specific services, it can be desirable to keep NETWORK "start" and "stop" records together, essentially nesting them within the framework of the EXEC "start" and "stop" messages. For example, when a user dials in using PPP and then starts an EXEC session, the records are generated without nesting in the order EXEC-start, NETWORK-start, EXEC-stop, NETWORK-stop. With the aaa accounting nested command, the NETWORK-stop record follows the NETWORK-start record and both are enclosed by the EXEC records: EXEC-start, NETWORK-start, NETWORK-stop, EXEC-stop.

Use the aaa accounting nested suppress stop command to suppress the sending of EXEC accounting records and to send only PPP accounting records.

Examples

The following example enables nesting of NETWORK accounting records for user sessions:

Router(config)# aaa accounting nested

The following example suppresses the EXEC accounting records for user sessions so that only the PPP (NETWORK) records are sent:

Router(config)# aaa accounting nested suppress stop

aaa accounting resource start-stop group

To enable full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination, use the aaa accounting resource start-stop group command in global configuration mode. To disable full resource accounting, use the no form of this command.

aaa accounting resource method-list start-stop [broadcast] group groupname

no aaa accounting resource method-list start-stop [broadcast] group groupname

Syntax Description

method-list

Method used for accounting services. Use one of the following options:

default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

string: Character string used to name the list of accounting methods.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

groupname

Specifies the server group to be used for accounting services. The following are valid server group names:

string: Character string used to name a server group.

radius: Uses list of all RADIUS hosts.

tacacs+: Uses list of all TACACS+ hosts.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the aaa accounting resource start-stop group command to send a "start" record at each call setup followed by a corresponding "stop" record at the call disconnect. There is a separate call setup/call disconnect "start-stop" accounting record that tracks the progress of the resource connection to the device, and a separate user authentication "start-stop" accounting record that tracks the user management progress. These two sets of accounting records are interlinked by using a unique session ID for the call.

You may want to use this command to manage and monitor wholesale customers from one source of data reporting, such as accounting records.


Note Sending "start-stop" records for resource allocation along with user "start-stop" records during user authentication can lead to serious performance issues and is discouraged unless absolutely required.


All existing AAA accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure resource accounting for "start-stop" records:

aaa new-model
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authorization exec AOL group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting resource default start-stop group radius

Related Commands

Command
Description

aaa accounting resource stop-failure group

Enables resource failure stop accounting support, which will only generate a stop record at any point prior to user authentication if a call is terminated.


aaa accounting resource stop-failure group

To enable resource failure stop accounting support, which will generate a "stop" record at any point prior to user authentication only if a call is terminated, use the aaa accounting resource stop-failure group command in global configuration mode. To disable resource failure stop accounting, use the no form of this command.

aaa accounting resource method-list stop-failure [broadcast] group groupname

no aaa accounting resource method-list stop-failure [broadcast] group groupname

Syntax Description

method-list

Method used for accounting services. Use one of the following options:

default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

string: Character string used to name the list of accounting methods.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

groupname

Group to be used for accounting services. Use one of the following options:

string: Character string used to name a server group.

radius: Uses list of all RADIUS hosts.

tacacs+: Uses list of all TACACS+ hosts.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the aaa accounting resource stop-failure group command to generate a "stop" record for any calls that do not reach user authentication; this function creates "stop" accounting records for the moment of call setup. All calls that pass user authentication will behave as before; that is, no additional accounting records will be seen.

All existing authentication, authorization, and accounting (AAA) accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure "stop" accounting records from the moment of call setup:

aaa new-model
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authorization exec AOL group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting resource default stop-failure group radius

Related Commands

Command
Description

aaa accounting resource start-stop group

Enables full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination.


aaa accounting send stop-record authentication

To refine generation of authentication, authorization, and accounting (AAA) accounting "stop" records, use the aaa accounting send stop-record authentication command in global configuration mode. To end generation of accounting stop records, use the no form of this command with the appropriate keyword.

aaa accounting send stop-record authentication {failure | success {remote-server}} [vrf vrf-name]

Failed Calls: End Accounting Stop Record Generation

no aaa accounting send stop-record authentication failure {remote-server}

Successful Calls: End Accounting Stop Record Generation

no aaa accounting send stop-record authentication success {remote-server}

Syntax Description

failure

Used to generate accounting "stop" records for calls that fail to authenticate at login or during session negotiation.

success

Used to generate accounting "stop" records for calls that have either:

been authenticated by the remote AAA server. A "stop" record is sent after the call is terminated.

not been authenticated by the remote AAA server. A "stop" record is sent if one of the following is true: the start record has been sent, or the call is successfully established and is terminated with the "stop-only" configuration.

remote-server

Used to specify that the remote server is to be used.

vrf vrf-name

(Optional) Used to enable this feature for a particular Virtual Private Network (VPN) routing and forwarding configuration.


Defaults

Accounting "stop" records are sent only if one of the following is true:

A start record has been sent.

The call is successfully established with the "stop-only" configuration and is terminated.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

The vrf keyword and vrf-name argument were added.

12.4(2)T

The success and remote-server keywords were added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

When the aaa accounting command is activated, by default the Cisco IOS software does not generate accounting records for system users who fail login authentication or who succeed in login authentication but fail PPP negotiation for some reason. The aaa accounting command can be configured to send a "stop" record using either the start-stop keyword or the stop-only keyword.

When the aaa accounting command is issued with either the start-stop keyword or the stop-only keyword, the "stop" records can be further configured with the aaa accounting send stop-record authentication command. The failure and success keywords are mutually exclusive. If you have the aaa accounting send stop-record authentication command enabled with the failure keyword and then enable the same command with the success keyword, accounting stop records will no longer be generated for failed calls. Accounting stop records will now be sent for successful calls only until you issue either of the following commands:

no aaa accounting send stop-record authentication success {remote-server}

aaa accounting send stop-record authentication failure {remote-server}

When using the failure keyword, a "stop" record will be sent for calls that are rejected during authentication.

When using the success keyword, a "stop" record will be sent for calls that meet one of the following criteria:

Calls that are authenticated by a remote AAA server when the call is terminated.

Calls that are not authenticated by a remote AAA server and the start record has been sent.

Calls that are successfully established and then terminated with the "stop-only" aaa accounting configuration.

Use the vrf vrf-name keyword and argument to generate accounting "stop" records per Virtual Private Network (VPN) routing and forwarding configuration.
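Both aaa accounting resource stop-failure group and aaa accounting send stop-record authentication failure have the same effect on the accounting server: a "stop" record arrives for a call that never produced a "start". The following Python is an added example, not Cisco code or Cisco output, of what a log collector has to do with such records so that they are kept rather than discarded as unmatched: join each Stop to its Start per NAS and session ID, set the Stop-only leftovers aside, and count those per account as a pre-authentication failure signal. The record format is a constructed one-line key=value rendering; the field names follow RFC 2866 attribute names, but the sample lines are not real router or RADIUS-server output.

```python
"""Correlate RADIUS accounting records into sessions and pick out "orphan"
Stop records (a Stop with no preceding Start).

Added example, not Cisco code.  With aaa accounting resource ... stop-failure
or aaa accounting send stop-record authentication failure configured, a NAS
emits exactly such Stop-only records for calls that die before
authentication, so a collector that only joins Stop to Start silently drops
them.  The log format below is a constructed one-record-per-line key=value
rendering, not real IOS or RADIUS-server output.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample: one completed session (alice), three Stop-only records
# for bob within a few seconds (calls that failed before authentication and
# are visible only because the router sends stop records for failures), and
# one session still open (carol).
SAMPLE_LOG = """\
ts=1625628511 Acct-Status-Type=Start Acct-Session-Id=00000018 User-Name=alice NAS-IP-Address=10.0.0.1
ts=1625628540 Acct-Status-Type=Stop Acct-Session-Id=00000018 User-Name=alice NAS-IP-Address=10.0.0.1 Acct-Session-Time=29
ts=1625628550 Acct-Status-Type=Stop Acct-Session-Id=00000019 User-Name=bob NAS-IP-Address=10.0.0.1 Acct-Session-Time=0
ts=1625628551 Acct-Status-Type=Stop Acct-Session-Id=0000001A User-Name=bob NAS-IP-Address=10.0.0.1 Acct-Session-Time=0
ts=1625628552 Acct-Status-Type=Stop Acct-Session-Id=0000001B User-Name=bob NAS-IP-Address=10.0.0.1 Acct-Session-Time=0
ts=1625628600 Acct-Status-Type=Start Acct-Session-Id=0000001C User-Name=carol NAS-IP-Address=10.0.0.2
"""

_KV = re.compile(r"(\S+?)=(\S+)")


def parse_records(text: str) -> List[Record]:
    """Parse key=value records, one per line; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(_KV.findall(line)))
    return records


def correlate(records: List[Record]) -> Tuple[List[Tuple[Record, Record]], List[Record], List[Record]]:
    """Join Stop records to their Start.

    Acct-Session-Id is only unique per NAS, so the join key includes
    NAS-IP-Address.  Returns (completed, orphan_stops, still_open).
    """
    open_starts: Dict[Tuple[str, str], Record] = {}
    completed, orphans = [], []
    for rec in records:
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        status = rec["Acct-Status-Type"]
        if status == "Start":
            open_starts[key] = rec
        elif status == "Stop":
            start = open_starts.pop(key, None)
            if start is None:
                orphans.append(rec)  # Stop with no Start: call failed before authentication
            else:
                completed.append((start, rec))
    return completed, orphans, list(open_starts.values())


def failed_auth_bursts(orphans: List[Record], threshold: int, window: int) -> List[Tuple[str, str, int]]:
    """Flag (NAS, user) pairs with at least `threshold` orphan Stops inside any
    sliding window of `window` seconds: the accounting-side view of repeated
    failed attempts against one account on one access server."""
    by_key: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for rec in orphans:
        by_key[(rec["NAS-IP-Address"], rec["User-Name"])].append(int(rec["ts"]))
    flagged = []
    for (nas, user), times in by_key.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged.append((nas, user, best))
    return flagged


if __name__ == "__main__":
    completed, orphans, still_open = correlate(parse_records(SAMPLE_LOG))
    print(f"completed={len(completed)} orphan_stops={len(orphans)} open={len(still_open)}")
    for nas, user, n in failed_auth_bursts(orphans, threshold=3, window=60):
        print(f"burst: {n} pre-authentication stops for {user} on {nas}")
```

Without the failure-side stop records enabled on the router, the three Stop-only lines for bob would never reach the server at all, and the burst would be invisible to accounting-based monitoring; with them enabled, a collector that treats an unmatched Stop as a parse error rather than as data loses the same signal.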

Examples

The following example shows how to generate "stop" records for users who fail to authenticate at login or during session negotiation:

aaa accounting send stop-record authentication failure

The following example shows "start" and "stop" records being sent for a successful call when the aaa accounting send stop-record authentication command is issued with the failure keyword:

Router# show running-config | include aaa 
.
.
.
aaa new-model 
aaa authentication ppp default group radius 
aaa authorization network default local 
aaa accounting send stop-record authentication failure 
aaa accounting network default start-stop group radius 
.
.
.
*Jul  7 03:28:31.543: AAA/BIND(00000018): Bind i/f Virtual-Template2 
*Jul  7 03:28:31.547: ppp14 AAA/AUTHOR/LCP: Authorization succeeds trivially 
*Jul  7 03:28:33.555: AAA/AUTHOR (0x18): Pick method list 'default'
*Jul  7 03:28:33.555: AAA/BIND(00000019): Bind i/f  
*Jul  7 03:28:33.555:  Tnl 5192 L2TP: O SCCRQ 
*Jul  7 03:28:33.555:  Tnl 5192 L2TP: O SCCRQ, flg TLS, ver 2, len 141, tnl 0, 
ns 0, nr 0
         C8 02 00 8D 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 00 08 00 00
         00 06 11 30 80 10 00 00 00 07 4C 41 43 2D 74 75
         6E 6E 65 6C 00 19 00 00 00 08 43 69 73 63 6F 20
         53 79 73 74 65 6D 73 ...
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse SCCRP
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 2, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Protocol Ver 256
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 3, len 10, flag 0x8000 (M)
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Framing Cap 0x0
*Jul  7 03:28:33.563:  Tnl 5192 L2TP: Parse  AVP 4, len 10, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Bearer Cap 0x0
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 6, len 8, flag 0x0 
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Firmware Ver 0x1120
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 7, len 16, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Hostname LNS-tunnel
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 8, len 25, flag 0x0 
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Vendor Name Cisco Systems, Inc.
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 9, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Assigned Tunnel ID 6897
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 10, len 8, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Rx Window Size 20050
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 11, len 22, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Chlng  
         81 13 03 F6 A8 E4 1D DD 25 18 25 6E 67 8C 7C 39
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Parse  AVP 13, len 22, flag 0x8000 (M)
*Jul  7 03:28:33.567:  Tnl 5192 L2TP: Chlng Resp  
         4D 52 91 DC 1A 43 B3 31 B4 F5 B8 E1 88 22 4F 41
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: No missing AVPs in SCCRP
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: I SCCRP, flg TLS, ver 2, len 157, tnl 
5192, ns 0, nr 1
contiguous pak, size 157
         C8 02 00 9D 14 48 00 00 00 00 00 01 80 08 00 00
         00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00
         00 03 00 00 00 00 80 0A 00 00 00 04 00 00 00 00
         00 08 00 00 00 06 11 20 80 10 00 00 00 07 4C 4E
         53 2D 74 75 6E 6E 65 6C ...
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: I SCCRP from LNS-tunnel
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: O SCCCN  to LNS-tunnel tnlid 6897
*Jul  7 03:28:33.571:  Tnl 5192 L2TP: O SCCCN, flg TLS, ver 2, len 42, tnl 
6897, ns 1, nr 1
         C8 02 00 2A 1A F1 00 00 00 01 00 01 80 08 00 00
         00 00 00 03 80 16 00 00 00 0D 32 24 17 BC 6A 19
         B1 79 F3 F9 A9 D4 67 7D 9A DB
*Jul  7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ to LNS-tunnel 6897/0
*Jul  7 03:28:33.571: uid:14 Tnl/Sn 5192/11 L2TP: O ICRQ, flg TLS, ver 2, len 
63, tnl 6897, lsid 11, rsid 0, ns 2, nr 1
         C8 02 00 3F 1A F1 00 00 00 02 00 01 80 08 00 00
         00 00 00 0A 80 0A 00 00 00 0F C8 14 B4 03 80 08
         00 00 00 0E 00 0B 80 0A 00 00 00 12 00 00 00 00
         00 0F 00 09 00 64 0F 10 09 02 02 00 1B 00 00
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse  AVP 0, len 8, flag 
0x8000 (M)
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse ICRP
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Parse  AVP 14, len 8, flag 
0x8000 (M)
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: Assigned Call ID 5
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: No missing AVPs in ICRP
*Jul  7 03:28:33.575: uid:14 Tnl/Sn 5192/11 L2TP: I ICRP, flg TLS, ver 2, len 
28, tnl 5192, lsid 11, rsid 0, ns 1, nr 3
contiguous pak, size 28
         C8 02 00 1C 14 48 00 0B 00 01 00 03 80 08 00 00
         00 00 00 0B 80 08 00 00 00 0E 00 05
*Jul  7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN to LNS-tunnel 6897/5
*Jul  7 03:28:33.579: uid:14 Tnl/Sn 5192/11 L2TP: O ICCN, flg TLS, ver 2, len 
167, tnl 6897, lsid 11, rsid 5, ns 3, nr 2
         C8 02 00 A7 1A F1 00 05 00 03 00 02 80 08 00 00
         00 00 00 0C 80 0A 00 00 00 18 06 1A 80 00 00 0A
         00 00 00 26 06 1A 80 00 80 0A 00 00 00 13 00 00
         00 01 00 15 00 00 00 1B 01 04 05 D4 03 05 C2 23
         05 05 06 0A 0B E2 7A ...
*Jul  7 03:28:33.579: RADIUS/ENCODE(00000018):Orig. component type = PPoE
*Jul  7 03:28:33.579: RADIUS(00000018): Config NAS IP: 0.