-
Cisco IOS Security Configuration Guide, Release 12.4T
-
Security Overview
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
AAA-SERVER-MIB Set Operation
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Server Load Balancing
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
- TACACS+
-
Configuring Kerberos
-
RADIUS
-
Traffic Filtering, Firewalls, and Virus Detection
-
Automatic Signature Extraction
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports, or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Object Groups for ACLs
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Controlling Access to a Virtual Terminal Line
-
Cisco IOS Firewall Overview
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
-
-
Configuring Context-Based Access Control
-
Configuring Context-based Access Control
-
Application Firewall - Instant Message Traffic Enforcement
-
Cisco IOS Firewall MIB
-
Cisco IOS Firewall Performance Improvements
-
Cisco IOS Firewall: SIP Enhancements: ALG and AIC
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Websense URL Filtering
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Granular Protocol Inspection
-
H.323 RAS Support in Cisco IOS Firewall
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
-
Transparent Cisco IOS Firewall
-
User Based Firewall Support
-
Virtual Fragmentation Reassembly
-
VRF Aware Cisco IOS Firewall
-
Zone-Based Policy Firewall
-
- Cisco IOS Intrusion Prevention System (IPS)
-
Flexible Packet Matching
-
Flexible Packet Matching XML Configuration
- Network Admission Control (NAC)
- Authentication Proxy
-
Configuring Port to Application Mapping
-
Lawful Intercept Architecture
-
-
IPSec and IKE
- Internet Key Exchange for IPSec VPNs
-
Security for VPNs with IPSec
-
Configuring Security for VPNs with IPSec
-
Cisco Easy VPN Remote
-
Cisco Group Encrypted Transport VPN
-
Crypto Access Check on Clear-Text Packets
-
DF Bit Override Functionality with IPSec Tunnels
-
Distinguished Name Based Crypto Maps
-
Dynamic Multipoint VPN (DMVPN)
-
Easy VPN Remote RSA Signature Support
-
Easy VPN Server
-
Invalid Security Parameter Index Recovery
-
IP Security VPN Monitoring
-
IPSec and IKE MIB Support for Cisco VRF-Aware IPSec
-
IPSec and Quality of Service
-
IPSec Anti-Replay Window: Expanding and Disabling
-
IPSec Dead Peer Detection Periodic Message Option
-
IPSec Diagnostics Enhancement
-
IPSec NAT Transparency
-
IPSec Preferred Peer
-
IPSec Security Association Idle Timers
-
IPSec--SNMP Support
-
IPsec Usability Enhancements
-
IPSec Virtual Tunnel Interface
-
IPSec VPN Accounting
-
IPSec VPN High Availability Enhancements
-
Low Latency Queueing (LLQ) for IPSec Encryption Engines
-
L2TP—IPSec Support for NAT and PAT Windows Clients
-
Per Tunnel QoS
-
Pre-Fragmentation for IPSec VPNs
-
Real-Time Resolution for IPSec Tunnel Peer
-
Reverse Route Injection
-
SafeNet IPSec VPN Client Support
-
Stateful Failover for IPSec
-
VRF-Aware Ipsec
-
-
Public Key Infrastructure (PKI)
-
Implementing and Managing PKI Features Roadmap
-
Cisco IOS PKI Overview: Understanding and Planning a PKI
-
Deploying RSA Keys Within a PKI
-
Configuring Authorization and Revocation of Certificates in a PKI
-
Configuring Certificate Enrollment for a PKI
-
Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI
-
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment
-
Storing PKI Credentials
-
- Other Security Features
- Secure Infrastructure
-
Appendixes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
-
TACACS+ Attribute-Value Pairs
-
RADIUS Attributes
-
Table Of Contents
Prerequisites for Configuring Accounting
Restrictions for Configuring Accounting
Information About Configuring Accounting
Named Method Lists for Accounting
Method Lists and Server Groups
How to Configure AAA Accounting
Configuring AAA Accounting Using Named Method Lists
Suppressing Generation of Accounting Records for Null Username Sessions
Generating Interim Accounting Records
Generating Accounting Records for Failed Login or Session
Specifying Accounting NETWORK-Stop Records Before EXEC-Stop Records
Configuring AAA Resource Failure Stop Accounting
Configuring AAA Resource Accounting for Start-Stop Records
Configuring AAA Broadcast Accounting
Configuring Per-DNIS AAA Broadcast Accounting
Establishing a Session with a Router if the AAA Server is Unreachable
Accounting Attribute-Value Pairs
Configuration Examples for AAA Accounting
Configuring Named Method List: Example
Configuring AAA Resource Accounting: Example
Configuring AAA Broadcast Accounting: Example
Configuring Per-DNIS AAA Broadcast Accounting: Example
Feature Information for Configuring Accounting
Configuring Accounting
The AAA accounting feature allows the services that users are accessing and the amount of network resources that users are consuming to be tracked. When AAA accounting is enabled, the network access server reports user activity to the TACACS+ or RADIUS security server (depending on which security method is implemented) in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, and auditing.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring Accounting" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Configuring Accounting
•
•
•
•
•
•
Prerequisites for Configuring Accounting
The following tasks must be performed before configuring accounting using named method lists:
•
•
Restrictions for Configuring Accounting
The AAA Accounting feature has the following restrictions:
•
•
ssg accounting interval command, the interim accounting records are sent only to the configured default RADIUS server.Information About Configuring Accounting
The following sections discuss how Accounting feature:
•
Named Method Lists for Accounting
Like authentication and authorization method lists, method lists for accounting define the way accounting is performed and the sequence in which these methods are performed.
Named accounting method lists allow particular security protocol to be designated and used on specific lines or interfaces for accounting services. The only exception is the default method list (which, by coincidence, is named "default"). The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined. A defined method list overrides the default method list.
A method list is simply a named list describing the accounting methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists allow one or more security protocols to be designated and used for accounting, thus ensuring a backup system for accounting in case the initial method fails. Cisco IOS software uses the first method listed to support accounting; if that method fails to respond, the Cisco IOS software selects the next accounting method listed in the method list. This process continues until there is successful communication with a listed accounting method, or all methods defined are exhausted.
Note
Accounting method lists are specific to the type of accounting being requested. AAA supports six different types of accounting:
•
•
•
•
•
•
Note
Once again, when a named method list is created, a particular list of accounting methods for the indicated accounting type are defined.
Accounting method lists must be applied to specific lines or interfaces before any of the defined methods are performed. The only exception is the default method list (which is named "default"). If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
This section includes the following subsections:
•
Method Lists and Server Groups
A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists. Figure 1 shows a typical AAA network configuration that includes four security servers: R1 and R2 are RADIUS servers, and T1 and T2 are TACACS+ servers. R1 and R2 comprise the group of RADIUS servers. T1 and T2 comprise the group of TACACS+ servers.
Figure 1 Typical AAA Network Configuration
In Cisco IOS software, RADIUS and TACACS+ server configurations are global. A subset of the configured server hosts can be specified using server groups. These server groups can be used for a particular service. For example, server groups allow R1 and R2 to be defined as separate server groups (SG1 and SG2), and T1 and T2 as separate server groups (SG3 and SG4). This means either R1 and T1 (SG1 and SG3) can be specified in the method list or R2 and T2 (SG2 and SG4) in the method list, which provides more flexibility in the way that RADIUS and TACACS+ resources are assigned.
Server groups also can include multiple host entries for the same server, as long as each entry has a unique identifier. The combination of an IP address and a UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. In other words, this unique identifier enables RADIUS requests to be sent to different UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server tries the second host entry configured on the same device for accounting services. (The RADIUS host entries are tried in the order in which they are configured.)
For more information about configuring server groups and about configuring server groups based on DNIS numbers, see "Configuring RADIUS" or "Configuring TACACS+" in the Cisco IOS Security Configuration Guide.
AAA Accounting Methods
Cisco IOS supports the following two methods for accounting:
•
•
AAA Accounting Types
AAA supports six different accounting types:
Network Accounting
Network accounting provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.
The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through an EXEC session:
Wed Jun 27 04:44:45 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 5User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "562"Acct-Status-Type = StartAcct-Authentic = RADIUSService-Type = Exec-UserAcct-Session-Id = "0000000D"Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"Wed Jun 27 04:45:00 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 5User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "562"Acct-Status-Type = StartAcct-Authentic = RADIUSService-Type = FramedAcct-Session-Id = "0000000E"Framed-IP-Address = "10.1.1.2"Framed-Protocol = PPPAcct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"Wed Jun 27 04:47:46 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 5User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "562"Acct-Status-Type = StopAcct-Authentic = RADIUSService-Type = FramedAcct-Session-Id = "0000000E"Framed-IP-Address = "10.1.1.2"Framed-Protocol = PPPAcct-Input-Octets = 3075Acct-Output-Octets = 167Acct-Input-Packets = 39Acct-Output-Packets = 9Acct-Session-Time = 171Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"Wed Jun 27 04:48:45 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 5User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "408"Acct-Status-Type = StopAcct-Authentic = RADIUSService-Type = Exec-UserAcct-Session-Id = "0000000D"Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"The following example shows the information contained in a TACACS+ network accounting record for a PPP user who first started an EXEC session:
Wed Jun 27 04:00:35 2001 172.16.25.15 username1 tty4 562/4327528 starttask_id=28 service=shellWed Jun 27 04:00:46 2001 172.16.25.15 username1 tty4 562/4327528 starttask_id=30 addr=10.1.1.1 service=pppWed Jun 27 04:00:49 2001 172.16.25.15 username1 tty4 408/4327528 update task_id=30 addr=10.1.1.1 service=ppp protocol=ip addr=10.1.1.1Wed Jun 27 04:01:31 2001 172.16.25.15 username1 tty4 562/4327528 stoptask_id=30 addr=10.1.1.1 service=ppp protocol=ip addr=10.1.1.1 bytes_in=2844 bytes_out=1682 paks_in=36 paks_out=24 elapsed_time=51Wed Jun 27 04:01:32 2001 172.16.25.15 username1 tty4 562/4327528 stoptask_id=28 service=shell elapsed_time=57
Note
The following example shows the information contained in a RADIUS network accounting record for a PPP user who comes in through autoselect:
Wed Jun 27 04:30:52 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 3User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "562"Acct-Status-Type = StartAcct-Authentic = RADIUSService-Type = FramedAcct-Session-Id = "0000000B"Framed-Protocol = PPPAcct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"Wed Jun 27 04:36:49 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 3User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "562"Acct-Status-Type = StopAcct-Authentic = RADIUSService-Type = FramedAcct-Session-Id = "0000000B"Framed-Protocol = PPPFramed-IP-Address = "10.1.1.1"Acct-Input-Octets = 8630Acct-Output-Octets = 5722Acct-Input-Packets = 94Acct-Output-Packets = 64Acct-Session-Time = 357Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"The following example shows the information contained in a TACACS+ network accounting record for a PPP user who comes in through autoselect:
Wed Jun 27 04:02:19 2001 172.16.25.15 username1 Async5 562/4327528 starttask_id=35 service=pppWed Jun 27 04:02:25 2001 172.16.25.15 username1 Async5 562/4327528 update task_id=35 service=ppp protocol=ip addr=10.1.1.2Wed Jun 27 04:05:03 2001 172.16.25.15 username1 Async5 562/4327528 stoptask_id=35 service=ppp protocol=ip addr=10.1.1.2 bytes_in=3366 bytes_out=2149 paks_in=42 paks_out=28 elapsed_time=164Connection Accounting
Connection accounting provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin.
The following example shows the information contained in a RADIUS connection accounting record for an outbound Telnet connection:
Wed Jun 27 04:28:00 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 2User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "5622329477"Acct-Status-Type = StartAcct-Authentic = RADIUSService-Type = LoginAcct-Session-Id = "00000008"Login-Service = TelnetLogin-IP-Host = "10.68.202.158"Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"Wed Jun 27 04:28:39 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 2User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "5622329477"Acct-Status-Type = StopAcct-Authentic = RADIUSService-Type = LoginAcct-Session-Id = "00000008"Login-Service = TelnetLogin-IP-Host = "10.68.202.158"Acct-Input-Octets = 10774Acct-Output-Octets = 112Acct-Input-Packets = 91Acct-Output-Packets = 99Acct-Session-Time = 39Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"The following example shows the information contained in a TACACS+ connection accounting record for an outbound Telnet connection:
Wed Jun 27 03:47:43 2001 172.16.25.15 username1 tty3 5622329430/4327528 start task_id=10 service=connection protocol=telnet addr=10.68.202.158 cmd=telnet username1-sunWed Jun 27 03:48:38 2001 172.16.25.15 username1 tty3 5622329430/4327528 stop task_id=10 service=connection protocol=telnet addr=10.68.202.158 cmd=telnet username1-sun bytes_in=4467 bytes_out=96 paks_in=61 paks_out=72 elapsed_time=55The following example shows the information contained in a RADIUS connection accounting record for an outbound rlogin connection:
Wed Jun 27 04:29:48 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 2User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "5622329477"Acct-Status-Type = StartAcct-Authentic = RADIUSService-Type = LoginAcct-Session-Id = "0000000A"Login-Service = RloginLogin-IP-Host = "10.68.202.158"Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"Wed Jun 27 04:30:09 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 2User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "5622329477"Acct-Status-Type = StopAcct-Authentic = RADIUSService-Type = LoginAcct-Session-Id = "0000000A"Login-Service = RloginLogin-IP-Host = "10.68.202.158"Acct-Input-Octets = 18686Acct-Output-Octets = 86Acct-Input-Packets = 90Acct-Output-Packets = 68Acct-Session-Time = 22Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"The following example shows the information contained in a TACACS+ connection accounting record for an outbound rlogin connection:
Wed Jun 27 03:48:46 2001 172.16.25.15 username1 tty3 5622329430/4327528 start task_id=12 service=connection protocol=rlogin addr=10.68.202.158 cmd=rlogin username1-sun /user username1Wed Jun 27 03:51:37 2001 172.16.25.15 username1 tty3 5622329430/4327528 stop task_id=12 service=connection protocol=rlogin addr=10.68.202.158 cmd=rlogin username1-sun /user username1 bytes_in=659926 bytes_out=138 paks_in=2378 paks_out=1251 elapsed_time=171The following example shows the information contained in a TACACS+ connection accounting record for an outbound LAT connection:
Wed Jun 27 03:53:06 2001 172.16.25.15 username1 tty3 5622329430/4327528 start task_id=18 service=connection protocol=lat addr=VAX cmd=lat VAXWed Jun 27 03:54:15 2001 172.16.25.15 username1 tty3 5622329430/4327528 stop task_id=18 service=connection protocol=lat addr=VAX cmd=lat VAX bytes_in=0 bytes_out=0 paks_in=0 paks_out=0 elapsed_time=6EXEC Accounting
EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.
The following example shows the information contained in a RADIUS EXEC accounting record for a dial-in user:
Wed Jun 27 04:26:23 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 1User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "5622329483"Acct-Status-Type = StartAcct-Authentic = RADIUSService-Type = Exec-UserAcct-Session-Id = "00000006"Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"Wed Jun 27 04:27:25 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 1User-Name = "username1"Client-Port-DNIS = "4327528"Caller-ID = "5622329483"Acct-Status-Type = StopAcct-Authentic = RADIUSService-Type = Exec-UserAcct-Session-Id = "00000006"Acct-Session-Time = 62Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"The following example shows the information contained in a TACACS+ EXEC accounting record for a dial-in user:
Wed Jun 27 03:46:21 2001 172.16.25.15 username1 tty3 5622329430/4327528 start task_id=2 service=shellWed Jun 27 04:08:55 2001 172.16.25.15 username1 tty3 5622329430/4327528 stop task_id=2 service=shell elapsed_time=1354The following example shows the information contained in a RADIUS EXEC accounting record for a Telnet user:
Wed Jun 27 04:48:32 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 26User-Name = "username1"Caller-ID = "10.68.202.158"Acct-Status-Type = StartAcct-Authentic = RADIUSService-Type = Exec-UserAcct-Session-Id = "00000010"Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"Wed Jun 27 04:48:46 2001NAS-IP-Address = "172.16.25.15"NAS-Port = 26User-Name = "username1"Caller-ID = "10.68.202.158"Acct-Status-Type = StopAcct-Authentic = RADIUSService-Type = Exec-UserAcct-Session-Id = "00000010"Acct-Session-Time = 14Acct-Delay-Time = 0User-Id = "username1"NAS-Identifier = "172.16.25.15"The following example shows the information contained in a TACACS+ EXEC accounting record for a Telnet user:
Wed Jun 27 04:06:53 2001 172.16.25.15 username1 tty26 10.68.202.158 starttask_id=41 service=shellWed Jun 27 04:07:02 2001 172.16.25.15 username1 tty26 10.68.202.158 stoptask_id=41 service=shell elapsed_time=9System Accounting
System accounting provides information about all system-level events (for example, when the system reboots or when accounting is turned on or off).
The following accounting record shows a typical TACACS+ system accounting record server indicating that AAA accounting has been turned off:
Wed Jun 27 03:55:32 2001 172.16.25.15 unknown unknown unknown start task_id=25 service=system event=sys_acct reason=reconfigure
Note
The following accounting record shows a TACACS+ system accounting record indicating that AAA accounting has been turned on:
Wed Jun 27 03:55:22 2001 172.16.25.15 unknown unknown unknown stop task_id=23 service=system event=sys_acct reason=reconfigureAdditional tasks for measuring system resources are covered in the Cisco IOS software configuration guides. For example, IP accounting tasks are described in the chapter"Configuring IP Services" in the Cisco IOS Application Services Configuration Guide.
Command Accounting
Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.
The following example shows the information contained in a TACACS+ command accounting record for privilege level 1:
Wed Jun 27 03:46:47 2001 172.16.25.15 username1 tty3 5622329430/4327528 stop task_id=3 service=shell priv-lvl=1 cmd=show version <cr>Wed Jun 27 03:46:58 2001 172.16.25.15 username1 tty3 5622329430/4327528 stop task_id=4 service=shell priv-lvl=1 cmd=show interfaces Ethernet 0 <cr>Wed Jun 27 03:47:03 2001 172.16.25.15 username1 tty3 5622329430/4327528 stop task_id=5 service=shell priv-lvl=1 cmd=show ip route <cr>The following example shows the information contained in a TACACS+ command accounting record for privilege level 15:
Wed Jun 27 03:47:17 2001 172.16.25.15 username1 tty3 5622329430/4327528 stop task_id=6 service=shell priv-lvl=15 cmd=configure terminal <cr>Wed Jun 27 03:47:21 2001 172.16.25.15 username1 tty3 5622329430/4327528 stop task_id=7 service=shell priv-lvl=15 cmd=interface Serial 0 <cr>Wed Jun 27 03:47:29 2001 172.16.25.15 username1 tty3 5622329430/4327528 stop task_id=8 service=shell priv-lvl=15 cmd=ip address 10.
