aaa accounting
To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.
aaa accounting { auth-proxy | system | network | exec | connections | commands level} { default | list-name} { start-stop | stop-only | none} [ broadcast] group group-name
no aaa accounting { auth-proxy | system | network | exec | connections | commands level} { default | list-name} { start-stop | stop-only | none} [ broadcast] group group-name
Syntax Description
auth-proxy | Provides information about all authenticated-proxy user events. |
system | Performs accounting for all system-level events not associated with users, such as reloads. |
network | Runs accounting for all network-related service requests. |
exec | Runs accounting for EXEC shell session. This keyword might return user profile information such as what is generated by the autocommand command. |
connection | Provides information about all outbound connections made from the network access server. |
commands level | Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15. |
default | Uses the listed accounting methods that follow this argument as the default list of methods for accounting services. |
list-name | Character string used to name the list of at least one of the accounting methods described in |
start-stop | Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server. |
stop-only | Sends a "stop" accounting notice at the end of the requested user process. |
none | Disables accounting services on this line or interface. |
broadcast | (Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group. |
group groupname | At least one of the keywords described in the AAA Accounting Methods table. |
Command Default
AAA accounting is disabled.
Command Modes
Global configuration (config)
Command History
Release | Modification |
---|---|
Cisco IOS XE Everest 16.5.1a | This command was introduced. |
Usage Guidelines
Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis.
Keyword | Description |
---|---|
group radius | Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command. |
group tacacs+ | Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command. |
group group-name | Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name. |
In the AAA Accounting Methods table, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius server and tacacs server commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.
Cisco IOS XE software supports the following two methods of accounting:
- RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
- TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the methods to be tried in sequence as given.
If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Note | System accounting does not use named accounting lists; you can only define the default list for system accounting. |
For minimal accounting, include the stop-only keyword to send a stop record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server.
Note | This command cannot be used with TACACS or extended TACACS. |
Examples
This example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction:
Device> enable
Device# configure terminal
Device(config)# aaa accounting commands 15 default stop-only group TACACS+
Device(config)# exit
This example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a stop-only restriction. The aaa accounting command activates authentication proxy accounting.
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication login default group TACACS+
Device(config)# aaa authorization auth-proxy default group TACACS+
Device(config)# aaa accounting auth-proxy default start-stop group TACACS+
Device(config)# exit
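The following is an added example, not part of the original Cisco documentation: a short Python audit that parses aaa accounting lines using the syntax described on this page and flags the cases the usage guidelines call out (no default method list, the none keyword, a named list for system accounting). The sample configuration, the list names MGMT and AUDIT, and the set of required accounting types are assumptions.

```python
# Keywords follow this page's syntax description; the audit policy is an assumption.
TYPES = {"auth-proxy", "system", "network", "exec", "connection", "commands"}
RECORDS = {"start-stop", "stop-only", "none"}

SAMPLE = """\
aaa new-model
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 MGMT stop-only group tacacs+
aaa accounting network default none
aaa accounting system AUDIT start-stop group radius
"""  # constructed running-config excerpt, not from a real device

def parse(line):
    """Parse one 'aaa accounting' line into a dict, or return None."""
    tok = line.split()
    if tok[:2] != ["aaa", "accounting"] or len(tok) < 5:
        return None
    kind, tok = tok[2], tok[3:]
    if kind not in TYPES:
        return None
    level = None
    if kind == "commands":  # 'commands' is followed by a privilege level
        if not tok[0].isdigit():
            return None
        level, tok = int(tok[0]), tok[1:]
    if len(tok) < 2 or tok[1] not in RECORDS:
        return None
    group = tok[tok.index("group", 2) + 1] if "group" in tok[2:-1] else None
    return {"type": kind, "level": level, "list": tok[0], "record": tok[1],
            "broadcast": "broadcast" in tok[2:], "group": group}

def audit(config, required=("exec", "commands 15", "system")):
    """Return findings for a config text; 'required' is the assumed policy."""
    defaults, findings = set(), []
    for e in filter(None, map(parse, config.splitlines())):
        name = e["type"] + ("" if e["level"] is None else f" {e['level']}")
        if e["type"] == "system" and e["list"] != "default":
            findings.append(f"{name}: system accounting only uses the default list")
        if e["record"] == "none":
            findings.append(f"{name} list {e['list']}: accounting disabled (none)")
        elif e["group"] is None:
            findings.append(f"{name} list {e['list']}: no server group given")
        if e["list"] == "default" and e["record"] != "none":
            defaults.add(name)
    for name in required:
        if name not in defaults:
            findings.append(f"{name}: no default method list defined")
    return findings
```

Calling audit(SAMPLE) returns one finding per gap; lines or interfaces without a named list rely entirely on the default list for that accounting type.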