Accounting configuration

To enable, disable, or view user accounting on a server designated by the aaa-server command, use the aaa accounting command. Accounting is provided for all services, or it can be limited to one or more services. The user accounting services keep a record of which network services a user has accessed. These records are kept on the designated AAA server or servers. Accounting information is sent only to the active server in a server group unless simultaneous accounting is enabled. The aaa accounting command applies only to TACACS+ and RADIUS servers.

To enable the generation of an accounting record, the administrator identifies a traffic flow with an ACL and applies the ACL to the aaa accounting match command. In the example in Figure , the ACL 110 identifies the FTP and HTTP traffic flow from any host to the WWW server at IP address 192.168.2.10. The match acl_name option in the aaa accounting match command instructs the PIX Security Appliance to generate an accounting record when the action the user is trying to perform matches the actions specified in the ACL. Therefore, any time a user tries to access the WWW server via FTP or HTTP, an accounting record is generated and sent to the accounting server NY_ACS.

When user accounting records are configured to be kept on the AAA server, traffic that is not specified by an aaa accounting include statement is not processed. In the example in Figure , accounting records are kept on the AAA server for all outbound connections except for those connections originating from host 10.0.0.34.

The syntax for the aaa accounting command is shown in Figure .

Console Session Accounting
The administrator can enable the generation of accounting records to mark the establishment and termination of PIX Security Appliance console access with the aaa accounting console command. In the example in Figure , the username and password for student1 are added to the PIX local database. Next, the administrator configures the PIX to authenticate all Telnet access sessions using the local database to authenticate users. Lastly, an accounting record is generated for each Telnet session. The record is sent to the NY_ACS server.

Command Accounting
When the aaa accounting command command is configured, each command entered by a user is recorded and sent to the accounting server or servers. The optional privilege specification indicates the minimum privilege level that must be associated with a command for an accounting record to be generated. This command applies only to TACACS+ servers. The name of the server or server group to which this command applies must be specified. In the example in Figure , the administrator configures the PIX Security Appliance to record all changes to the configuration by users accessing the PIX with privilege level 15 and lower.
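The following PIX 6.x configuration fragment is an added example, not part of the original lesson or its figures, that gathers the accounting commands described above (match-based accounting, include/exclude accounting, console session accounting and command accounting) into one place. The interface names, the AAA server address, the shared key and the user password are assumptions; NY_ACS, ACL 110, host 192.168.2.10, host 10.0.0.34 and user student1 are taken from the text.

```cisco
! Added example (not from the lesson). Interface names, the server
! address and the key are assumptions; NY_ACS, ACL 110, 192.168.2.10,
! 10.0.0.34 and student1 come from the text.

! Accounting server group: accounting works only with TACACS+ or RADIUS.
aaa-server NY_ACS protocol tacacs+
aaa-server NY_ACS (inside) host 10.0.0.10 TACACS_KEY_PLACEHOLDER timeout 10

! Option A - match-based accounting: ACL 110 identifies FTP and HTTP
! from any host to the WWW server; each matching flow produces a record.
access-list 110 permit tcp any host 192.168.2.10 eq ftp
access-list 110 permit tcp any host 192.168.2.10 eq www
aaa accounting match 110 outside NY_ACS

! Option B - include/exclude accounting (the lesson shows this as a
! separate configuration, use one form or the other): account for all
! outbound connections except those originating from host 10.0.0.34.
aaa accounting include any outbound 0 0 0 0 NY_ACS
aaa accounting exclude any outbound 10.0.0.34 255.255.255.255 0 0 NY_ACS

! Console session accounting: local user, Telnet sessions authenticated
! against the local database, one accounting record per Telnet session.
username student1 password PASSWORD_PLACEHOLDER privilege 15
telnet 10.0.0.0 255.255.255.0 inside
aaa authentication telnet console LOCAL
aaa accounting telnet console NY_ACS

! Command accounting (TACACS+ only): the privilege keyword sets the
! minimum privilege level for which a record is generated.
aaa accounting command privilege 15 NY_ACS
```

The lines beginning with ! are annotations for the reader; the exclude statement takes precedence over the include statement, which is what yields "all outbound connections except 10.0.0.34".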

Lab Activity

Lab Exercise: Configure Local AAA on the PIX Security Appliance

In this lab, students will configure a local user account. Students will then configure and test inbound and outbound authentication, Telnet and HTTP console access, and Virtual Telnet authentication. Finally, students will change and test authentication timeouts and prompts.

Resources

Resource: How to View Accounting Information in CSACS