To enable, disable, or view user accounting on a server designated
by the aaa-server command, use the aaa
accounting command. Accounting is provided for all services, or it
can be limited to one or more services. The user accounting services keep a
record of which network services a user has accessed. These records are kept on
the designated AAA server or servers. Accounting information is sent only to
the active server in a server group unless simultaneous accounting is enabled.
The aaa accounting command applies only to TACACS+ and
RADIUS servers.
To enable the generation of an accounting record, the
administrator identifies a traffic flow with an ACL and applies that ACL with the
aaa accounting match command. In the example in Figure
, ACL 110
identifies FTP and HTTP traffic from any host to the WWW server at IP
address 192.168.2.10. The match acl_name option of
the aaa accounting match command instructs the PIX Security
Appliance to generate an accounting record whenever the action a user attempts
matches an entry in the ACL. Therefore, any time a user
tries to reach the WWW server via FTP or HTTP, an accounting record is generated
and sent to the accounting server NY_ACS.
When user accounting records
are configured to be kept on the AAA server with include and exclude statements,
traffic that is not specified by an include statement is not accounted for, and an
exclude statement removes a narrower flow from a broader include. In the example in
Figure
,
accounting records are kept on the AAA server for all outbound connections
except those originating from host 10.0.0.34.
The syntax of the aaa accounting command is shown in
Figure
.
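Both forms described above, the ACL-driven aaa accounting match and the include/exclude statements, as an added configuration example that is not taken from the course page or its figures. It assumes a TACACS+ server NY_ACS at 10.0.0.2 reachable through the inside interface, a placeholder shared key, and PIX 7.x command syntax (PIX 6.x differs slightly: no interface in parentheses on the aaa-server host line, and the keyword outbound in place of an interface name in include/exclude statements).

```cisco
! Added example (not from the original page). Assumed: NY_ACS is a TACACS+
! server at 10.0.0.2 on the inside interface; S3cr3tK3y is a placeholder key.
aaa-server NY_ACS protocol tacacs+
aaa-server NY_ACS (inside) host 10.0.0.2 S3cr3tK3y

! --- Form 1: accounting driven by an ACL (aaa accounting match) ---
! ACL 110 selects FTP and HTTP from any host to the WWW server 192.168.2.10.
access-list 110 permit tcp any host 192.168.2.10 eq ftp
access-list 110 permit tcp any host 192.168.2.10 eq www
! Generate a start and a stop record for every connection arriving on
! "inside" that matches ACL 110, and send them to NY_ACS.
aaa accounting match 110 inside NY_ACS

! --- Form 2: include/exclude statements ---
! Account for every outbound connection from any inside host ...
aaa accounting include any inside 0 0 0 0 NY_ACS
! ... except connections originating from 10.0.0.34. The exclude carves a
! narrower flow out of the broader include; traffic matched by no include
! statement is never accounted for.
aaa accounting exclude any inside 10.0.0.34 255.255.255.255 0 0 NY_ACS
```

Pick one form for a given flow; the two are listed together only for comparison. Verify the result with show running-config aaa on PIX 7.x. By default records go only to the active server of the NY_ACS group; on PIX 7.x the accounting-mode simultaneous setting in the aaa-server group configuration sends them to every server in the group.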
Console Session Accounting
The administrator can enable the
generation of accounting records that mark the establishment and termination of
PIX Security Appliance console access with the aaa accounting
console command. In the example in Figure
, the username
and password for student1 are added to the PIX local database. Next, the
administrator configures the PIX to authenticate all Telnet access sessions
against that local database. Lastly, an accounting record is
generated for each Telnet session and sent to the NY_ACS server.
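The console-accounting sequence just described, as an added configuration example that is not the page's own figure. It assumes NY_ACS is a TACACS+ server at 10.0.0.2 on the inside interface, that administrators connect from 10.0.0.0/24, and uses placeholder values for the shared key and student1's password; the PIX 7.x syntax is shown.

```cisco
! Added example (not from the original page). Assumed: NY_ACS at 10.0.0.2
! on "inside", admin network 10.0.0.0/24, placeholder key and password.
aaa-server NY_ACS protocol tacacs+
aaa-server NY_ACS (inside) host 10.0.0.2 S3cr3tK3y

! Local database entry the Telnet session authenticates against.
username student1 password Stud3nt1Pa55 privilege 15

! Allow Telnet to the appliance only from the admin network on "inside".
telnet 10.0.0.0 255.255.255.0 inside

! Authenticate every Telnet console session against the local database,
! so each accounting record carries a username ...
aaa authentication telnet console LOCAL
! ... and send a start record when the session is established and a stop
! record when it ends to NY_ACS. Accounting is enabled per access method;
! the ssh line below goes beyond the page's Telnet example.
aaa accounting telnet console NY_ACS
aaa accounting ssh console NY_ACS
```

Authentication is configured before accounting because a console session that is not authenticated yields no username to record.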
Command Accounting
When the aaa accounting
command command (that is, aaa accounting with the command keyword) is configured,
each command entered by a user is
recorded and sent to the accounting server or servers. The optional
privilege specification sets the minimum privilege
level that must be associated with a command for an accounting record to be
generated; commands below that level are not recorded. This command applies only
to TACACS+ servers. The name of the server
or server group to which this command applies must be specified. In the example
in Figure
, the
administrator configures the PIX Security Appliance to record all changes to
the configuration made by users holding privilege level 15; because the privilege
value is a minimum and 15 is the highest level, commands at lower privilege
levels are not recorded.
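The command-accounting configuration described above, as an added example that is not the page's own figure. It assumes NY_ACS is a TACACS+ server at 10.0.0.2 on the inside interface with a placeholder key, and PIX 7.x syntax.

```cisco
! Added example (not from the original page). Assumed: NY_ACS at 10.0.0.2
! on "inside"; S3cr3tK3y is a placeholder key.
aaa-server NY_ACS protocol tacacs+
aaa-server NY_ACS (inside) host 10.0.0.2 S3cr3tK3y

! Sessions must be authenticated so that each command record names a user.
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL

! Record every command whose privilege level is 15 or higher. Since 15 is
! the top level, this captures the configuration changes made by fully
! privileged users and nothing run at a lower level. The server tag must
! name a TACACS+ server or group; command accounting is not available for
! RADIUS.
aaa accounting command privilege 15 NY_ACS

! Lowering the floor records lower-privilege commands as well, for example
! show commands that run at level 0:
! aaa accounting command privilege 0 NY_ACS
```

Check the result with show running-config aaa and confirm on the TACACS+ server that one accounting record arrives per command entered.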