Command:

aaa accounting


Mode:

Router(config)#


Syntax:

aaa accounting {system | network | exec | connection | commands level | nested | suppress | update} {default | list-name} {start-stop | wait-start | stop-only | none} method1 [method2...]

no aaa accounting {system | network | exec | connection | commands level | nested | suppress | update}

 

Syntax Description:

system

Performs accounting for all system-level events not associated with users, such as reloads.

network

Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.

exec

To create a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, start, and stop times, use the exec keyword.

connection

Provides information about all outbound connections made from the network access server (NAS), such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin.

commands

Runs accounting for all commands at the specified privilege level.

level

Specific command level to track for accounting. Valid entries are 0 through 15.

default

Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

list-name

Character string used to name the list of accounting methods.

start-stop

Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting notice was received by the accounting server.

wait-start

As in start-stop, sends both a start and a stop accounting notice to the accounting server. However, if the wait-start keyword is used, the requested user service does not begin until the start accounting notice is acknowledged. A stop accounting notice is also sent.

stop-only

Sends a stop accounting notice at the end of the requested user process.

none

Disables accounting services on this line or interface.

resource

Provides start and stop records for calls that have passed user authentication, and provides stop records for calls that fail to authenticate.

nested

Provides accounting when starting PPP from EXEC; generates NETWORK records before the EXEC-STOP record.

update

Enables periodic interim accounting records to be sent to the accounting server.

method1 [method2...]

At least one of the keywords described in the table below.

 

Command Description:

 

To enable AAA accounting of requested services for billing or security purposes when using RADIUS or TACACS+, use the aaa accounting global configuration command. Use the no form of this command to disable accounting.

This command first appeared in Cisco IOS Release 10.3.

Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis. Method keywords are described in the table.

Table: AAA Accounting Methods

Keyword Description

group radius

Uses the list of all RADIUS servers to provide accounting services.

group tacacs+

Uses the list of all TACACS+ servers to provide accounting services.

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.

Cisco IOS software supports the following two methods for accounting:

 

 

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the method(s) tried in the given sequence.

Named accounting method lists are specific to the indicated type of accounting. To create a method list to provide accounting information for ARAP (network) sessions, use the arap keyword. To create a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, start and stop times, use the exec keyword. To create a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword. To create a method list to provide accounting information about all outbound connections made from the network access server, use the connection keyword. 


Note: System accounting does not use named accounting lists; only the default list for system accounting can be defined.


For minimal accounting, include the stop-only keyword to send a stop record accounting notice at the end of the requested user process. For more accounting, include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. For even more accounting control, include the wait-start keyword, which ensures that the start notice is received by the RADIUS or TACACS+ server before granting the user's process request. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.

When aaa accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method implemented.  The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix in the Security Configuration Guide.


Example:

In the following example, a default commands accounting method list is defined, where commands accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.

 

Router(config)#aaa accounting commands 15 default stop-only group tacacs+
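
The following audit script is an added example, not part of the original Cisco page. It parses aaa accounting method-list lines using the syntax above and reports the gaps the keyword descriptions imply: lists set to none, lists that send only a stop record, a named list for system accounting, accounting types with no list, and which command privilege levels actually produce records. The function names, the list name AUDIT, and the choice to report every unconfigured type are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not from the original page);
# AUDIT is a made-up list name.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 1 AUDIT none
aaa accounting system default wait-start group radius
"""

# Only the method-list forms are parsed; nested, suppress and update are skipped.
TYPES = ("system", "network", "exec", "connection", "commands")
LINE_RE = re.compile(
    r"^aaa accounting (?P<type>" + "|".join(TYPES) + r")"
    r"(?: (?P<level>\d+))? (?P<list>\S+) "
    r"(?P<mode>start-stop|wait-start|stop-only|none)(?: (?P<methods>.+))?$"
)

def parse_accounting(config):
    """Return one dict per 'aaa accounting' method-list line in the config."""
    entries = []
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"]) if entry["level"] else None
            entry["methods"] = re.findall(r"group \S+", entry["methods"] or "")
            entries.append(entry)
    return entries

def audit(config):
    """Return (findings, command levels that produce accounting records)."""
    entries = parse_accounting(config)
    findings = []
    for e in entries:
        label = f"{e['type']} {e['level']}" if e["type"] == "commands" else e["type"]
        if e["type"] == "system" and e["list"] != "default":
            findings.append(f"{label}: system accounting uses only the default list")
        if e["mode"] == "none":
            findings.append(f"{label} ({e['list']}): accounting disabled")
        elif e["mode"] == "stop-only":
            findings.append(f"{label} ({e['list']}): stop record only, no start record")
    # Assumed policy: report every accounting type that has no method list.
    for missing in sorted(set(TYPES) - {e["type"] for e in entries}):
        findings.append(f"{missing}: no method list defined")
    levels = sorted({e["level"] for e in entries if e["type"] == "commands"
                     and e["level"] is not None and e["mode"] != "none"})
    return findings, levels
```

Calling audit(SAMPLE_CONFIG) shows that the sample records commands only at privilege level 15, because command accounting is configured per level.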


Misconceptions:

 

This command can be used with TACACS or extended TACACS.


Related Commands:

 

aaa authorization

 

aaa new-model

 


© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education