

CiscoSecure ACS Accounting

Accounting is the third major function, after authentication and authorization, in a security system. Accounting can be used by network administrators to bill departments or customers for connection time. Accounting also enables administrators to track suspicious connection attempts into the network.

This chapter contains information about the CiscoSecure Access Control Server (ACS) software accounting database file and how to enable accounting using the software.

The following sections are included:


Note Accounting is supported only in Cisco IOS Release 11.0 and later.

The TACACS+ and RADIUS protocols both provide accounting information that includes start and stop times, login duration, and network resources used; however, each protocol delivers this information in a different manner. With TACACS+, the accounting data is stored in RDBMS tables through the database server (TCP) to ensure a more secure and complete accounting log. With RADIUS, this information can also be stored in a file. Both TACACS+ and RADIUS attribute information can be displayed from the CiscoSecure User Administration GUI, as explained in the chapter "Managing User Authentication and Authorization."

For more information on how the accounting database is set up, refer to the appendix "CiscoSecure ACS Database Structure."

Enabling Accounting on the NAS

To use the CiscoSecure ACS accounting feature, accounting must be enabled on the network access server (NAS). Confirm that the following two lines reside in the NAS configuration file:

aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+

This tells the NAS to generate data and place it in a file specified by the configuration file. This data can then be exported from the specified text file and formatted according to user specifications using one of three database programs: Sybase, SQLAnywhere, or ORACLE.

TACACS+ Accounting

This section presents accounting information that applies only if you are using the TACACS+ protocol.

For the TACACS+ protocol, all accounting data is stored in the relational database management system (RDBMS). From the RDBMS tables, you can run a special tool (described in the section "Extracting Key Accounting Data" later in this chapter) to export the accounting data to an ASCII file.

Caution When you specify any kind of accounting, the database will log every transaction. Depending on the number of transactions and the size of your database, the log file can expand and very quickly fill up your disk. For details, see the sections "Extracting Key Accounting Data" and "Displaying Group Membership for Accounting" later in this chapter.

Accounting Database Log for TACACS+

View the database log file with either a common text editor or through a database program such as ORACLE. An accounting record for TACACS+ is structured like the following example:

char    nas_name[] /* NAS name */
char    user_name[] /* username */
char    port_name[] /* port the connection is on */
char    remote_address[] /* where the user connected from */
char    record_type[] /* (start, update, stop etc) */
char    server[] /* hostname of the server, as an AV pair */
char    time[] /* time of this record, as an AV pair */
char    date[] /* date of this record, as an AV pair */
char    attribute_value_pairs[] /* there are an arbitrary number of these */
char    account_member_fn[] /* server attribute: user's group membership */

Use this log file to view the current operation of the accounting log. All entries placed in the accounting database are recorded here.

TACACS+ Accounting System Output

Each accounting record is terminated by the newline character (\n); record lengths are not fixed. All numeric values in attribute_value_pair strings are sent and recorded as decimal ASCII numbers. The accounting record file consists of a sequence of such records, written to stable storage on a periodic, configurable basis.

The following is sample output of the accounting system (with each line wrapped to fit onto the page):

nas4700	cons	tty0	async	start	server=TheNet	time=15:20:19	date=01/24/97 task_id=7	service=shell
nas2509	evo1	tty1	async	start	server=TheNet	time=16:16:18	date=01/24/97 task_id=12	service=shell
nas2509	evo1	tty1	async	start	server=TheNet	time=16:16:39	date=01/24/97 task_id=13 addr=200.200.200.198 	service=ppp
nas2509	evo1	tty1	async	update	server=TheNet	time=16:16:41	date=01/24/97 task_id=13	addr=200.200.200.198	service=ppp	protocol=ip addr=200.200.200.198

Before each write operation, the CiscoSecure ACS software checks the accounting file to see if its filename has changed and, if it has, the existing accounting file is closed and a new copy of the file is opened. This prevents any loss of data when you are archiving accounting data while the CiscoSecure ACS software is running.
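The following is an added example, not code from the original chapter or from the CiscoSecure ACS product, showing how a practitioner might parse records in the layout above and correlate them into sessions. It splits each newline-terminated record into the five fixed fields listed in the record structure followed by an arbitrary number of key=value pairs, groups records by NAS and task_id, and flags sessions that have a start but no stop (still active, or a stop record that was lost). The sample records are constructed from the four lines above plus a hypothetical stop record for task 13, including elapsed_time, bytes_in and bytes_out attributes that are assumed for illustration.

```python
"""Parse TACACS+ accounting records in the layout shown above and correlate
them into sessions by task_id, flagging sessions that never received a stop."""
from collections import defaultdict

# Constructed sample, modelled on the chapter's output: the four records above
# plus a hypothetical stop record for task 13 so that one session can be closed.
SAMPLE_RECORDS = """\
nas4700\tcons\ttty0\tasync\tstart\tserver=TheNet\ttime=15:20:19\tdate=01/24/97 task_id=7\tservice=shell
nas2509\tevo1\ttty1\tasync\tstart\tserver=TheNet\ttime=16:16:18\tdate=01/24/97 task_id=12\tservice=shell
nas2509\tevo1\ttty1\tasync\tstart\tserver=TheNet\ttime=16:16:39\tdate=01/24/97 task_id=13 addr=200.200.200.198 \tservice=ppp
nas2509\tevo1\ttty1\tasync\tupdate\tserver=TheNet\ttime=16:16:41\tdate=01/24/97 task_id=13\taddr=200.200.200.198\tservice=ppp\tprotocol=ip addr=200.200.200.198
nas2509\tevo1\ttty1\tasync\tstop\tserver=TheNet\ttime=16:20:41\tdate=01/24/97 task_id=13\taddr=200.200.200.198\tservice=ppp\tprotocol=ip\telapsed_time=242\tbytes_in=1024\tbytes_out=2048
"""

# Leading fixed columns in the order the record structure above lists them;
# everything after them is an arbitrary number of key=value pairs.
FIXED_FIELDS = ("nas_name", "user_name", "port_name", "remote_address", "record_type")


def parse_record(line):
    """Split one newline-terminated record into fixed fields plus an AV-pair dict."""
    tokens = line.split()  # tabs or spaces both delimit, as in the wrapped sample
    if len(tokens) < len(FIXED_FIELDS):
        raise ValueError(f"record has too few fields: {line!r}")
    record = dict(zip(FIXED_FIELDS, tokens[:len(FIXED_FIELDS)]))
    avpairs = {}
    for token in tokens[len(FIXED_FIELDS):]:
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed AV pair {token!r} in {line!r}")
        # A key may repeat (the update record carries addr= twice); keep the
        # first occurrence rather than letting a later duplicate overwrite it.
        avpairs.setdefault(key, value)
    record["avpairs"] = avpairs
    return record


def correlate_sessions(text):
    """Group records by (nas_name, task_id); a record without task_id gets its own bucket."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            record = parse_record(line)
            key = (record["nas_name"], record["avpairs"].get("task_id"))
            sessions[key].append(record)
    return dict(sessions)


def open_sessions(sessions):
    """Sessions with a start but no stop: still active, or a stop record was lost."""
    return sorted(key for key, records in sessions.items()
                  if not any(r["record_type"] == "stop" for r in records))


def stop_summary(records):
    """(elapsed_time, bytes_in, bytes_out) from the stop record, or None if none yet.
    Numeric values are decimal ASCII in the record, so int() is sufficient."""
    for record in records:
        if record["record_type"] == "stop":
            av = record["avpairs"]
            return tuple(int(av.get(k, "0")) for k in ("elapsed_time", "bytes_in", "bytes_out"))
    return None


if __name__ == "__main__":
    sessions = correlate_sessions(SAMPLE_RECORDS)
    for key in open_sessions(sessions):
        print("no stop record yet for", key)
    print("task 13 stop:", stop_summary(sessions[("nas2509", "13")]))
```

Splitting on any whitespace is deliberate: the sample shows that a line wrapped for the page may separate pairs with a space instead of a tab, and the AV-pair values in this output never contain whitespace themselves. Sessions that stay in the open list for longer than a port's expected lifetime are the ones worth examining when reconciling the log against billing or connection records.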

RADIUS Accounting

This section presents accounting information that applies if you are using the RADIUS protocol.

Accounting Database Log for RADIUS

The following examples show typical RADIUS accounting packets. The RADIUS server must be configured to record accounting packets to the RDBMS in order for the raw RADIUS accounting packet to follow this accounting structure. You can configure the RDBMS using the web-based interface. See the chapter "Managing User Authentication and Authorization" for more instructions.


Note The CiscoSecure ACS puts the first two lines of each packet in TACACS+ format.

The following is a typical example of a start packet for RADIUS:

Max1 ascchap 10119 5553025 start server=sand time=10:43:06 date=04/08/97 task_id=228932705
Tue Apr  8 11:43:06 1997
User-Name = "ascchap"
NAS-Identifier = 200.200.200.179
NAS-Port = 10119
Acct-Status-Type = Start
Acct-Delay-Time = 0
Acct-Session-Id = "228932705"
Acct-Authentic = RADIUS
Caller-Id = "5553025"
Client-Port-DNIS = "7149991111"
Framed-Protocol = PPP
Framed-Address = 100.100.100.100

The following is a typical example of a stop packet for RADIUS:

Max1 ascchap 10119 5553025 stop server=sand time=10:43:16 date=04/08/97 task_id=228932705
Tue Apr  8 11:43:16 1997
User-Name = "ascchap"
NAS-Identifier = 200.200.200.179
NAS-Port = 10119
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Session-Id = "228932705"
Acct-Authentic = RADIUS
Acct-Session-Time = 10
Acct-Input-Octets = 182
Acct-Output-Octets = 231
Acct-Input-Packets = 10
Acct-Output-Packets = 11
Ascend-Disconnect-Cause = 185
Ascend-Connect-Progress = 60
Ascend-Data-Rate = 64000
Ascend-PreSession-Time = 1
Ascend-Pre-Input-Octets = 182
Ascend-Pre-Output-Octets = 231
Ascend-Pre-Input-Packets = 10
Ascend-Pre-Output-Packets = 11
Ascend-Multilink-ID = 30
Ascend-Num-In-Multilink = 0
Caller-Id = "5553025"
Client-Port-DNIS = "7149991111"
Framed-Protocol = PPP
Framed-Address = 100.100.100.100

These packets can be viewed from a text editor and provide the current status (including password attributes and user values) of the user or group sending the data.
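As an added example, not code from the original chapter or from the CiscoSecure ACS product, the following parses packet dumps in the layout shown above and reconciles each session's Start and Stop packets. It reads the TACACS+-format first line, the timestamp on the second line, and the attribute lines, pairs packets by Acct-Session-Id, and checks whether the Acct-Session-Time the NAS reports agrees with the time observed between the two packets (after allowing for Acct-Delay-Time). The sample packets are constructed from the start and stop packets above, with the stop packet trimmed to the attributes the check uses; the five-second tolerance is an assumption.

```python
"""Parse the RADIUS accounting packet dumps shown above and reconcile each
session's Start/Stop pair: does the stop's Acct-Session-Time agree with the
time that elapsed between the two packets, and what did the session consume?"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the start packet above, and the stop packet above
# trimmed to the attributes the reconciliation uses.
START_PACKET = """\
Max1 ascchap 10119 5553025 start server=sand time=10:43:06 date=04/08/97 task_id=228932705
Tue Apr  8 11:43:06 1997
User-Name = "ascchap"
NAS-Identifier = 200.200.200.179
NAS-Port = 10119
Acct-Status-Type = Start
Acct-Delay-Time = 0
Acct-Session-Id = "228932705"
Acct-Authentic = RADIUS
Framed-Protocol = PPP
Framed-Address = 100.100.100.100
"""

STOP_PACKET = """\
Max1 ascchap 10119 5553025 stop server=sand time=10:43:16 date=04/08/97 task_id=228932705
Tue Apr  8 11:43:16 1997
User-Name = "ascchap"
NAS-Identifier = 200.200.200.179
NAS-Port = 10119
Acct-Status-Type = Stop
Acct-Delay-Time = 0
Acct-Session-Id = "228932705"
Acct-Authentic = RADIUS
Acct-Session-Time = 10
Acct-Input-Octets = 182
Acct-Output-Octets = 231
Acct-Input-Packets = 10
Acct-Output-Packets = 11
Framed-Protocol = PPP
Framed-Address = 100.100.100.100
"""

# The first line of each packet is in TACACS+ format, as the note above says.
HEADER_FIELDS = ("nas_name", "user_name", "port_name", "remote_address", "record_type")


def parse_packet(text):
    """Return a dict with the TACACS+-style header, the receive timestamp and the attributes."""
    lines = [l for l in text.splitlines() if l.strip()]
    if len(lines) < 3:
        raise ValueError("packet needs a header line, a timestamp line and attribute lines")
    packet = dict(zip(HEADER_FIELDS, lines[0].split()[:len(HEADER_FIELDS)]))
    # ctime() layout: the day of month is space padded; strptime tolerates the double space
    packet["received"] = datetime.strptime(lines[1].strip(), "%a %b %d %H:%M:%S %Y")
    attrs = {}
    for line in lines[2:]:
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"attribute line without '=': {line!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]            # quoted string attribute
        elif re.fullmatch(r"-?\d+", value):
            value = int(value)             # integer attribute (counters, port, delay)
        attrs[name.strip()] = value        # enums and addresses stay as text
    packet["attrs"] = attrs
    return packet


def reconcile(packets, tolerance_seconds=5):
    """Pair Start/Stop by Acct-Session-Id and check the stop's claimed duration."""
    by_session = defaultdict(dict)
    for p in packets:
        by_session[p["attrs"]["Acct-Session-Id"]][p["attrs"]["Acct-Status-Type"]] = p
    report = {}
    for session_id, parts in by_session.items():
        start, stop = parts.get("Start"), parts.get("Stop")
        if start is None or stop is None:
            report[session_id] = {"status": "open" if start else "stop-without-start"}
            continue
        # Acct-Delay-Time is how long the NAS held the packet before sending it,
        # so subtract it to recover when each event really happened.
        began = start["received"] - timedelta(seconds=start["attrs"].get("Acct-Delay-Time", 0))
        ended = stop["received"] - timedelta(seconds=stop["attrs"].get("Acct-Delay-Time", 0))
        observed = (ended - began).total_seconds()
        claimed = stop["attrs"]["Acct-Session-Time"]
        report[session_id] = {
            "status": "ok" if abs(observed - claimed) <= tolerance_seconds else "duration-mismatch",
            "user": stop["attrs"]["User-Name"],
            "session_time": claimed,
            "octets": stop["attrs"]["Acct-Input-Octets"] + stop["attrs"]["Acct-Output-Octets"],
        }
    return report


if __name__ == "__main__":
    for sid, row in reconcile([parse_packet(START_PACKET), parse_packet(STOP_PACKET)]).items():
        print(sid, row)
```

For the two packets above the check passes: the stop arrived ten seconds after the start and Acct-Session-Time is 10. A session that reports "open" long after its port should have gone idle, a stop with no matching start, or a claimed duration that disagrees with the observed one are the conditions an auditor of the billing data would want surfaced rather than silently summed.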

Typical Attribute-Value Pairs for RADIUS

Most RADIUS attribute-value pairs have equivalents in TACACS+, but they differ slightly. For example, the TACACS+ attribute event_id is equivalent to the RADIUS attribute Acct-Session-Id. See the appendix "RADIUS Attribute-Value Pairs and Dictionary Management" for more information, including a table comparing RADIUS and TACACS+ attributes.

Extracting Key Accounting Data

To help you prepare financial records, the CiscoSecure ACS provides a special tool called AcctExport that exports raw accounting data from the RDBMS table into an external file. AcctExport is especially helpful if you were using CiscoSecure ACS 1.x and already have a system that processes accounting data written to a specified file.

The information in this section applies to both TACACS+ and RADIUS.

To run the AcctExport tool:

Step 1 Change directories as follows:

$BASEDIR refers to your CiscoSecure ACS install directory.


Step 2 Run AcctExport as follows:

This command outputs all of your accounting data into the specified filename. If the file already exists, then its contents will be overwritten.


The filename is required and refers to the path name of the target file. When no option other than filename is given, AcctExport exports all accounting records, except the start records for the active sessions, to the file and then removes those records from the accounting tables. CiscoSecure does not need to be off-line for this.


The no_truncate option directs the tool to behave as in the default mode, except that no records are removed from the tables. If the clean option is specified, the tool exports all the accounting records present in the tables (regardless of whether their sessions are active) to the external file and deletes them from the tables. It also resets the sequence numbers that the CiscoSecure DBServer uses for accounting records. The sequence numbers identify each accounting record and each user session; they are in the range from 1 to 2,147,483,647. The current sequence numbers can be obtained from the cs_id table. When using this option, make sure that either CiscoSecure is off-line or accounting is turned off.


The accounting tables will not be emptied completely if the default option is used and there are active sessions.


Displaying Group Membership for Accounting

If you selected an option other than none or file from the Servers page of the web-based interface (as described in the section "Configuring ACS Profiles to Support RADIUS"), the CiscoSecure ACS software can add a field to each accounting record that will indicate the immediate group membership of the corresponding user. In this way, accounting organizations can easily know whether to adjust billing information according to the user's group association.

The ability to display group membership for billing and accounting is achieved by enabling the accounting feature on the NAS and by enabling the accounting member attribute in the CiscoSecure ACS web-based interface, as follows:


Note You will need to specify account = acct_fn for each registered user whose immediate group membership you want displayed in the accounting record.

Step 1 Go to this file:

Step 2 Open it with a text editor. Once in this file, go to this section:

Step 3 Change the first line from:

to:


Step 4 Change the second line from:

to:


Step 5 Restart the ACS server.

Step 6 From the CiscoSecure ACS web-based interface, select a group from the browser window.

Step 7 Select the Profile window.

Step 8 In the Options menu, select Accounting Member.

Step 9 Click Apply.

Step 10 Select the Accounting Member icon in the upper part of the Profile window. accounting_fn appears in the accounting field.

Step 11 Click Apply.

Step 12 Click Submit.

Copyright 1989-1997 © Cisco Systems Inc.