Accounting management enables you to track individual and group use of network resources. You can then reallocate resources as needed. (Refer to the "Accounting and Billing Commands" chapter in the Security Command Reference.)
This chapter describes the following accounting tasks:
Additional tasks for measuring system resources are covered in other chapters in the Cisco IOS software configuration guides. For example, IP accounting tasks are described in the "Configuring IP" chapter in the Network Protocols Configuration Guide, Part 1.
The aaa accounting command allows you to create a record for any or all of the listed functions that this command monitors. For minimal accounting, use the stop-only keyword, which instructs the specified authentication system to send a stop record accounting notice at the end of the requested user process. For more detailed accounting, use the start-stop keyword to send a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. You can further control access and accounting by using the wait-start keyword, which ensures that the TACACS+ security server receives the start notice before granting the user's process request. Accounting is tracked on the authentication server.
Before using the aaa accounting command, you must initialize AAA authentication as described in the "Configure AAA/TACACS+" section in the "Configuring Network Access Security" chapter.
To enable AAA accounting, perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Enable accounting. | aaa accounting {system \| network \| exec \| command level} {start-stop \| wait-start \| stop-only} tacacs+ |
When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. An example of this is users who come in on lines where the aaa authentication login method-list none command is applied. To prevent accounting records from being generated for sessions that do not have usernames associated with them, perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Prevent accounting records from being generated for users whose username string is NULL. | aaa accounting suppress null-username |
To enable periodic interim accounting records to be sent to the accounting server, perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Enable periodic interim accounting records to be sent to the accounting server. | aaa accounting update {newinfo \| periodic number} |
When the aaa accounting update command is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the keyword newinfo is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IPCP completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.
When used with the keyword periodic, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the interim accounting record is sent.
These two keywords are mutually exclusive: whichever keyword is configured last takes precedence over the previous configuration. For example, if you configure aaa accounting update periodic, and then configure aaa accounting update newinfo, all users currently logged in will continue to generate periodic interim accounting records. All new users will generate accounting records based on the newinfo algorithm.
Caution: Using the aaa accounting update periodic command can cause heavy congestion when many users are logged in to the network.
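The following added example (not part of the original Cisco documentation) audits a list of aaa accounting commands for coverage gaps, using only the syntax and semantics described above. The function name, the finding texts and the sample command list are assumptions constructed for illustration.

```python
import re

# Syntax taken from the command tables on this page; the sample is constructed.
ACCT_RE = re.compile(r"^aaa accounting (system|network|exec|command \d+) "
                     r"(start-stop|wait-start|stop-only) (\S+)$")
UPDATE_RE = re.compile(r"^aaa accounting update (newinfo|periodic \d+)$")
FUNCTIONS = ("system", "network", "exec", "command")

SAMPLE_CONFIG = """\
aaa accounting exec start-stop tacacs+
aaa accounting network stop-only tacacs+
aaa accounting command 15 wait-start tacacs+
aaa accounting update periodic 5
aaa accounting update newinfo
aaa accounting suppress null-username
"""

def audit_accounting(commands):
    """Summarise accounting coverage from commands listed in the order entered."""
    modes, update, suppress_null = {}, None, False
    for raw in commands.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if (m := ACCT_RE.match(line)):
            modes[m.group(1)] = m.group(2)
        elif (m := UPDATE_RE.match(line)):
            update = m.group(1)               # keyword configured last takes precedence
        elif line == "aaa accounting suppress null-username":
            suppress_null = True
    # Functions with no aaa accounting line at all produce no records.
    covered = {name.split()[0] for name in modes}
    findings = [f"{fn}: not accounted" for fn in FUNCTIONS if fn not in covered]
    # stop-only sends a single record, at the end of the process.
    findings += [f"{name}: stop-only, no record until the process ends"
                 for name, mode in modes.items() if mode == "stop-only"]
    if suppress_null:
        findings.append("sessions without a username produce no records")
    if update and update.startswith("periodic"):
        findings.append("periodic interim updates: check load with many users")
    return {"modes": modes, "update": update,
            "suppress_null": suppress_null, "findings": findings}

if __name__ == "__main__":
    for finding in audit_accounting(SAMPLE_CONFIG)["findings"]:
        print(finding)
```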
To obtain accounting records for actively accounted functions, perform the following task in EXEC mode:
| Task | Command |
|---|---|
| Step through all active sessions to print all the accounting records for the actively accounted functions. | show accounting |
When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. To prevent accounting records from being generated for users who do not have usernames associated with them, perform the following task in global configuration mode:
| Task | Command |
|---|---|
| Prevent accounting records from being generated for users whose username string is NULL. | aaa accounting suppress null-username |
In the following sample configuration, RADIUS-style authorization is used to track all usage of the following:
```
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
aaa accounting system start-stop radius
```
The show accounting command yields the following output for the above configuration:
```
Active Accounted actions on tty0, User billw Priv 1
 Task ID 2, EXEC Accounting record, 00:02:13 Elapsed
 task_id=2 service=shell
 Task ID 3, Connection Accounting record, 00:02:07 Elapsed
 task_id=3 service=connection protocol=telnet address=172.21.14.90 cmd=synth
Active Accounted actions on tty1, User rubble Priv 1
 Task ID 5, Network Accounting record, 00:00:52 Elapsed
 task_id=5 service=ppp protocol=ip address=10.0.0.98
Active Accounted actions on tty10, User bill Priv 1
 Task ID 4, EXEC Accounting record, 00:00:53 Elapsed
 task_id=4 service=shell
```
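As an added example (not part of the original Cisco documentation), the parser below turns show accounting output of the form shown above into structured records that can be reviewed or exported. It assumes one session header, task header or attribute list per line; the function name and record field names are hypothetical.

```python
import re

# The show accounting output from this page, laid out one record per line (assumed layout).
SAMPLE = """\
Active Accounted actions on tty0, User billw Priv 1
 Task ID 2, EXEC Accounting record, 00:02:13 Elapsed
 task_id=2 service=shell
 Task ID 3, Connection Accounting record, 00:02:07 Elapsed
 task_id=3 service=connection protocol=telnet address=172.21.14.90 cmd=synth
Active Accounted actions on tty1, User rubble Priv 1
 Task ID 5, Network Accounting record, 00:00:52 Elapsed
 task_id=5 service=ppp protocol=ip address=10.0.0.98
Active Accounted actions on tty10, User bill Priv 1
 Task ID 4, EXEC Accounting record, 00:00:53 Elapsed
 task_id=4 service=shell
"""

SESSION_RE = re.compile(r"^Active Accounted actions on (\S+), User (\S+) Priv (\d+)$")
TASK_RE = re.compile(r"^Task ID (\d+), (\w+) Accounting record, (\d+):(\d\d):(\d\d) Elapsed$")

def parse_show_accounting(text):
    """Return one dict per accounted task, tagged with its line, user and privilege."""
    records, session, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SESSION_RE.match(line)):
            session = {"line": m.group(1), "user": m.group(2), "priv": int(m.group(3))}
            current = None
        elif (m := TASK_RE.match(line)):
            if session is None:
                raise ValueError(f"task outside a session block: {line!r}")
            h, mi, s = (int(x) for x in m.group(3, 4, 5))
            current = dict(session, task_id=int(m.group(1)), kind=m.group(2),
                           elapsed_s=h * 3600 + mi * 60 + s, attrs={})
            records.append(current)
        elif current is not None and "=" in line:
            # Attribute-value pairs belonging to the task header just above.
            current["attrs"].update(p.split("=", 1) for p in line.split() if "=" in p)
            if current["attrs"].get("task_id") != str(current["task_id"]):
                raise ValueError(f"task_id mismatch for task {current['task_id']}")
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return records

if __name__ == "__main__":
    for rec in parse_show_accounting(SAMPLE):
        print(rec["line"], rec["user"], rec["kind"], rec["elapsed_s"], rec["attrs"])
```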