Saturday, March 24, 2012

AAA - Authentication, Authorization, and Accounting

Introduction

Access control is the way to control who is allowed to access the network devices, and which services a user is allowed to use once access has been granted (authenticated).

Authentication, Authorization, and Accounting (AAA) is the standard and common network access control security framework that has been widely implemented in Cisco networks.

Below briefly describes the function and role of each AAA service:
Authentication: Validates the identity of a user by prompting for a login name and password.
Authorization: Grants specific access privileges or rights to the services requested by the authenticated user.
Accounting: Provides the auditing and logging functions of the security model. Tracks user access in the network (eg: when, from where, which services were accessed, which actions were performed, which commands were executed and when, and how long the access lasted). Accounting records can be sent either to a remote AAA server or to a Syslog server, and can be imported into a spreadsheet program for viewing.

Sample AAA-Based Secure Network Access Setup

Below lists the acronyms for the main elements in an AAA-based network access environment:
NAS: Network Access Server. Acts as the AAA client.
RADIUS: Remote Authentication Dial-In User Service.
TACACS+: Terminal Access Controller Access Control System Plus.


General AAA Configuration

Below shows the sample general AAA configuration:
Router#conf t
Router(config)#ip tacacs source-interface Loopback0
Router(config)#tacacs-server host 10.10.10.10
Router(config)#tacacs-server key abc123
Router(config)#tacacs-server directed-request
Router(config)#aaa new-model
Router(config)#aaa session-id common
Router(config)#

The ip tacacs source-interface {type num} global configuration command specifies the IP address of an interface as the source address of the packets sent to the TACACS+ server. This ensures devices such as routers, which normally have many interfaces and IP addresses, use a specified IP address for all communications with the TACACS+ server. Additionally, the TACACS+ server uses an IP address to identify a particular device (or NAS).
Note: Normally loopback interface addresses (eg: Loopback0) would be used for routers and management interface addresses (eg: VLAN1) would be used for switches.

The tacacs-server host {ip-addr} global configuration command specifies a TACACS+ server. The tacacs-server key {key} global configuration command specifies the shared secret encryption key used for all communications between the NAS and the TACACS+ server.
Note: Multiple TACACS+ servers can also be implemented by defining a server group. However, this topic is out of the scope of this document.

The tacacs-server directed-request global configuration command configures a NAS to send only the username portion to the specified TACACS+ server, while the no-truncate option or the no form of this command configures a NAS to send the whole string (both the username and hostname) to the default TACACS+ server. Directed-request mode is the default mode of operation.

Example: username = root, hostname = 10.10.10.11.
TACACS+ servers: 10.10.10.10 (default), 10.10.10.11.
root@10.10.10.11 is entered as the username at the login prompt of a NAS.
With directed-request mode, root is sent as the username to 10.10.10.11.
With no-truncate mode, root@10.10.10.11 is sent as the username to 10.10.10.10.

Below shows the AAA Authentication debugging messages when root@10.10.10.10 is entered as the username at the login prompt of the NAS in directed-request mode:
Router#debug aaa authentication
AAA Authentication debugging is on
Router#
00:05:13: AAA/AUTHEN/START (xxx): port='tty1' list='ssh_telnet' action=LOGIN service=LOGIN
00:05:13: AAA/AUTHEN/START (xxx): found list ssh_telnet
00:05:13: AAA/AUTHEN/START (xxx): Method=tacacs+ (tacacs+)
00:05:13: AAA/AUTHEN (xxx): status = GETUSER
00:05:18: AAA/AUTHEN/CONT (xxx): continue_login (user='(undef)')
00:05:18: AAA/AUTHEN (xxx): status = GETUSER
00:05:18: AAA/AUTHEN (xxx): Method=tacacs+ (tacacs+)
00:05:18: TAC+: send abort reason=Switching to directed server @ 10.10.10.10
00:05:18: AAA/AUTHEN (xxx): status = GETPASS
00:05:20: AAA/AUTHEN/CONT (xxx): continue_login (user='root')
00:05:20: AAA/AUTHEN (xxx): status = GETPASS
00:05:20: AAA/AUTHEN (xxx): Method=tacacs+ (tacacs+)
00:05:21: AAA/AUTHEN (xxx): status = PASS
Router#

Below shows the AAA Authentication debugging messages when root@10.10.10.10 is entered as the username at the login prompt of the NAS in no-truncate mode. The authentication fails because no username root@10.10.10.10 is configured on the 10.10.10.10 TACACS+ server.
Router#
00:08:48: AAA/AUTHEN/START (xxx): port='tty1' list='ssh_telnet' action=LOGIN service=LOGIN
00:08:48: AAA/AUTHEN/START (xxx): found list ssh_telnet
00:08:48: AAA/AUTHEN/START (xxx): Method=tacacs+ (tacacs+)
00:08:48: AAA/AUTHEN (xxx): status = GETUSER
00:08:53: AAA/AUTHEN/CONT (xxx): continue_login (user='(undef)')
00:08:53: AAA/AUTHEN (xxx): status = GETUSER
00:08:53: AAA/AUTHEN (xxx): Method=tacacs+ (tacacs+)
00:08:53: TAC+: send abort reason=Switching to directed server @ 10.10.10.10
00:08:53: AAA/AUTHEN (xxx): status = GETPASS
00:08:55: AAA/AUTHEN/CONT (xxx): continue_login (user='root@10.10.10.10')
00:08:55: AAA/AUTHEN (xxx): status = GETPASS
00:08:55: AAA/AUTHEN (xxx): Method=tacacs+ (tacacs+)
00:08:55: AAA/AUTHEN (xxx): status = FAIL
Router#

The aaa new-model global configuration command is used to enable and initialize the AAA access control service.

The aaa session-id {common | unique} global configuration command specifies whether the same or a different session ID is used for each AAA accounting service type. AAA supports 6 types of accounting – EXEC, Connection, Network, Command, System, and Resource. common is the default.
Note: This command is only available for Cisco IOS Release 12.2 and later. Most workgroup and access layer switches (eg: Catalyst 3550, Catalyst 2950) do not support this command.

Below shows the output of the show aaa sessions and show aaa user all EXEC commands with aaa session-id common in effect. It shows that the same session ID is used for both the EXEC and NET AAA accounting service types.
Router>sh aaa sessions
Total sessions since last reload: 1
Session Id: 110
   Unique Id: 220
   User Name: root
   IP Address: 10.10.10.2
   Idle Time: 0
   CT Call Handle: 0
Router>
Router>sh aaa user all
--------------------------------------------------
Unique id 220 is currently in use.
Accounting:
  update method(s) :
    NEWINFO
  update interval = 0
  Outstanding Stop Records : 0
  EXEC: Username=root
    Session Id=0000006E Unique Id=000000DC
    Start Sent=1 Stop Only=N
    stop_has_been_sent=N
    Method List=640691B4 : Name = default
    Attribute list:
    xxxxxxxx 0 00000001 session-id(294) 4 110(6E)
    xxxxxxxx 0 00000001 start_time(299) 4 Mar 1 1993 00:10:49
  No data for type CONN
  NET: Username=(n/a)
    Session Id=0000006E Unique Id=000000DC
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
    xxxxxxxx 0 00000001 session-id(294) 4 110(6E)
    xxxxxxxx 0 00000001 start_time(299) 4 Mar 1 1993 00:10:47
  No data for type CMD
  No data for type SYSTEM
  No data for type RM CALL
  No data for type RM VPDN
  No data for type AUTH PROXY
  No data for type IPSEC-TUNNEL
  No data for type RESOURCE
  No data for type 10
  No data for type CALL
--- output omitted ---

Below shows the output of the show aaa sessions and show aaa user all EXEC commands with aaa session-id unique in effect. It shows that different session IDs are used for the EXEC and NET AAA accounting service types.
Router>sh aaa sessions
Total sessions since last reload: 3
Session Id: 112
   Unique Id: 221
   User Name: root
   IP Address: 10.10.10.2
   Idle Time: 0
   CT Call Handle: 0
Session Id: 114
   Unique Id: 221
   User Name: root
   IP Address: 10.10.10.2
   Idle Time: 0
   CT Call Handle: 0
Router>
Router>sh aaa user all
--------------------------------------------------
Unique id 220 is currently in use.
Accounting:
  update method(s) :
    NEWINFO
  update interval = 0
  Outstanding Stop Records : 0
  EXEC: Username=root
    Session Id=00000070 Unique Id=000000DD
    Start Sent=1 Stop Only=N
    stop_has_been_sent=N
    Method List=640691B4 : Name = default
    Attribute list:
    xxxxxxxx 0 00000001 session-id(294) 4 112(70)
    xxxxxxxx 0 00000001 start_time(299) 4 Mar 1 1993 00:11:37
  No data for type CONN
  NET: Username=(n/a)
    Session Id=00000072 Unique Id=000000DD
    Start Sent=0 Stop Only=N
    stop_has_been_sent=N
    Method List=0
    Attribute list:
    xxxxxxxx 0 00000001 session-id(294) 4 114(72)
    xxxxxxxx 0 00000001 start_time(299) 4 Mar 1 1993 00:11:35
  No data for type CMD
  No data for type SYSTEM
  No data for type RM CALL
  No data for type RM VPDN
  No data for type AUTH PROXY
  No data for type IPSEC-TUNNEL
  No data for type RESOURCE
  No data for type 10
  No data for type CALL
--- output omitted ---


Authentication Configuration

Below shows the sample AAA Authentication configuration:
Router(config)#username root secret abc123
Router(config)#aaa authentication login local_console local
Router(config)#aaa authentication login ssh_telnet group tacacs+ local
Router(config)#line con 0
Router(config-line)#login authentication local_console
Router(config-line)#exit
Router(config)#line vty 0 4
Router(config-line)#login authentication ssh_telnet
Router(config-line)#exit
Router(config)#

The aaa authentication login {default | method-list-name} {method1} [method2…] global configuration command creates authentication method lists that define the authentication methods used to authenticate a user. An authentication method list is used in conjunction with the login authentication {method-list-name} line subcommand.

The configuration above first creates an authentication method list named local_console, which uses the local username database as the only authentication method. The authentication method list is then applied on the console (con 0) with the login authentication {method-list-name} line subcommand.

The configuration above then creates another authentication method list named ssh_telnet, which uses the TACACS+ server group as the first method for user authentication. The local username database is used as the backup method in case all TACACS+ servers in the server group are unavailable. The authentication method list is then applied on the Telnet / SSH virtual terminals (vty 0 4) with the login authentication {method-list-name} line subcommand.

Below shows the AAA Authentication debugging messages for the Console access to the NAS. The user root is granted access to the NAS via the console.
Router#debug aaa authentication
AAA Authentication debugging is on
Router#
00:15:31: AAA/AUTHEN/START (xxx): port='tty0' list='local_console' action=LOGIN service=LOGIN
00:15:31: AAA/AUTHEN/START (xxx): found list local_console
00:15:31: AAA/AUTHEN/START (xxx): Method=LOCAL
00:15:31: AAA/AUTHEN (xxx): status = GETUSER
00:15:32: AAA/AUTHEN/CONT (xxx): continue_login (user='(undef)')
00:15:32: AAA/AUTHEN (xxx): status = GETUSER
00:15:32: AAA/AUTHEN/CONT (xxx): Method=LOCAL
00:15:32: AAA/AUTHEN (xxx): status = GETPASS
00:15:34: AAA/AUTHEN/CONT (xxx): continue_login (user='root')
00:15:34: AAA/AUTHEN (xxx): status = GETPASS
00:15:34: AAA/AUTHEN/CONT (xxx): Method=LOCAL
00:15:34: AAA/AUTHEN (xxx): status = PASS
Router#

The local username database can be configured with the username {username} {password | secret} {password} global configuration command. Below shows the AAA Authentication debugging messages for the console access to the NAS with an unknown user:
Router#
00:18:34: AAA/AUTHEN/START (xxx): port='tty0' list='local_console' action=LOGIN service=LOGIN
00:18:34: AAA/AUTHEN/START (xxx): found list local_console
00:18:34: AAA/AUTHEN/START (xxx): Method=LOCAL
00:18:34: AAA/AUTHEN (xxx): status = GETUSER
00:18:40: AAA/AUTHEN/CONT (xxx): continue_login (user='(undef)')
00:18:40: AAA/AUTHEN (xxx): status = GETUSER
00:18:40: AAA/AUTHEN/CONT (xxx): Method=LOCAL
00:18:40: AAA/AUTHEN (xxx): status = GETPASS
00:18:42: AAA/AUTHEN/CONT (xxx): continue_login (user='admin')
00:18:42: AAA/AUTHEN (xxx): status = GETPASS
00:18:42: AAA/AUTHEN/CONT (xxx): Method=LOCAL
00:18:42: AAA/AUTHEN (xxx): User not found
00:18:42: AAA/AUTHEN (xxx): status = FAIL
Router#

Below shows the AAA Authentication debugging messages for the Telnet / SSH access to the NAS when the TACACS+ server is available:
Router#
00:20:08: AAA/AUTHEN/START (xxx): port='tty1' list='ssh_telnet' action=LOGIN service=LOGIN
00:20:08: AAA/AUTHEN/START (xxx): found list ssh_telnet
00:20:08: AAA/AUTHEN/START (xxx): Method=tacacs+ (tacacs+)
00:20:08: AAA/AUTHEN (xxx): status = GETUSER
00:20:10: AAA/AUTHEN/CONT (xxx): continue_login (user='(undef)')
00:20:10: AAA/AUTHEN (xxx): status = GETUSER
00:20:10: AAA/AUTHEN (xxx): Method=tacacs+ (tacacs+)
00:20:10: AAA/AUTHEN (xxx): status = GETPASS
00:20:11: AAA/AUTHEN/CONT (xxx): continue_login (user='root')
00:20:11: AAA/AUTHEN (xxx): status = GETPASS
00:20:11: AAA/AUTHEN (xxx): Method=tacacs+ (tacacs+)
00:20:11: AAA/AUTHEN (xxx): status = PASS
Router#

Below shows the AAA Authentication debugging messages for the Telnet / SSH access to the NAS when the TACACS+ server is unavailable. An ERROR response is first received for the TACACS+ method. The NAS then tries the LOCAL authentication method.
00:20:52: AAA/AUTHEN/START (xxx): port='tty1' list='ssh_telnet' action=LOGIN service=LOGIN
00:20:52: AAA/AUTHEN/START (xxx): found list ssh_telnet
00:20:52: AAA/AUTHEN/START (xxx): Method=tacacs+ (tacacs+)
00:20:57: AAA/AUTHEN (xxx): status = ERROR
00:20:57: AAA/AUTHEN/START (xxx): Method=LOCAL
00:20:57: AAA/AUTHEN (xxx): status = GETUSER
00:21:02: AAA/AUTHEN/CONT (xxx): continue_login (user='(undef)')
00:21:02: AAA/AUTHEN (xxx): status = GETUSER
00:21:02: AAA/AUTHEN/CONT (xxx): Method=LOCAL
00:21:02: AAA/AUTHEN (xxx): status = GETPASS
00:21:04: AAA/AUTHEN/CONT (xxx): continue_login (user='root')
00:21:04: AAA/AUTHEN (xxx): status = GETPASS
00:21:04: AAA/AUTHEN/CONT (xxx): Method=LOCAL
00:21:04: AAA/AUTHEN (xxx): status = PASS


Authorization Configuration

Below shows the sample AAA Authorization configuration:
Router(config)#aaa authorization exec default group tacacs+ local
Router(config)#aaa authorization commands 15 ssh_telnet group tacacs+ none
Router(config)#aaa authorization config-commands
Router(config)#line vty 0 4
Router(config-line)#authorization commands 15 ssh_telnet
Router(config-line)#exit
Router(config)#

The aaa authorization exec {default | method-list-name} {method1} [method2…] global configuration command creates authorization method lists that determine whether an authenticated user will be granted an EXEC shell.

The configuration above modifies the default EXEC authorization method list named default, which uses the TACACS+ server group as the first method, with the local database as the backup method in case all TACACS+ servers in the server group are unavailable.

Below shows the AAA Authorization debugging messages for the Telnet / SSH access to the NAS when the TACACS+ server is available. An EXEC shell is granted to the user.
Router#debug aaa authorization
AAA Authorization debugging is on
Router#
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): Port='tty1' list='' service=EXEC
00:24:19: AAA/AUTHOR/EXEC: tty1 (xxx) user='root'
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): send AV service=shell
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): send AV cmd*
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): found list "default"
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): Method=tacacs+ (tacacs+)
00:24:19: AAA/AUTHOR/TAC+: (xxx): user=root
00:24:19: AAA/AUTHOR/TAC+: (xxx): send AV service=shell
00:24:19: AAA/AUTHOR/TAC+: (xxx): send AV cmd*
00:24:20: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
00:24:20: AAA/AUTHOR/EXEC: Authorization successful
Router#

EXEC shell authorization can be configured on a per-user-group or per-user basis. User authorization overrides group authorization.

The aaa authorization commands {privilege-level} {default | method-list-name} {method1} [method2…] global configuration command creates authorization method lists that determine whether to run authorization for all commands at the specified privilege level.

The aaa authorization commands 15 ssh_telnet group tacacs+ none global configuration command creates an authorization method list named ssh_telnet, which uses the TACACS+ server group as the first authorization method to authorize all privilege level 15 commands (eg: show running-config, configure terminal). The none method, which means no authorization is performed, is used as the backup method in case all TACACS+ servers in the server group are unavailable.

The ssh_telnet command authorization method list is then applied on the Telnet / SSH virtual terminals (vty 0 4) with the authorization commands {privilege-level} {method-list-name} line subcommand.

Below shows the AAA Authorization debugging messages when issuing the show running-config command (a privilege level 15 command) in the NAS when the TACACS+ server is available. The user root is authorized to execute the command.
Router#
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): Port='tty1' list='ssh_telnet' service=CMD
00:30:19: AAA/AUTHOR/CMD: tty1 (xxx) user='root'
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV service=shell
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=show
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=running-config
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): found list "ssh_telnet"
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): Method=tacacs+ (tacacs+)
00:30:19: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
Router#

Below shows the AAA Authorization debugging messages when issuing the show running-config privileged command (a privilege level 15 command) in the NAS when the TACACS+ server is unavailable. An ERROR response is first received for the TACACS+ method. The NAS then tries the NONE authorization method. Finally the command is authorized to be executed.
Router#
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): Port='tty1' list='ssh_telnet' service=CMD
00:35:45: AAA/AUTHOR/CMD: tty1 (xxx) user='root'
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): send AV service=shell
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=show
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=running-config
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): found list "ssh_telnet"
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): Method=tacacs+ (tacacs+)
00:35:55: AAA/AUTHOR (xxx): Post authorization status = ERROR
00:35:55: tty1 AAA/AUTHOR/CMD (xxx): Method=NONE
00:35:55: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
Router#
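
The two fallback traces above (a login that fails over from tacacs+ to LOCAL, and a privilege level 15 command that fails over from tacacs+ to NONE) are the events worth alerting on, because with the none method the command runs with no authorization at all. The following parser, added here as an example and not part of the original post, groups debug aaa authentication / authorization lines into transactions and flags fallback and none-authorized commands; the sample lines, the ids 123 and 124 and the finding labels are constructed for the demonstration.

```python
import re

# Constructed sample in the shape of the debug aaa authentication / authorization
# output on this page: a login that falls back from TACACS+ to LOCAL, then a
# privilege 15 command authorized by the "none" method. Ids (123, 124) are made up.
SAMPLE_DEBUG = """\
00:20:52: AAA/AUTHEN/START (123): port='tty1' list='ssh_telnet' action=LOGIN service=LOGIN
00:20:52: AAA/AUTHEN/START (123): Method=tacacs+ (tacacs+)
00:20:57: AAA/AUTHEN (123): status = ERROR
00:20:57: AAA/AUTHEN/START (123): Method=LOCAL
00:21:04: AAA/AUTHEN/CONT (123): continue_login (user='root')
00:21:04: AAA/AUTHEN/CONT (123): Method=LOCAL
00:21:04: AAA/AUTHEN (123): status = PASS
00:35:45: tty1 AAA/AUTHOR/CMD (124): Port='tty1' list='ssh_telnet' service=CMD
00:35:45: AAA/AUTHOR/CMD: tty1 (124) user='root'
00:35:45: tty1 AAA/AUTHOR/CMD (124): send AV cmd=show
00:35:45: tty1 AAA/AUTHOR/CMD (124): send AV cmd-arg=running-config
00:35:45: tty1 AAA/AUTHOR/CMD (124): send AV cmd-arg=
00:35:45: tty1 AAA/AUTHOR/CMD (124): Method=tacacs+ (tacacs+)
00:35:55: AAA/AUTHOR (124): Post authorization status = ERROR
00:35:55: tty1 AAA/AUTHOR/CMD (124): Method=NONE
00:35:55: AAA/AUTHOR (124): Post authorization status = PASS_ADD
"""

# A transaction begins at the line naming the port, the method list and the service.
START_RE = re.compile(r"^(\d\d:\d\d:\d\d): (?:\w+ )?AAA/(AUTHEN|AUTHOR)/\w+ \(\w+\): "
                      r"[Pp]ort='(\w+)' list='(\w*)' .*service=(\w+)")
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"status = (\w+)")
USER_RE = re.compile(r"user='([^']*)'")
CMD_RE = re.compile(r"send AV cmd(?:-arg)?=(\S*)")

def parse_transactions(text):
    """Group debug lines into one record per login attempt or command check."""
    txns, cur = [], None
    for line in text.splitlines():
        if m := START_RE.match(line):
            cur = {"time": m.group(1), "kind": m.group(2), "port": m.group(3),
                   "list": m.group(4) or "default", "service": m.group(5),
                   "user": None, "methods": [], "statuses": [], "cmd": []}
            txns.append(cur)
        elif cur is None:
            continue
        elif m := METHOD_RE.search(line):
            if not cur["methods"] or cur["methods"][-1] != m.group(1):
                cur["methods"].append(m.group(1))  # order in which methods were tried
        elif m := STATUS_RE.search(line):
            cur["statuses"].append(m.group(1))  # the last status is the outcome
        elif (m := USER_RE.search(line)) and m.group(1) != "(undef)":
            cur["user"] = m.group(1)
        elif (m := CMD_RE.search(line)) and m.group(1):
            cur["cmd"].append(m.group(1))  # cmd followed by its non-empty cmd-arg values
    return txns

def review(txns):
    """Return one finding per transaction that deserves a second look."""
    findings = []
    for t in txns:
        final = t["statuses"][-1] if t["statuses"] else "UNKNOWN"
        what = f"{t['kind']}/{t['service']} user={t['user']} port={t['port']} list={t['list']}"
        if t["cmd"]:
            what += " cmd=" + " ".join(t["cmd"])
        if "ERROR" in t["statuses"] and len(t["methods"]) > 1:
            # First method answered ERROR (server unreachable); a backup method decided.
            findings.append(f"{t['time']} FALLBACK {what}: {t['methods'][0]} -> "
                            f"{t['methods'][-1]}, result {final}")
        if "NONE" in t["methods"] and final.startswith("PASS"):
            findings.append(f"{t['time']} NO-AUTHORIZATION {what}: allowed by method none")
        if final == "FAIL":
            findings.append(f"{t['time']} FAIL {what}")
    return findings
```

The same parser works on the debug output captured to a syslog server, where the ids in parentheses are numeric rather than the xxx placeholders shown on this page.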

Shell command authorization can be configured on a per-user-group or per-user basis. User authorization overrides group authorization.

The aaa authorization config-commands global configuration command enables authorization for configuration commands. Configuration command authorization is disabled by default when the aaa authorization commands global configuration command is issued.

Below shows the AAA Authorization debugging messages when the user root issues the interface FastEthernet 0/1 global configuration command without configuration command authorization in effect:
Router#
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): Port='tty1' list='ssh_telnet' service=CMD
00:38:50: AAA/AUTHOR/CMD: tty1 (xxx) user='root'
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): send AV service=shell
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=configure
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=terminal
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): found list "ssh_telnet"
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): Method=tacacs+ (tacacs+)
00:38:51: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
Router#
00:38:57: AAA/AUTHOR: config command authorization not enabled
Router#

Below shows the AAA Authorization debugging messages when the user root issues the interface FastEthernet 0/1 global configuration command with configuration command authorization in effect:
Router#
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): Port='tty1' list='ssh_telnet' service=CMD
00:42:38: AAA/AUTHOR/CMD: tty1 (xxx) user='root'
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV service=shell
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=interface
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=FastEthernet
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=0
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=1
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): found list "ssh_telnet"
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): Method=tacacs+ (tacacs+)
00:42:38: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
Router#


Accounting Configuration

Below shows the sample AAA Accounting configuration:
Router(config)#aaa accounting update newinfo
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting system default start-stop group tacacs+
Router(config)#aaa accounting commands 15 default start-stop group tacacs+

The aaa accounting update newinfo global configuration command configures a NAS to send accounting records to the TACACS+ server whenever there is new accounting information to report. Another form of the command, aaa accounting update periodic {min}, configures a NAS to generate periodic accounting records continuously during active sessions, which can cause heavy congestion if many users are logged into the network.

The aaa accounting exec default start-stop group tacacs+ global configuration command configures a NAS to run accounting for both the start and stop of all the EXEC shell sessions in the NAS. The accounting records can be viewed via the TACACS+ Accounting Report.

Below shows the AAA Accounting debugging messages when the user root starts (after being authenticated) and stops an EXEC shell session.
Router#debug aaa accounting
00:50:14: AAA/ACCT/EXEC/START User root, port tty1
00:50:14: AAA/ACCT/EXEC: Found list "default"
00:50:14: AAA/ACCT/EXEC/START User root, Port tty1,
         task_id=x timezone=MY service=shell
00:50:14: AAA/ACCT: user root, acct type 0 (xxx): Method=tacacs+ (tacacs+)
00:50:14: TAC+: (xxx): received acct response status = SUCCESS
00:50:30: AAA/ACCT/EXEC/STOP User root, Port tty1:
         task_id=x timezone=MY service=shell disc-cause=1 disc-cause-ext=xxx 
         elapsed_time=xx nas-rx-speed=0 nas-tx-speed=0
00:50:30: AAA/ACCT: user root, acct type 0 (xxx): Method=tacacs+ (tacacs+)
00:50:30: TAC+: (xxx): received acct response status = SUCCESS
Router#

The aaa accounting system default start-stop group tacacs+ global configuration command enables accounting for all system-level events not associated with users, eg: system reboots. Below shows the AAA Accounting debugging messages when the router is reloaded. The reload event record can be viewed via both the TACACS+ Accounting Report and TACACS+ Administration Report in the Cisco Secure ACS server.
Router#reload
Proceed with reload? [confirm]

00:55:21: %SYS-5-RELOAD: Reload requested
00:55:21: AAA/ACCT/unknown: task_id=x timezone=MY service=system 
          event=sys_acct reason=shutdown
00:55:21: AAA/ACCT: user , acct type 4 (xxx): Method=tacacs+ (tacacs+)
00:55:21: TAC+: (xxx): received acct response status = SUCCESS

The aaa accounting commands {privilege-level} {default | method-list-name} {start-stop | stop-only | none} group {radius | tacacs+ | server-group-name} global configuration command creates accounting method lists that determine whether to run accounting for all commands at the specified privilege level.
Below describes the accounting notice methods:
start-stop: Provides the maximum accounting services. Sends a "start" accounting notice at the beginning and a "stop" accounting notice at the end of the requested process.
stop-only: Provides minimal accounting services. Sends only a "stop" accounting notice at the end of the requested process.
none: Disables accounting services.

The aaa accounting commands 15 default start-stop group tacacs+ global configuration command configures the NAS to run accounting for all privilege level 15 commands (eg: show running-config, configure terminal) and send the accounting records to the TACACS+ server.

Below shows the AAA Accounting debugging messages when the user root issues the show running-config privileged command (a privilege level 15 command) in the NAS:
Router#
00:05:02: AAA/ACCT/CMD: User root, Port tty1, Priv 15:
         "show running-config "
00:05:02: AAA/ACCT/CMD: Found list "default"
00:05:03: AAA/ACCT: user root, acct type 3 (xxx): Method=tacacs+ (tacacs+)
00:05:04: TAC+: (xxx): received acct response status = SUCCESS
Router#
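
To correlate the START and STOP records of the EXEC and command accounting traces above into sessions, and to catch a session with an outstanding stop record or a record the TACACS+ server never acknowledged, the following parser, added here as an example and not taken from the original post, re-joins the wrapped debug aaa accounting lines and extracts their attribute-value pairs. The sample output, task ids, elapsed time and the unacknowledged STOP are constructed.

```python
import re

# Constructed sample in the shape of the debug aaa accounting output on this
# page. The task ids, elapsed time, the STOP record with no server response and
# the second session that never sends a STOP are made up for the demonstration.
SAMPLE_ACCT = """\
00:50:14: AAA/ACCT/EXEC/START User root, Port tty1,
         task_id=7 timezone=MY service=shell
00:50:14: AAA/ACCT: user root, acct type 0 (1): Method=tacacs+ (tacacs+)
00:50:14: TAC+: (1): received acct response status = SUCCESS
00:50:20: AAA/ACCT/CMD: User root, Port tty1, Priv 15:
         "show running-config "
00:50:21: TAC+: (2): received acct response status = SUCCESS
00:50:30: AAA/ACCT/EXEC/STOP User root, Port tty1:
         task_id=7 timezone=MY service=shell disc-cause=1 disc-cause-ext=1020
         elapsed_time=16 nas-rx-speed=0 nas-tx-speed=0
00:50:30: AAA/ACCT: user root, acct type 0 (3): Method=tacacs+ (tacacs+)
00:51:02: AAA/ACCT/EXEC/START User admin, Port tty2,
         task_id=9 timezone=MY service=shell
00:51:02: TAC+: (4): received acct response status = SUCCESS
"""

REC_RE = re.compile(r"^(\d\d:\d\d:\d\d): AAA/ACCT/(\w+)(?:/(START|STOP))?:? User (\w+), Port (\w+)")
AV_RE = re.compile(r"([\w-]+)=(\S+)")       # task_id=7 disc-cause=1 ...
ACK_RE = re.compile(r"received acct response status = (\w+)")
PRIV_RE = re.compile(r"Priv (\d+)")

def join_continuations(text):
    """Re-join the indented continuation lines IOS wraps long records onto."""
    out = []
    for line in text.splitlines():
        if line[:1].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out

def parse_records(text):
    """Return one dict per EXEC or CMD accounting record, with the server's response attached."""
    records = []
    for line in join_continuations(text):
        if m := REC_RE.match(line):
            quoted = re.search(r'"([^"]*)"', line)   # the accounted command, for CMD records
            priv = PRIV_RE.search(line)
            records.append({"time": m.group(1), "type": m.group(2), "phase": m.group(3),
                            "user": m.group(4), "port": m.group(5), "ack": None,
                            "av": dict(AV_RE.findall(line)),
                            "cmd": quoted.group(1).strip() if quoted else None,
                            "priv": int(priv.group(1)) if priv else None})
        elif (m := ACK_RE.search(line)) and records:
            records[-1]["ack"] = m.group(1)   # a response belongs to the newest record
    return records

def audit(records):
    """Flag sessions that never sent a STOP and records the server never acknowledged."""
    sessions = {}
    for r in records:
        if r["type"] == "EXEC" and r["phase"]:
            key = (r["user"], r["port"], r["av"].get("task_id"))
            sessions.setdefault(key, {})[r["phase"]] = r
    return {
        "open_sessions": [k for k, v in sessions.items() if "STOP" not in v],
        "unacked": [(r["time"], r["type"], r["phase"] or r["cmd"])
                    for r in records if r["ack"] != "SUCCESS"],
        "commands": [(r["time"], r["user"], r["priv"], r["cmd"])
                     for r in records if r["type"] == "CMD"],
    }
```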
