What is best practices for what to enable for AAA Accounting and how do I monitor it?
thanks
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
ok cool. Could you give me a hand on this? We have RAS users authenticate to an external radius server.
I also have another firewall (just for network admins) that authenticate to the local database. I'm guessing this is what I should be watching. What commands they issue etc.
Is it possible to capture this in the buffer or can I log it to ACS
Cisco's case studies provide decent info on the RAS config, With firewall equipment (like the ASA) it's often good enough to setup a remote syslog server using "logging host" &c, and just check if the logging is detailed enough for your needs.
But since you're using ACS, logging every command should indeed be an option on the Firewall.
Cisco Security Configuration Guide here: http://www.cisco.com/en/US
And some decent examples and details are here:
http://www.cisco.com/en/US
http://www.cisco.com/en/US
http://wiki.freeradius.org
The relevant commands are:
aaa accounting network default start-stop group radius
For your remote access servers.
You might only want to log the STOP or 'finished' for exec sessions.
But it sounds as if you already have RADIUS setup there, in that case, you shouldn't need to change anything to enable accounting, other than port number, if you're using 1646 instead of the new standard one.
aaa accounting exec default stop-only group radius
RADIUS port numbers are specified when configuring the RADIUS server i.e.
radius-server host 172.16.88.5 auth-port 1812 acct-port 1813
The reason you might ever need to set port is that UDP port:
1812 = the current standard UDP port for RADIUS auth
1813 = the current standard UDP port for RADIUS accounting
1645 = the legacy port some OLD equipment still uses for RADIUS auth
1646 = OLD port used to be for RADIUS accounting
aaa accounting network default start-stop group radius
^^^^^
This means turn on AAA accounting for 'network' services according
to the default method list using the radius group servers.
start-stop means a START accounting record will be sent when the network session, port, or connection 'opens', and a STOP accounting record is sent when the connection ends.
aaa accounting exec default stop-only group radius
^^^
'exec' refers to a user shell, i.e. they ssh'd, telnet'd, or console'd into your network device and are at a CLI prompt.
Stop-only means only STOP accounting records are sent.
As far as EXEC session accounting goes; individual commands are not logged if you use RADIUS.
You could say Cisco crippled RADIUS accounting to encourage use of their TACACS+ protocol.
When you use AAA accounting over TACACS+, you can log every command executed with 'aaa accounting exec' options.
Business Accounts
Answer for Membership
by: MysidiaPosted on 2009-05-09 at 08:02:30ID: 24344098
That depends on what services your equipment is providing.
If you are using your equipment to provide a dialup service or other setup where logins occur by non administrators, then you DEFINITELY should have full accounting over those sessions.
You want to log (at bare minimum) authentication and authorization requests and answers; if AAA is used only to provide administrative access, you don't strictly have to use AAA accounting for this, your authentication server can do that.
However, AAA logging can provide you additional information.
Generally it is also good to enable some type of logging of commands executed if possible, and sometimes this will be required for auditing and compliance purposes, or as a matter of network security policy.
And should be done unless you can get adequate information from remote syslog.
Your network is more secure if you keep records of what was done to certain equipment, and AAA accounting is a very powerful tool to use for this.
Another good idea is to use configuration management tools to periodically backup configs and check for changes.
If you want to log individual AAA commands on Cisco equipment, I would simply log everything, you will generally need to use TACACS, not RADIUS.
OTOH if you have automated processes or have users frequently logging into network equipment, you may wish to only log, or to only keep logs related to
privileged commands, or commands that effect a change of configuration.