Solved

enabling AAA accounting

Posted on 2009-05-08
5
785 Views
Last Modified: 2012-05-06
What is best practices for what to enable for AAA Accounting and how do I monitor it?


thanks
0
Comment
Question by:dissolved
5 Comments
 
LVL 23

Expert Comment

by:Mysidia
ID: 24344098
That depends on what services your equipment is providing.
If you are using your equipment to provide a dialup service or other setup where logins occur by non administrators, then  you DEFINITELY should have full accounting over those sessions.

You want to log (at bare minimum) authentication and authorization requests and answers;  if AAA is used only to provide administrative access, you don't strictly have to use AAA accounting for this, your authentication server can do that.

However, AAA logging can provide you additional information.

Generally it is also good to enable some type of logging of commands executed if possible,  and sometimes this will be required for auditing and compliance purposes, or as a matter of network security policy.

And this should be done unless you can get adequate information from remote syslog.


Your network is more secure if you keep records of what was done to certain equipment, and AAA accounting is a very powerful tool to use for this.

Another good idea is to use configuration management tools to periodically backup configs and check for changes.



If you want to log individual AAA commands on Cisco equipment, I would simply log everything; you will generally need to use TACACS, not RADIUS.

OTOH if you have automated processes or have users frequently logging into network equipment, you may wish to only log, or to only keep logs related to, privileged commands, or commands that effect a change of configuration.



0
 

Author Comment

by:dissolved
ID: 24344254
ok cool. Could you give me a hand on this? We have RAS users authenticate to an external radius server.
I also have another firewall (just for network admins) that authenticate to the local database. I'm guessing this is what I should be watching. What commands they issue etc.

Is it possible to capture this in the buffer or can I log it to ACS
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 24345010
Cisco's case studies provide decent info on the RAS config. With firewall equipment (like the ASA) it's often good enough to set up a remote syslog server using "logging host" &c, and just check if the logging is detailed enough for your needs.

But since you're using ACS,  logging every command should indeed be an option on the Firewall.

Cisco Security Configuration Guide here: http://www.cisco.com/en/US/docs/ios/11_2/security/command/reference/2racount.html

And some decent examples and details are here:
http://www.cisco.com/en/US/docs/ios/internetwrk_solutions_guides/splob/guides/dial/aaasub/C262C5.html
http://www.cisco.com/en/US/docs/ios/11_2/security/command/reference/2racount.html
http://wiki.freeradius.org/Cisco

The relevant commands are:
aaa accounting network default start-stop group radius

For your remote access servers.
You might only want to log the STOP or 'finished' for exec sessions.

But it sounds as if you already have RADIUS set up there; in that case, you shouldn't need to change anything to enable accounting, other than the port number, if you're using 1646 instead of the new standard one.


aaa accounting exec default stop-only group radius


RADIUS port numbers are specified when configuring the RADIUS server i.e.

radius-server host  172.16.88.5 auth-port 1812 acct-port 1813

The reason you might ever need to set the port is that UDP port:

1812 = the current standard UDP port for RADIUS auth
1813 = the current standard UDP port for RADIUS accounting

1645 = the legacy port some OLD equipment still uses for RADIUS auth
1646 = OLD port used to be for RADIUS accounting



0
 
LVL 23

Accepted Solution

by:Mysidia earned 500 total points
ID: 24345036
aaa accounting network default start-stop group radius
                       ^^^^^
This means turn on AAA accounting for 'network' services according to the default method list using the radius group servers.

start-stop means a START accounting record will be sent when the network session, port, or connection 'opens', and a STOP accounting record is sent when the connection ends.


aaa accounting exec default stop-only group radius
                      ^^^
'exec' refers to a user shell, i.e. they ssh'd, telnet'd, or console'd into your network device and are at a CLI prompt.

Stop-only means only STOP accounting records are sent.


As far as EXEC session accounting goes, individual commands are not logged if you use RADIUS.

You could say Cisco crippled RADIUS accounting to encourage use of their TACACS+ protocol.

When you use AAA accounting over TACACS+, you can log every command executed with 'aaa accounting exec' options.

0
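The accepted solution above explains what the START and STOP records of `start-stop` versus `stop-only` accounting mean, and the original question asks how to monitor the result. The script below is an added example (not from this thread, and not Cisco's or FreeRADIUS's code) of the monitoring side: it pairs START and STOP records from the accounting server so you can see who had an exec or network session on which NAS, for how long, which sessions are still open (or lost their STOP), and which STOPs arrived with no START (expected under `stop-only`). The record layout it parses is an assumption: a timestamp line followed by tab-indented `Attribute = value` lines with records separated by blank lines, as the FreeRADIUS "detail" file writes them. The sample records, user names, session ids and NAS addresses are constructed for the example; Interim-Update records are ignored.

```python
"""Correlate RADIUS accounting START/STOP records to audit exec/network sessions.

Added example for this thread; assumes the accounting server writes records in
the FreeRADIUS "detail" layout (timestamp line, tab-indented Attribute = value
lines, blank line between records). Sample data below is constructed.
"""
from datetime import datetime

# Constructed sample: alice has a complete Start/Stop pair, bob has a Start
# with no Stop yet, carol has a Stop with no Start (as with 'stop-only').
SAMPLE_DETAIL = """\
Fri May  8 10:00:01 2009
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00000101"
\tUser-Name = "alice"
\tNAS-IP-Address = 172.16.88.1
\tService-Type = NAS-Prompt-User

Fri May  8 10:12:45 2009
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00000101"
\tUser-Name = "alice"
\tNAS-IP-Address = 172.16.88.1
\tAcct-Session-Time = 764
\tAcct-Terminate-Cause = User-Request

Fri May  8 10:30:00 2009
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00000102"
\tUser-Name = "bob"
\tNAS-IP-Address = 172.16.88.1

Fri May  8 11:05:10 2009
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00000103"
\tUser-Name = "carol"
\tNAS-IP-Address = 172.16.88.2
\tAcct-Session-Time = 300
"""

TIMESTAMP_FMT = "%a %b %d %H:%M:%S %Y"  # strptime treats one space as any run of whitespace


def parse_detail(text):
    """Return a list of records; each is a dict of attribute -> value plus
    a '_time' key holding the record timestamp as a datetime."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        record = {"_time": datetime.strptime(lines[0].strip(), TIMESTAMP_FMT)}
        for line in lines[1:]:
            name, _, value = line.strip().partition(" = ")
            record[name] = value.strip('"')  # string attributes are quoted in the file
        records.append(record)
    return records


def correlate(records):
    """Pair Start and Stop records on (NAS address, Acct-Session-Id).

    Returns a dict with three lists:
      completed  - sessions with both a Start and a Stop
      still_open - Starts with no Stop (session in progress, device reloaded,
                   or the Stop was lost on the UDP path)
      stop_only  - Stops with no Start (normal under 'stop-only'; otherwise
                   the Start was lost)
    """
    open_sessions = {}
    result = {"completed": [], "still_open": [], "stop_only": []}
    for rec in sorted(records, key=lambda r: r["_time"]):
        key = (rec.get("NAS-IP-Address"), rec.get("Acct-Session-Id"))
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            open_sessions[key] = rec
        elif status == "Stop":
            start = open_sessions.pop(key, None)
            summary = {
                "user": rec.get("User-Name"),
                "nas": key[0],
                "session_id": key[1],
                "duration": int(rec.get("Acct-Session-Time", 0)),
                "cause": rec.get("Acct-Terminate-Cause"),
                "ended": rec["_time"],
            }
            if start is None:
                result["stop_only"].append(summary)
            else:
                summary["started"] = start["_time"]
                result["completed"].append(summary)
    for rec in open_sessions.values():
        result["still_open"].append({
            "user": rec.get("User-Name"), "nas": rec.get("NAS-IP-Address"),
            "session_id": rec.get("Acct-Session-Id"), "started": rec["_time"],
        })
    return result


if __name__ == "__main__":
    summary = correlate(parse_detail(SAMPLE_DETAIL))
    for s in summary["completed"]:
        print(f"{s['user']}@{s['nas']} session {s['session_id']}: {s['duration']}s, cause {s['cause']}")
    for s in summary["still_open"]:
        print(f"OPEN: {s['user']}@{s['nas']} session {s['session_id']} since {s['started']}")
    for s in summary["stop_only"]:
        print(f"STOP without START: {s['user']}@{s['nas']} ({s['duration']}s)")
```

Point the script at the accounting server's detail file (or at records exported from ACS in the same shape) and review the `still_open` list regularly: a Start that never gets a Stop is either a live session or a sign that accounting packets are being dropped, both of which are worth knowing about for the admin-only firewall described in the question.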
 

Author Comment

by:dissolved
ID: 24394777
OK, if I am syslogging to Kiwi Syslog and the administrators authenticate to a RADIUS server, what is the exact command to enable AAA accounting?

what about if they authenticate locally in the device? What is the command for that?
0
