dissolved

Enabling AAA accounting

What are best practices for what to enable for AAA accounting, and how do I monitor it?


thanks
Mysidia

That depends on what services your equipment is providing.
If you are using your equipment to provide a dialup service or other setup where logins occur by non-administrators, then you DEFINITELY should have full accounting over those sessions.

You want to log (at bare minimum) authentication and authorization requests and answers; if AAA is used only to provide administrative access, you don't strictly have to use AAA accounting for this, since your authentication server can do that.

However, AAA logging can provide you additional information.

Generally it is also good to enable some type of logging of commands executed if possible, and sometimes this will be required for auditing and compliance purposes, or as a matter of network security policy.

It should be done unless you can get adequate information from remote syslog.


Your network is more secure if you keep records of what was done to certain equipment, and AAA accounting is a very powerful tool to use for this.

Another good idea is to use configuration management tools to periodically backup configs and check for changes.



If you want to log individual AAA commands on Cisco equipment (I would simply log everything), you will generally need to use TACACS, not RADIUS.

OTOH, if you have automated processes or have users frequently logging into network equipment, you may wish to only log, or to only keep logs related to, privileged commands or commands that effect a change of configuration.



dissolved (asker)

Ok, cool. Could you give me a hand on this? We have RAS users authenticating to an external RADIUS server.
I also have another firewall (just for network admins) that authenticates to the local database. I'm guessing this is what I should be watching: what commands they issue, etc.

Is it possible to capture this in the buffer, or can I log it to ACS?

Cisco's case studies provide decent info on the RAS config. With firewall equipment (like the ASA) it's often good enough to set up a remote syslog server using "logging host" &c., and just check if the logging is detailed enough for your needs.

But since you're using ACS, logging every command should indeed be an option on the firewall.

Cisco Security Configuration Guide here: http://www.cisco.com/en/US/docs/ios/11_2/security/command/reference/2racount.html

And some decent examples and details are here:
http://www.cisco.com/en/US/docs/ios/internetwrk_solutions_guides/splob/guides/dial/aaasub/C262C5.html
http://wiki.freeradius.org/Cisco

The relevant commands are:
aaa accounting network default start-stop group radius

For your remote access servers.
You might only want to log the STOP or 'finished' record for exec sessions.

But it sounds as if you already have RADIUS set up there; in that case, you shouldn't need to change anything to enable accounting, other than the port number, if you're using 1646 instead of the new standard one.


aaa accounting exec default stop-only group radius


RADIUS port numbers are specified when configuring the RADIUS server, i.e.:

radius-server host 172.16.88.5 auth-port 1812 acct-port 1813

The reason you might ever need to set the port is that the UDP ports are:

1812 = the current standard UDP port for RADIUS auth
1813 = the current standard UDP port for RADIUS accounting

1645 = the legacy port some OLD equipment still uses for RADIUS auth
1646 = the OLD port that used to be used for RADIUS accounting
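The records that "aaa accounting ... group radius" sends to acct-port 1813 are RFC 2866 Accounting-Request packets, so monitoring them means being able to read (and authenticate) those datagrams. The following Python decoder is an added example, not code from this thread or from Cisco: it verifies the Request Authenticator against the shared secret and extracts the Start/Stop fields; the secret, NAS address, user name and session values are constructed.

```python
import hashlib
import struct

# RFC 2866 code and attribute numbers used here.
ACCOUNTING_REQUEST = 4
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 40: "Acct-Status-Type",
              44: "Acct-Session-Id", 46: "Acct-Session-Time"}
STATUS_TYPES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_accounting_request(identifier, attrs, secret):
    """Encode an Accounting-Request as a NAS would; the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def parse_accounting_request(packet, secret):
    """Verify the Request Authenticator with the shared secret, then decode the
    attributes. Returns None for an unauthentic or malformed record."""
    if (len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        return None
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(header + bytes(16) + body + secret).digest() != authenticator:
        return None  # wrong secret or tampered record: do not trust it
    record, pos = {"Identifier": packet[1]}, 0
    while pos < len(body):
        attr_len = body[pos + 1] if pos + 1 < len(body) else 0
        if attr_len < 2 or pos + attr_len > len(body):
            return None  # truncated or malformed attribute
        attr_type, value = body[pos], body[pos + 2:pos + attr_len]
        name = ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")
        if attr_type == 4 and len(value) == 4:            # NAS-IP-Address
            record[name] = ".".join(str(b) for b in value)
        elif attr_type in (40, 46) and len(value) == 4:    # 32-bit integers
            number = struct.unpack("!I", value)[0]
            record[name] = STATUS_TYPES.get(number, number) if attr_type == 40 else number
        else:
            record[name] = value.decode("utf-8", "replace")
        pos += attr_len
    return record

# Constructed sample: the Stop record "aaa accounting exec default stop-only
# group radius" would send to acct-port 1813. Secret and NAS address are made up.
SECRET = b"example-shared-secret"
SAMPLE_STOP = build_accounting_request(7, [
    (1, b"netadmin"), (4, bytes([192, 0, 2, 10])), (40, struct.pack("!I", 2)),
    (44, b"0000001A"), (46, struct.pack("!I", 600))], SECRET)
```

Feeding the same datagram with the wrong secret, or with any byte altered, returns None, which is the check a collector should make before it treats a record as evidence of who logged in and for how long.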



dissolved (asker)

Ok, if I am syslogging to Kiwi Syslog and the administrators authenticate to a RADIUS server, what is the exact command to enable AAA accounting?

What about if they authenticate locally on the device? What is the command for that?