Solved

enabling AAA accounting

Posted on 2009-05-08
Last Modified: 2012-05-06
What are best practices for what to enable for AAA accounting, and how do I monitor it?


thanks
Question by:dissolved
5 Comments
 
LVL 23

Expert Comment

by:Mysidia
ID: 24344098
That depends on what services your equipment is providing.
If you are using your equipment to provide a dialup service or other setup where logins occur by non-administrators, then you DEFINITELY should have full accounting over those sessions.

You want to log (at bare minimum) authentication and authorization requests and answers; if AAA is used only to provide administrative access, you don't strictly have to use AAA accounting for this, as your authentication server can do that.

However, AAA logging can provide you additional information.

Generally it is also good to enable some type of logging of commands executed if possible, and sometimes this will be required for auditing and compliance purposes, or as a matter of network security policy.

This should be done unless you can get adequate information from remote syslog.

Your network is more secure if you keep records of what was done to certain equipment, and AAA accounting is a very powerful tool to use for this.

Another good idea is to use configuration management tools to periodically back up configs and check for changes.

If you want to log individual AAA commands on Cisco equipment, I would simply log everything; you will generally need to use TACACS, not RADIUS.

OTOH, if you have automated processes or have users frequently logging into network equipment, you may wish to only log, or to only keep logs related to, privileged commands or commands that effect a change of configuration.



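The triage Mysidia describes above (keep everything, or keep only privileged and configuration-changing commands while ignoring known automation) as an added worked example; this is not code from the thread or from Cisco. It runs over constructed, tab-separated command-accounting lines loosely modelled on what a tac_plus-style TACACS+ daemon writes; that line format, the `CONFIG_CHANGING` prefix list and the `AUTOMATION_ACCOUNTS` set are all assumptions to adjust for your platform.

```python
"""Triage TACACS+ command-accounting records: keep configuration changes and
privileged commands, drop routine read-only activity and known automation."""
from collections import Counter

# Constructed sample lines (not real data), loosely modelled on the tab-separated
# records a tac_plus-style daemon writes. The exact format is an assumption.
SAMPLE_LOG = """\
2009-05-08 10:22:11\t192.0.2.10\tnetadmin\ttty2\t10.0.0.5\tstop\ttask_id=31\tservice=shell\tpriv-lvl=15\tcmd=show running-config
2009-05-08 10:22:40\t192.0.2.10\tnetadmin\ttty2\t10.0.0.5\tstop\ttask_id=32\tservice=shell\tpriv-lvl=15\tcmd=configure terminal
2009-05-08 10:22:51\t192.0.2.10\tnetadmin\ttty2\t10.0.0.5\tstop\ttask_id=33\tservice=shell\tpriv-lvl=15\tcmd=ip route 0.0.0.0 0.0.0.0 10.0.0.1
2009-05-08 10:22:58\t192.0.2.10\tnetadmin\ttty2\t10.0.0.5\tstop\ttask_id=34\tservice=shell\tpriv-lvl=15\tcmd=end
2009-05-08 10:23:05\t192.0.2.10\tnetadmin\ttty2\t10.0.0.5\tstop\ttask_id=35\tservice=shell\tpriv-lvl=15\tcmd=write memory
2009-05-08 10:30:00\t192.0.2.10\tnocuser\ttty3\t10.0.0.9\tstop\ttask_id=36\tservice=shell\tpriv-lvl=1\tcmd=show interfaces
2009-05-08 10:31:00\t192.0.2.10\tnocuser\ttty3\t10.0.0.9\tstop\ttask_id=37\tservice=shell\tpriv-lvl=1\tcmd=ping 10.0.0.1
2009-05-08 11:00:00\t192.0.2.10\tbackup-bot\ttty4\t10.0.0.50\tstop\ttask_id=38\tservice=shell\tpriv-lvl=15\tcmd=show running-config
"""

# IOS-style commands that alter device state even outside configure mode (assumption).
CONFIG_CHANGING = ("configure", "write", "copy", "reload", "clear", "debug")
# Known automated logins whose read-only activity is not worth keeping (assumption).
AUTOMATION_ACCOUNTS = {"backup-bot"}


def parse_line(line):
    """Split one record into fixed fields plus the trailing key=value pairs."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        raise ValueError("unexpected accounting line: %r" % line)
    rec = {"time": fields[0], "nas": fields[1], "user": fields[2],
           "port": fields[3], "src": fields[4], "status": fields[5]}
    for kv in fields[6:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    rec["priv-lvl"] = int(rec.get("priv-lvl", 0))
    return rec


def classify(records):
    """Yield (record, reason) for records worth keeping. Tracks configure mode per
    (nas, port) so commands typed after 'configure terminal' count as changes
    until 'end' (the 'exit' keyword is ambiguous in submodes, so it is ignored)."""
    in_config = set()
    for rec in records:
        session = (rec["nas"], rec["port"])
        first = rec.get("cmd", "").split(" ", 1)[0]
        if first == "configure":
            in_config.add(session)
            yield rec, "config-change"
        elif session in in_config:
            if first == "end":
                in_config.discard(session)
            yield rec, "config-change"
        elif first in CONFIG_CHANGING:
            yield rec, "config-change"
        elif rec["priv-lvl"] >= 15 and rec["user"] not in AUTOMATION_ACCOUNTS:
            yield rec, "privileged"


def triage(log_text):
    """Return the kept (record, reason) pairs for a block of accounting lines."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return list(classify(records))


def summary(log_text):
    """Count kept records by reason; handy as a daily digest."""
    return Counter(reason for _, reason in triage(log_text))


if __name__ == "__main__":
    for rec, reason in triage(SAMPLE_LOG):
        print("%s %-10s %-14s %s" % (rec["time"], rec["user"], reason, rec["cmd"]))
    print(dict(summary(SAMPLE_LOG)))
```

Five of the eight sample records survive: the privileged `show running-config`, the whole configure-mode sequence and the `write memory`; the priv-level 1 lookups and the backup account's routine dump are dropped. Feed it the same lines you forward to syslog and the "only keep logs related to privileged commands" policy becomes a filter you can audit.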
 

Author Comment

by:dissolved
ID: 24344254
OK, cool. Could you give me a hand on this? We have RAS users authenticate to an external RADIUS server.
I also have another firewall (just for network admins) that authenticates to the local database. I'm guessing this is what I should be watching: what commands they issue, etc.

Is it possible to capture this in the buffer, or can I log it to ACS?
 
LVL 23

Expert Comment

by:Mysidia
ID: 24345010
Cisco's case studies provide decent info on the RAS config. With firewall equipment (like the ASA) it's often good enough to set up a remote syslog server using "logging host" &c, and just check if the logging is detailed enough for your needs.

But since you're using ACS, logging every command should indeed be an option on the firewall.

Cisco Security Configuration Guide here: http://www.cisco.com/en/US/docs/ios/11_2/security/command/reference/2racount.html

And some decent examples and details are here:
http://www.cisco.com/en/US/docs/ios/internetwrk_solutions_guides/splob/guides/dial/aaasub/C262C5.html
http://www.cisco.com/en/US/docs/ios/11_2/security/command/reference/2racount.html
http://wiki.freeradius.org/Cisco

The relevant commands are:
aaa accounting network default start-stop group radius

for your remote access servers.
You might only want to log the STOP or 'finished' records for exec sessions:

aaa accounting exec default stop-only group radius

But it sounds as if you already have RADIUS set up there; in that case, you shouldn't need to change anything to enable accounting, other than the port number, if you're using 1646 instead of the new standard one.

RADIUS port numbers are specified when configuring the RADIUS server, i.e.

radius-server host 172.16.88.5 auth-port 1812 acct-port 1813

The reason you might ever need to set the port is that the UDP port differs:

1812 = the current standard UDP port for RADIUS auth
1813 = the current standard UDP port for RADIUS accounting

1645 = the legacy port some OLD equipment still uses for RADIUS auth
1646 = the OLD port that used to be used for RADIUS accounting



 
LVL 23

Accepted Solution

by:
Mysidia earned 500 total points
ID: 24345036
aaa accounting network default start-stop group radius
               ^^^^^^^
This means turn on AAA accounting for 'network' services according
to the default method list, using the radius group servers.

start-stop means a START accounting record will be sent when the network session, port, or connection 'opens', and a STOP accounting record is sent when the connection ends.


aaa accounting exec default stop-only group radius
               ^^^^
'exec' refers to a user shell, i.e. they ssh'd, telnet'd, or console'd into your network device and are at a CLI prompt.

Stop-only means only STOP accounting records are sent.


As far as EXEC session accounting goes, individual commands are not logged if you use RADIUS.

You could say Cisco crippled RADIUS accounting to encourage use of their TACACS+ protocol.

When you use AAA accounting over TACACS+, you can log every command executed with 'aaa accounting exec' options.

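What the START and STOP records explained in the accepted solution, and the accounting port listed in the previous comment, look like on the wire, as an added example that is not code from the thread, from Cisco or from any RADIUS server: Python that builds and verifies RFC 2866 Accounting-Request packets and pairs Start/Stop records by Acct-Session-Id the way a monitoring script on the accounting server would. The shared secret, the NAS address 192.0.2.10 and the session values are constructed placeholders; the `summarize_sessions` helper is an assumption of how one might consume the records, not a standard API.

```python
"""RFC 2866 RADIUS accounting: build, verify and pair Start/Stop records."""
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5               # RADIUS packet codes
RADIUS_ACCT_PORT, LEGACY_ACCT_PORT = 1813, 1646  # current vs. legacy UDP port

# Attribute type codes from RFC 2865 / RFC 2866
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
ACCT_START, ACCT_STOP = 1, 2                     # Acct-Status-Type values


def encode_attrs(attrs):
    """attrs: list of (type, value); int -> 4-byte integer, str -> text, bytes as-is."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            raw = struct.pack("!I", value)
        elif isinstance(value, str):
            raw = value.encode()
        else:
            raw = bytes(value)
        if len(raw) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, 2 + len(raw)]) + raw
    return out


def decode_attrs(body):
    """Parse TLV attributes, rejecting lengths that would run off the packet."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_acct_request(identifier, attrs, secret):
    """NAS side. Request Authenticator = MD5(code|id|len|16 zero bytes|attrs|secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_acct_request(packet, secret):
    """Server side: recompute the authenticator; forged or tampered records fail."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_acct_response(request, secret):
    """Accounting-Response: no attributes; its authenticator chains to the request's."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_acct_response(response, request, secret):
    """NAS side: a response must match the outstanding request's id and authenticator."""
    if len(response) != 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def summarize_sessions(packets, secret):
    """Pair verified Start/Stop records by Acct-Session-Id. A session left 'open'
    has no STOP yet; with stop-only accounting no session is ever seen as open,
    so in-progress sessions are invisible to this view."""
    sessions = {}
    for pkt in packets:
        if not verify_acct_request(pkt, secret):
            continue                      # bad authenticator: not from a trusted NAS
        attrs = dict(decode_attrs(pkt[20:]))
        sid = attrs[ACCT_SESSION_ID].decode()
        info = sessions.setdefault(sid, {"user": attrs[USER_NAME].decode(), "state": None})
        status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
        if status == ACCT_START:
            info["state"] = "open"
        elif status == ACCT_STOP:
            info["state"] = "closed"
            info["seconds"] = struct.unpack("!I", attrs[ACCT_SESSION_TIME])[0]
    return sessions


# Constructed sample: one exec session reported by a NAS at 192.0.2.10 (a
# documentation address) using a placeholder secret. FORGED is the STOP record
# with its last byte flipped, which the server must reject rather than count.
SECRET = b"example-shared-secret"
NAS = bytes([192, 0, 2, 10])
START = build_acct_request(7, [(USER_NAME, "netadmin"), (NAS_IP_ADDRESS, NAS),
                               (ACCT_STATUS_TYPE, ACCT_START), (ACCT_SESSION_ID, "0000001A")], SECRET)
STOP = build_acct_request(8, [(USER_NAME, "netadmin"), (NAS_IP_ADDRESS, NAS),
                              (ACCT_STATUS_TYPE, ACCT_STOP), (ACCT_SESSION_ID, "0000001A"),
                              (ACCT_SESSION_TIME, 342)], SECRET)
FORGED = STOP[:-1] + bytes([STOP[-1] ^ 0x01])

if __name__ == "__main__":
    print(summarize_sessions([START, STOP, FORGED], SECRET))
```

The authenticator is only an MD5 over the packet plus the shared secret, so it proves the record came from a device holding that secret and was not altered in transit; it does not encrypt anything, which is one reason the thread's advice to keep the accounting server on a management network and to review the records matters. Run as a script it prints the single closed session with its 342-second duration and silently drops the tampered copy.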
 

Author Comment

by:dissolved
ID: 24394777
OK, if I am syslogging to Kiwi Syslog and the administrators authenticate to a RADIUS server, what is the exact command to enable AAA accounting?

What about if they authenticate locally on the device? What is the command for that?
