Enabling AAA accounting

Posted on 2009-05-08
Last Modified: 2012-05-06
What are best practices for what to enable for AAA Accounting, and how do I monitor it?


thanks
Question by:dissolved
LVL 23

Expert Comment

by:Mysidia
ID: 24344098
That depends on what services your equipment is providing.
If you are using your equipment to provide a dialup service or other setup where logins occur by non-administrators, then you DEFINITELY should have full accounting over those sessions.

You want to log (at bare minimum) authentication and authorization requests and answers; if AAA is used only to provide administrative access, you don't strictly have to use AAA accounting for this, your authentication server can do that.

However, AAA logging can provide you additional information.

Generally it is also good to enable some type of logging of commands executed if possible, and sometimes this will be required for auditing and compliance purposes, or as a matter of network security policy.

This should be done unless you can get adequate information from remote syslog.


Your network is more secure if you keep records of what was done to certain equipment, and AAA accounting is a very powerful tool to use for this.

Another good idea is to use configuration management tools to periodically backup configs and check for changes.



If you want to log individual AAA commands on Cisco equipment, I would simply log everything; you will generally need to use TACACS, not RADIUS.

OTOH, if you have automated processes or have users frequently logging into network equipment, you may wish to only log, or to only keep logs related to, privileged commands, or commands that effect a change of configuration.




Author Comment

by:dissolved
ID: 24344254
OK, cool. Could you give me a hand on this? We have RAS users authenticate to an external RADIUS server.
I also have another firewall (just for network admins) that authenticates to the local database. I'm guessing this is what I should be watching: what commands they issue, etc.

Is it possible to capture this in the buffer, or can I log it to ACS?
LVL 23

Expert Comment

by:Mysidia
ID: 24345010
Cisco's case studies provide decent info on the RAS config. With firewall equipment (like the ASA) it's often good enough to set up a remote syslog server using "logging host" &c, and just check if the logging is detailed enough for your needs.

But since you're using ACS, logging every command should indeed be an option on the firewall.

Cisco Security Configuration Guide here: http://www.cisco.com/en/US/docs/ios/11_2/security/command/reference/2racount.html

And some decent examples and details are here:
http://www.cisco.com/en/US/docs/ios/internetwrk_solutions_guides/splob/guides/dial/aaasub/C262C5.html
http://www.cisco.com/en/US/docs/ios/11_2/security/command/reference/2racount.html
http://wiki.freeradius.org/Cisco

The relevant commands are:
aaa accounting network default start-stop group radius

For your remote access servers.
You might only want to log the STOP or 'finished' for exec sessions.

But it sounds as if you already have RADIUS set up there; in that case, you shouldn't need to change anything to enable accounting, other than the port number, if you're using 1646 instead of the new standard one.


aaa accounting exec default stop-only group radius


RADIUS port numbers are specified when configuring the RADIUS server, i.e.

radius-server host 172.16.88.5 auth-port 1812 acct-port 1813

The reason you might ever need to set the port is that the UDP port numbers are:

1812 = the current standard UDP port for RADIUS auth
1813 = the current standard UDP port for RADIUS accounting

1645 = the legacy port some OLD equipment still uses for RADIUS auth
1646 = the OLD port that used to be for RADIUS accounting
LVL 23

Accepted Solution

by: Mysidia (earned 2000 total points)
ID: 24345036
aaa accounting network default start-stop group radius
                       ^^^^^
This means turn on AAA accounting for 'network' services according to the default method list, using the radius group servers.

start-stop means a START accounting record will be sent when the network session, port, or connection 'opens', and a STOP accounting record is sent when the connection ends.


aaa accounting exec default stop-only group radius
                      ^^^
'exec' refers to a user shell, i.e. they ssh'd, telnet'd, or console'd into your network device and are at a CLI prompt.

Stop-only means only STOP accounting records are sent.


As far as EXEC session accounting goes, individual commands are not logged if you use RADIUS.

You could say Cisco crippled RADIUS accounting to encourage use of their TACACS+ protocol.

When you use AAA accounting over TACACS+, you can log every command executed with 'aaa accounting exec' options.

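To show how the two commands explained in the accepted answer fit together with the TACACS+ command logging it mentions, here is an added Cisco IOS configuration example. It is not from the thread or from Cisco's documentation: the server addresses (172.16.88.5 reuses the address from the earlier reply; 192.0.2.10 and 172.16.88.20 are placeholders), the group names and the shared-secret placeholders are all constructed. The `aaa accounting commands` lines are the IOS form that produces per-command records, and they only work with a TACACS+ group, which is why RADIUS-only deployments cannot get command-level records. The `archive log config` section is an optional addition that sends configuration-change records to syslog regardless of whether an AAA server is reachable.

```cisco
! Added example (not from the thread): IOS AAA accounting for
! remote-access sessions and administrative shell access.
aaa new-model
!
! RADIUS server on the current standard ports (address from the earlier
! reply; the key is a placeholder to be replaced with your shared secret)
radius-server host 172.16.88.5 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
!
! TACACS+ server (placeholder address); required for per-command records
tacacs-server host 192.0.2.10 key TACACS-SECRET-PLACEHOLDER
!
aaa group server radius RAS-RADIUS
 server 172.16.88.5 auth-port 1812 acct-port 1813
!
aaa group server tacacs+ ADMIN-TACACS
 server 192.0.2.10
!
! Remote-access (dialup/VPN) sessions: a START record when the session
! opens and a STOP record when it ends
aaa accounting network default start-stop group RAS-RADIUS
!
! Administrative shell sessions: one STOP record when the EXEC session ends
aaa accounting exec default stop-only group RAS-RADIUS
!
! Every command entered at privilege level 1 or 15 is sent to TACACS+
! (RADIUS cannot carry these records, as the accepted answer notes)
aaa accounting commands 1 default start-stop group ADMIN-TACACS
aaa accounting commands 15 default start-stop group ADMIN-TACACS
!
! Optional: also log configuration changes to syslog, independent of AAA
archive
 log config
  logging enable
  notify syslog
  hidekeys
!
! Remote syslog collector (placeholder address)
logging host 172.16.88.20
```

With this in place, a RADIUS accounting server sees Start/Stop records for network and EXEC sessions, the TACACS+ server receives one record per command executed by an administrator, and the syslog collector receives a line for each configuration change. When checking that accounting actually works, `show aaa servers` and `debug aaa accounting` on the device are the usual places to confirm records are being generated and acknowledged.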

Author Comment

by:dissolved
ID: 24394777
OK, if I am syslogging to Kiwi Syslog and the administrators authenticate to a RADIUS server, what is the exact command to enable AAA accounting?

What about if they authenticate locally on the device? What is the command for that?