Accounting Configuration

The accounting function records who did what and for how long. Because every record is tied to
a user identity, accounting relies on the authentication process to supply that part of the audit
trail. For this reason, it is recommended that accounts be established with easily identified
usernames, typically a lastname plus first-initial convention, so that a record can be attributed
to a person without a lookup. This identity information is coupled with the six accounting types
described in Table 32.5.

The configuration of accounting is fairly simple, but there are a few choices that should be
considered. Table 32.6 provides a subset of the more common commands. Administrators
will need to balance the desire for complete accounting records against the overhead
incurred, both on the device and on the accounting server. Each command in Table 32.6 has
three parts: the function being accounted for (commands, connections, EXEC sessions, network
services, or system events), the method that determines which records are sent and when
(start-stop, stop-only, or wait-start), and the server type (TACACS+ or RADIUS) that
receives the records.

Table 32.6 AAA Accounting Commands

Each entry gives the command template followed by its description. In the templates, level is
a privilege level (0 to 15), method is one of start-stop, stop-only, or wait-start, and server
is the accounting server type (TACACS+ or RADIUS).

aaa accounting commands level method server
    Audits all commands at the specified privilege level by using the specified method and
    sends the records to the specified server type. Command accounting is supported only by
    TACACS+; RADIUS has no command accounting.

aaa accounting connection method server
    Audits all outbound connections made from the device (including Telnet and rlogin) by
    using the specified method and sends the records to the specified server type.

aaa accounting exec method server
    Audits EXEC (user shell) sessions by using the specified method and sends the records to
    the specified server type.

aaa accounting network method server
    Audits network service requests (including SLIP, PPP, and ARAP requests) by using the
    specified method and sends the records to the specified server type.

aaa accounting system method server
    Audits system-level events that are not tied to a single user session, such as a reload,
    by using the specified method and sends the records to the specified server type. Because
    a router reload is about as effective a denial of service as an attacker can achieve, it is
    worth knowing when the reload occurred and, from the matching command accounting record,
    which user identity issued the command.

aaa accounting function start-stop server
    Sends a start record at the beginning and a stop record at the end of each session of the
    type given by the function parameter, to the specified server type. The start record is
    sent in the background, so the user experiences no delay.

aaa accounting function stop-only server
    Sends only a stop record at the end of each user process of the type given by the function
    parameter, to the specified server type. This is the lowest-overhead method of the three.

aaa accounting function wait-start server
    Similar to start-stop, this command records the start of each session of the type given by
    the function parameter, to the specified server type. However, the user is not permitted to
    continue until the accounting server acknowledges the start record. This can delay user
    access, and if the server is unreachable the requested service does not begin at all.

aaa accounting function method {tacacs+ | radius}
    Enables accounting for the specified function with the specified method, and sends the
    records to a TACACS+ or RADIUS accounting server.
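
The following is an added worked example, not configuration from the original text, that puts
the commands in Table 32.6 together into one complete accounting configuration for a Cisco IOS
device. The server name AAA-SRV1, the server group name ACCT-SERVERS, the address 192.0.2.10
(RFC 5737 documentation range), the local username smithj, and the placeholder secrets are
assumptions chosen for illustration. Because command accounting is supported only by TACACS+,
TACACS+ is used for every function so that a single server group serves the whole device.

```cisco
! Added example (not from the original text). Names, addresses and
! placeholder secrets are assumptions; replace them before use.
aaa new-model
!
! TACACS+ accounting server and the group the accounting lists reference.
tacacs server AAA-SRV1
 address ipv4 192.0.2.10
 key 0 REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ ACCT-SERVERS
 server name AAA-SRV1
!
! Accounting depends on authentication for the username in each record,
! so authenticate against the same servers, with a local fallback account.
! The fallback username follows the lastname/first-initial convention.
aaa authentication login default group ACCT-SERVERS local
username smithj privilege 15 secret REPLACE-WITH-PASSWORD
!
! EXEC sessions: start and stop records, start sent in the background.
aaa accounting exec default start-stop group ACCT-SERVERS
!
! Privileged (level 15) commands: wait-start, so no level-15 command runs
! until the server has acknowledged the start record. This accepts a
! delay in exchange for a guaranteed record of commands such as reload.
aaa accounting commands 15 default wait-start group ACCT-SERVERS
!
! Outbound connections (Telnet, rlogin): stop-only keeps overhead low.
aaa accounting connection default stop-only group ACCT-SERVERS
!
! Network services (PPP and similar): start-stop gives the timing data
! needed for charge-back.
aaa accounting network default start-stop group ACCT-SERVERS
!
! System events such as reload. System accounting uses only the default
! method list, so no named list is given here.
aaa accounting system default start-stop group ACCT-SERVERS
!
! Apply the EXEC and command lists to the VTY lines. The default list
! applies implicitly; it is named here so the intent is visible.
line vty 0 4
 accounting exec default
 accounting commands 15 default
```

The trade-off the table describes is concentrated in the choice of wait-start for level-15
command accounting: if AAA-SRV1 becomes unreachable, privileged commands will not execute until
a server answers, so the server group should contain more than one server before this method is
used in production. After applying the configuration, show aaa servers reports whether the
device can reach AAA-SRV1, which is the first thing to check when accounting records fail to
appear.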

One area in which accounting transcends security is charge-back. If accurate start
and stop times are recorded, a company could charge users for their time on the
system to offset the cost. Internet service providers (ISPs) have long considered
this as an alternative to the flat-rate model currently found in the United States.