Configuring Accounting
Step 4: Configuring Accounting
You have configured both your Cisco Security Appliance and your Cisco Secure
ACS for authentication and authorization. The final portion is to configure accounting.
Accounting tracks specific traffic passing through the firewall: for each connection that
matches an accounting rule, the Security Appliance sends accounting records to the AAA
server group, where they are stored. Accounting does not by itself enforce policy, but the
record it produces shows whether users are performing functions in keeping with company
policy, and the stored log data is commonly used to investigate employees who use the
Internet connection for activities the employer has not authorized. The general syntax of
the command that configures accounting is as follows:
aaa accounting include | exclude acctg-service if-name local-ip
local-mask foreign-ip foreign-mask server-tag
The following items are defined within the aaa accounting command:
■ include—Creates an accounting rule for the specified service and address pair.
■ exclude—Creates an exception to a previously defined include rule; traffic matching the
exclude rule is not accounted for even though a broader include rule covers it.
■ acctg-service—The service that is included or excluded. It is the service that the user is
requesting access to through the firewall. You can configure acctg-service as any, ftp, http,
telnet, or protocol/port, where port is the destination port (for example, 6/23 is Telnet over
TCP). When you configure protocol/port, the protocol is given as its IP protocol number:
— ICMP—1
— TCP—6
— UDP—17
■ if-name—The interface name from which the users should be authenticated and
accounting should be performed.
■ local-ip—The host address or network segment with the highest security level. As with
the other address definitions on the Security Appliance, 0 is used to define “any.”
■ local-mask—The subnet mask that applies to the local-ip; 0 is used to define “any.”
■ foreign-ip—Defines the address space with the lowest security level. The use of 0 defines
“any.”
■ foreign-mask—The subnet mask that applies to the foreign-ip; 0 is used to define “any.”
■ server-tag—The name of the AAA server group to which the accounting records are sent.
The same server-tag is used in the aaa-server, aaa authentication, and aaa authorization
commands, so accounting records go to the group that already performs authentication and
authorization.
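The following configuration is added here as an illustration and is not the book's Example 18-10. The server group name TACACS+, the ACS address 10.0.0.10, the shared key cisco123, and the inside network 10.0.0.0/24 are assumed values that do not come from the page; lines beginning with ! are annotations, not commands. It defines the server group once, reuses the same server-tag for steps 1 through 4, accounts for all traffic from the inside interface, and then uses exclude to carve out HTTP from one segment.

```text
! Assumed values: server group TACACS+, ACS at 10.0.0.10, shared key cisco123,
! inside network 10.0.0.0/24 (none of these come from the page).
pixfirewall(config)# aaa-server TACACS+ protocol tacacs+
pixfirewall(config)# aaa-server TACACS+ (inside) host 10.0.0.10 cisco123 timeout 10
!
! Steps 1-3 (authentication and authorization) use the same server-tag.
pixfirewall(config)# aaa authentication include any inside 0 0 0 0 TACACS+
pixfirewall(config)# aaa authorization include any inside 0 0 0 0 TACACS+
!
! Step 4: account for every service from any inside host to any destination.
! "0 0" for local-ip/local-mask and foreign-ip/foreign-mask means "any".
pixfirewall(config)# aaa accounting include any inside 0 0 0 0 TACACS+
!
! Exception: generate no accounting records for HTTP (TCP port 80, written as
! protocol/port 6/80) from the 10.0.0.0/24 segment. exclude only carves out
! traffic that a matching include rule already covers.
pixfirewall(config)# aaa accounting exclude 6/80 inside 10.0.0.0 255.255.255.0 0 0 TACACS+
!
! Verify the accounting rules as stored in the running configuration.
pixfirewall(config)# show aaa accounting
```

Order matters: the exclude rule is only meaningful because the include rule above it already matches HTTP from that segment. Writing `exclude http` instead of `exclude 6/80` produces the same rule, since http is one of the named services the command accepts.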
Example 18-10 shows how to configure AAA accounting on the PIX Firewall.