
Table Of Contents

CiscoSecure ACS Accounting

Enabling Accounting on the NAS

Enabling TACACS+ Accounting on the NAS

Enabling RADIUS Accounting on the NAS

Configuring Accounting on the CiscoSecure ACS

Directing Storage of RADIUS Accounting Data

Enabling Group Membership Accounting Data

Configuring Accounting Performance on the ACS

Extracting Key Accounting Data

Interpreting TACACS+ Accounting Data

Accounting Database for TACACS+

RADIUS Accounting

Accounting Database Log for RADIUS

Typical Attribute-Value Pairs for RADIUS

Managing Disk Space to Prevent Failed Accounting Record Updates


CiscoSecure ACS Accounting


Accounting is the third major function, after authentication and authorization, in a security system. Accounting can be used by network administrators to bill departments or customers for connection time. Accounting also enables administrators to track suspicious connection attempts into the network.

The TACACS+ and RADIUS protocols provide accounting information that includes start and stop times, login duration, and network resources used. The CiscoSecure ACS stores this accounting information either in the CiscoSecure RDBMS or in a separate file.

This chapter contains information about the CiscoSecure Access Control Server (ACS) software accounting database file and how to enable accounting using the software.

The following sections are included:

Enabling Accounting on the NAS

Configuring Accounting on the CiscoSecure ACS

Extracting Key Accounting Data

Interpreting TACACS+ Accounting Data

RADIUS Accounting

Managing Disk Space to Prevent Failed Accounting Record Updates


Note Accounting is supported only in Cisco IOS Release 11.0 and later.


For more information on how the accounting database is set up, refer to the chapter "CiscoSecure ACS Database Structure" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.

Enabling Accounting on the NAS

CiscoSecure accounting is enabled primarily by configuring each network access server (NAS) to send accounting records to the CiscoSecure ACS.

Enabling TACACS+ Accounting on the NAS


Several types of TACACS+ accounting records are available. Use the following command syntax to configure TACACS+ accounting on the NAS:

aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+

The first set of keywords allows you to specify accounting of the events listed in Table 9-1.


Note The RADIUS accounting record header is written in TACACS+ format so that records from both protocols can be processed together in a mixed RADIUS/TACACS+ environment. It includes only the first several fields, the same fields a TACACS+ accounting record contains.


Table 9-1 Accounting Events on the NAS

Event Type
Meaning

system

Enables accounting for all system-level events not associated with users, such as reloads

network

Enables accounting for all network-related requests, including SLIP, PPP, PPP network control protocols, and ARAP

connection

Enables accounting for outbound Telnet and rlogin

exec

Enables accounting for EXEC processes (user shells)

command level

Enables accounting for all commands at the specified privilege level


You can specify when accounting records are to be sent by using the second set of keywords, which are listed in Table 9-2.

Table 9-2 Accounting Record Keywords on the NAS 

Keyword
Meaning

stop-only

The NAS sends a stop record accounting notice at the end of the specified activity or event (command, EXEC shell, and so on).

start-stop

The NAS sends a start record accounting notice at the beginning of a process and a stop record at the end of the process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting record was acknowledged by the accounting server.

wait-start

The NAS sends both a start and a stop accounting record to the accounting server, but the requested user service does not begin until the start accounting record has been acknowledged. If the accounting server never acknowledges the start record, the service is not started.


Use the following commands to record accounting information on NAS system events, network connections, outbound connections, EXEC operations, and commands at level 1 and level 15:

aaa accounting system start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting connection start-stop tacacs+
aaa accounting exec stop-only tacacs+
aaa accounting command 1 stop-only tacacs+
aaa accounting command 15 wait-start tacacs+

Note Stop records contain elapsed time for connections and EXEC sessions.



Note The aaa accounting command 0 start-stop command is not implemented in Cisco IOS Release 11.0. Check the release notes for your Cisco IOS release to determine whether it has been implemented.



Enabling RADIUS Accounting on the NAS

Several types of RADIUS accounting records are available. Use the following command syntax to configure accounting on the NAS:

aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} radius

The first set of keywords allows you to specify accounting of the events listed in Table 9-3.

Table 9-3 Accounting Events on the NAS 

Event Type
Meaning

system

Enables accounting for all system-level events not associated with users, such as reloads

network

Enables accounting for all network-related requests, including SLIP, PPP, PPP network control protocols, and ARAP

connection

Enables accounting for outbound Telnet and rlogin

exec

Enables accounting for EXEC processes (user shells)

command level

Enables accounting for all commands at the specified privilege level


You can specify when accounting records are to be sent by using the second set of keywords, which are listed in Table 9-4.

Table 9-4 Accounting Record Keywords on the NAS 

Keyword
Meaning

stop-only

The NAS sends a stop record accounting notice at the end of the specified activity or event (command, EXEC shell, and so on).

start-stop

The NAS sends a start record accounting notice at the beginning of a process and a stop record at the end of the process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting record was acknowledged by the accounting server.

wait-start

The NAS sends both a start and a stop accounting record to the accounting server, but the requested user service does not begin until the start accounting record has been acknowledged. If the accounting server never acknowledges the start record, the service is not started.


Use the following commands to record accounting information on NAS system events, network connections, outbound connections, EXEC operations, and commands at level 1 and level 15:

aaa accounting system start-stop radius
aaa accounting network start-stop radius
aaa accounting connection start-stop radius
aaa accounting exec stop-only radius
aaa accounting command 1 stop-only radius
aaa accounting command 15 wait-start radius

Note Stop records contain elapsed time for connections and EXEC sessions.



Note The aaa accounting command 0 start-stop command is not implemented in Cisco IOS Release 11.0. Check the release notes for your Cisco IOS release to determine whether it has been implemented.



Caution When you specify any kind of accounting, the database will log every transaction. Depending on the number of transactions and the size of your database, the log file can expand and very quickly fill up your disk. For details, see the "Configuring Accounting on the CiscoSecure ACS" section and the "Enabling Group Membership Accounting Data" section.

Configuring Accounting on the CiscoSecure ACS

The Java-based CiscoSecure Administrator advanced configuration program enables limited configuration of CiscoSecure accounting.

Directing Storage of RADIUS Accounting Data

If you are supporting CiscoSecure RADIUS accounting, you should use the Java-based CiscoSecure Administrator advanced configuration program to direct where you want the CiscoSecure ACS to store its RADIUS accounting data.


Step 1 Start the Java-based CiscoSecure Administrator advanced configuration program and click the Servers tab.

Step 2 In the left window of the Servers page, click the IP address of the CiscoSecure ACS whose RADIUS accounting data you want to direct.

Step 3 In the Accounting field, select a RADIUS accounting data storage method. Your choices are:

Database—Place accounting information in a database in a modified format.

Database and File—Place accounting information in both a database and a flat file.

Database then File—Place accounting information in the database. If for any reason the CiscoSecure ACS is no longer able to place it in the database, the accounting information will be placed in a flat file.

File—Place accounting information in a flat file (text in RADIUS format).

None—Ignore accounting packets on this server.



Note In CiscoSecure ACS 2.3 for UNIX a new parameter in the [AccountingMgr] section of the $BASEDIR/config/CSConfig.ini file can override the above settings. If you set LogRawAccountingPacketToDB = disable, writing of accounting records to any database will be disabled. Writing of accounting records to a flat file will be unaffected.


Enabling Group Membership Accounting Data

The CiscoSecure ACS software can add a field to each accounting record that will indicate the immediate group membership of the corresponding user. In this way, accounting organizations can easily know whether to adjust billing information according to the user's group association.

The ability to display group membership for billing and accounting is achieved by enabling the accounting feature on the NAS and by enabling the accounting member attribute in the Java-based CiscoSecure Administrator advanced configuration program.


Note You cannot enable group membership accounting if you selected the none or file RADIUS accounting storage option for the Accounting field in the Servers page of the Java-based CiscoSecure Administrator advanced configuration program.



Step 1 Start the CiscoSecure Administrator advanced configuration program, click the Members tab and deselect Browse.

Step 2 In the Browser pane, do one of the following:

Select the profile of an individual user whose group membership you want displayed in that user's accounting records.

Select the profile of a group whose membership you want displayed in the accounting records of each of its users.


Note If you apply the group membership accounting attribute to a group profile, the accounting attribute is automatically inherited by and applied to all members of that group.


Step 3 Select the Profile icon to display the Options menu.

Step 4 In the Options menu, select Accounting Function.

Step 5 Click Apply then click Submit.

Step 6 Verify that the config_acct_fn_enable variable in the $BASEDIR/config/CSU.cfg file is set to its default setting:

config_acct_fn_enable = 1


Note If you need to quickly disable group membership accounting on a global basis, you can simply reset the config_acct_fn_enable variable to 0, saving yourself the effort of removing the "Accounting function" attribute from each user profile.


Configuring Accounting Performance on the ACS

CiscoSecure ACS 2.3 for UNIX supports new parameters in the [AccountingMgr] section of the $BASEDIR/config/CSConfig.ini file that permit you to configure memory buffering for ACS accounting. The parameters and default settings are listed in Table 9-5.

Table 9-5 Accounting Management Parameters in the CSConfig.ini File 

Parameter
Default
Description and Example

LogRawAccountingPacketToDB

enable

Enables writing of raw accounting packets to the RDBMS cs_accounting_log database table.

BufferAccountingPackets

enable

Enables buffering of accounting packets in memory before they are stored in the RDBMS. If this setting is enabled, the DBServer module creates one buffer for each available database connection minus 2, up to a maximum of 8 buffers.

NOTE: In case of sudden termination of the DBServer module (that is, situations where the DBServer is terminated before it can issue a "DBServer has shut down" message), records in this buffer will be lost.

AccountingBufferSize

500

Specifies, in bytes, the size of each packet buffer. Permissible values range from 5 to 10000.

ProcessInMemoryMaxSessionInfo

enable

Enables in-memory processing of user max-sessions information.

ArchiveMaxSessionInfoToDB

enable

Enables writing of user max-sessions information to the RDBMS cs_user_accounting database table.

NOTE: If the BufferAccountingPackets and ProcessInMemoryMaxSessionInfo parameters are enabled, then max sessions information records will be buffered as well.

AcctPurgeInterval

60

Specifies, in minutes, the minimum interval between the times that the system checks for accounting sessions to purge. Because this purge check interval is dependent upon internal variably-timed DBServer processes, the value set here is not accurate to the minute.

For example, the setting:

AcctPurgeInterval = 75

does not necessarily guarantee that a purge check will be performed every 75 minutes. It does guarantee that a purge check will be performed no more frequently than once every 75 minutes. The actual interval between purge checks could be anything from 75 minutes to 135 minutes.

The minimum value for this parameter is 60 minutes.

AcctPurgeTimeOut

1440

Specifies the maximum number of minutes that a CiscoSecure session can remain open before the system assumes it is timed out and purges it.

This value is dependent on the AcctPurgeInterval setting and is not accurate to the minute. It is not intended to be set to less than 60.


Increasing Accounting Reliability

Buffering accounting records in memory carries an inherent risk of record loss in the unlikely event that the DBServer terminates ungracefully or is otherwise unable to write to the RDBMS. To eliminate this risk, you can set the BufferAccountingPackets and ProcessInMemoryMaxSessionInfo parameters to disable, which stops accounting record buffering; however, doing so substantially reduces accounting performance.
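The following is an added example, not part of the Cisco documentation: it loads the [AccountingMgr] section of CSConfig.ini with Python's configparser and checks each parameter against the ranges given in Table 9-5, then flags the buffering settings that the preceding paragraph identifies as a record-loss risk. The sample ini text is constructed here (the documented defaults, with the page's own 75-minute AcctPurgeInterval example), and "reliability profile" is this example's name for the buffering-off configuration described above.

```python
"""Lint the [AccountingMgr] section of CSConfig.ini against the ranges in Table 9-5."""
import configparser

# Constructed sample: the documented defaults, except AcctPurgeInterval, which uses
# the page's own 75-minute example.
SAMPLE_INI = """\
[AccountingMgr]
LogRawAccountingPacketToDB = enable
BufferAccountingPackets = enable
AccountingBufferSize = 500
ProcessInMemoryMaxSessionInfo = enable
ArchiveMaxSessionInfoToDB = enable
AcctPurgeInterval = 75
AcctPurgeTimeOut = 1440
"""

FLAGS = ("LogRawAccountingPacketToDB", "BufferAccountingPackets",
         "ProcessInMemoryMaxSessionInfo", "ArchiveMaxSessionInfoToDB")

def load_accounting_mgr(text):
    """Return the [AccountingMgr] parameters as a dict of strings."""
    cp = configparser.ConfigParser()
    cp.optionxform = str          # keep the parameter names' case as written
    cp.read_string(text)
    return dict(cp["AccountingMgr"])

def check_accounting_mgr(params):
    """Return a list of (level, message): "error" for out-of-range values,
    "warn" for legal settings that trade reliability for speed."""
    findings = []

    def flag(name):
        return params.get(name, "enable").lower()

    for name in FLAGS:
        if flag(name) not in ("enable", "disable"):
            findings.append(("error", f"{name}: expected enable or disable, got {params[name]!r}"))
    size = int(params.get("AccountingBufferSize", 500))
    if not 5 <= size <= 10000:
        findings.append(("error", f"AccountingBufferSize={size} is outside 5..10000"))
    interval = int(params.get("AcctPurgeInterval", 60))
    if interval < 60:
        findings.append(("error", f"AcctPurgeInterval={interval} is below the 60-minute minimum"))
    timeout = int(params.get("AcctPurgeTimeOut", 1440))
    if timeout < 60:
        findings.append(("error", f"AcctPurgeTimeOut={timeout} is not intended to be set below 60"))
    if flag("LogRawAccountingPacketToDB") == "disable":
        findings.append(("warn", "LogRawAccountingPacketToDB=disable overrides the Servers tab: "
                                 "no accounting records reach the RDBMS"))
    if flag("BufferAccountingPackets") == "enable":
        findings.append(("warn", "BufferAccountingPackets=enable: buffered records are lost if "
                                 "DBServer terminates before it can flush them"))
        if flag("ProcessInMemoryMaxSessionInfo") == "enable":
            findings.append(("warn", "ProcessInMemoryMaxSessionInfo=enable: max-sessions "
                                     "records are buffered in memory as well"))
    return findings

def reliability_profile(params):
    """Same parameters with in-memory buffering turned off, as described under
    'Increasing Accounting Reliability' (slower, but no records at risk)."""
    return {**params, "BufferAccountingPackets": "disable",
            "ProcessInMemoryMaxSessionInfo": "disable"}

if __name__ == "__main__":
    p = load_accounting_mgr(SAMPLE_INI)
    for level, msg in check_accounting_mgr(p):
        print(level, msg)
    print("reliability profile:", check_accounting_mgr(reliability_profile(p)))
```

Run it against a copy of $BASEDIR/config/CSConfig.ini after any change; the "warn" findings are the price of the default performance settings, and an empty result for the reliability profile confirms that nothing is buffered.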

Extracting Key Accounting Data

The CiscoSecure ACS AcctExport tool exports raw accounting data from the RDBMS table into an external file.


Caution This option can significantly increase the time required for the export operation. It could, for example, increase the time required to export an SQLAnywhere database with 3,000 users from minutes to hours.

To run the AcctExport tool:


Step 1 Change directories as follows:

cd $BASEDIR/utils/bin

$BASEDIR refers to your CiscoSecure ACS install directory.

Step 2 Run AcctExport as follows:

./AcctExport filename [no_truncate] [clean] [no_active]

This command outputs all of your accounting data into the specified filename. If the file already exists, then its contents will be overwritten.

The filename is required and refers to the path name of the target file. When there is no option other than filename, AcctExport will export all accounting records (except the start records for the active sessions) to the file, then remove the records from the accounting tables. CiscoSecure is not required to be offline for this operation.

The no_truncate option directs the tool to behave in the same manner as the default option except that no records from the tables will be removed.

If the clean option is specified, the tool exports all the accounting records present in the tables (regardless of active or non-active sessions) to the external file and deletes them from the tables. The tool also resets the sequence numbers that the CiscoSecure DBServer uses for accounting records. The sequence numbers identify each accounting record and user session and range from 1 to 2,147,483,647; the current sequence numbers can be obtained from the cs_id table. When using this option, make sure either that CiscoSecure is offline or that accounting is turned off.

If the no_active option is specified, only completed sessions, those with matching start and stop packets, are exported.


Interpreting TACACS+ Accounting Data

For the TACACS+ protocol, all accounting data is stored in the relational database management system (RDBMS). From the RDBMS tables, you can run the AcctExport tool to export the accounting data to an ASCII file.

Accounting Database for TACACS+

Use the AcctExport tool to extract the accounting data to a text file. An accounting record for TACACS+ is structured like the following example:

char nas_name[] /* NAS name */
char user_name[] /* username */
char port_name[] /* port the connection is on */
char remote_address[] /* where the user connected from */
char record_type[] /* (start, update, stop etc) */
char server[] /* hostname of the server, as an AV pair */
char time[] /* time of this record, as an AV pair */
char date[] /* date of this record, as an AV pair */
char attribute_value_pairs[] /* there are an arbitrary number of these */

TACACS+ Accounting System Output

Each accounting record is terminated by the newline character (\n); record lengths are not fixed. All numeric values in attribute_value_pair strings are sent and recorded as decimal ASCII numbers. The accounting record file consists of a sequence of such records, written to stable storage on a periodic, configurable basis.

The following sample output packets are TACACS+ start and stop accounting records for an ISDN session using both B-channels. The NAS was 10.1.0.1; the user was user9 and was assigned IP address 11.11.11.108; the ACS was goodboy.

10.1.0.1 user9 BRI0/0:1 - start server=goodboy
time=08:46:02 date=09/04/1998
task_id=201 timezone=UTC service=ppp

10.1.0.1 user9 BRI0/0:2 - start server=goodboy
time=08:46:05 date=09/04/1998
task_id=202 timezone=UTC service=ppp

10.1.0.1 user9 BRI0/0:1 - stop server=goodboy
time=08:46:20 date=09/04/1998
task_id=201 timezone=UTC service=ppp mlp-links-max=2
mlp-sess-id=53 protocol=ip addr=11.11.11.108
bytes_in=205 bytes_out=93 paks_in=15 paks_out=6
elapsed_time=18

10.1.0.1 user9 BRI0/0:2 - stop server=goodboy
time=08:46:20 date=09/04/1998
task_id=202 timezone=UTC service=ppp mlp-links-max=2 protocol=ip
addr=11.11.11.108
mlp-sess-id=53 bytes_in=16 bytes_out=149 paks_in=1 paks_out=8
elapsed_time=15
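The following is an added example, not part of the Cisco documentation: a Python parser for exported TACACS+ accounting records in the layout given above (five fixed fields, then attribute=value pairs) that pairs start and stop records by NAS and task_id, checks the reported elapsed_time against the start and stop timestamps, and sums the per-link records of a multilink PPP session by mlp-sess-id. The sample records are constructed here from the page's ISDN session, written one record per line as the export file stores them, plus a made-up stop-only EXEC record for a user7 to show the unmatched-stop case.

```python
"""Parse CiscoSecure ACS TACACS+ accounting records and reconcile start/stop pairs."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the page's ISDN session written one record per line (as the
# export file stores it), plus a made-up stop-only EXEC record for user7.
SAMPLE_RECORDS = """\
10.1.0.1 user9 BRI0/0:1 - start server=goodboy time=08:46:02 date=09/04/1998 task_id=201 timezone=UTC service=ppp
10.1.0.1 user9 BRI0/0:2 - start server=goodboy time=08:46:05 date=09/04/1998 task_id=202 timezone=UTC service=ppp
10.1.0.1 user9 BRI0/0:1 - stop server=goodboy time=08:46:20 date=09/04/1998 task_id=201 timezone=UTC service=ppp mlp-links-max=2 mlp-sess-id=53 protocol=ip addr=11.11.11.108 bytes_in=205 bytes_out=93 paks_in=15 paks_out=6 elapsed_time=18
10.1.0.1 user9 BRI0/0:2 - stop server=goodboy time=08:46:20 date=09/04/1998 task_id=202 timezone=UTC service=ppp mlp-links-max=2 protocol=ip addr=11.11.11.108 mlp-sess-id=53 bytes_in=16 bytes_out=149 paks_in=1 paks_out=8 elapsed_time=15
10.1.0.1 user7 tty3 192.0.2.9 stop server=goodboy time=08:47:00 date=09/04/1998 task_id=203 timezone=UTC service=shell elapsed_time=4
"""

@dataclass
class Record:
    nas: str        # NAS name or address
    user: str
    port: str
    remote: str     # "-" when the NAS reported no remote address
    rtype: str      # start, update, stop
    av: dict        # attribute=value pairs, all values kept as strings

def parse_record(line):
    """One record: five fixed fields, then an arbitrary number of AV pairs."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"short record: {line!r}")
    av = {}
    for tok in fields[5:]:
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed AV pair {tok!r} in {line!r}")
        av[key] = val
    return Record(*fields[:5], av)

def parse_records(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def record_time(rec):
    return datetime.strptime(f"{rec.av['date']} {rec.av['time']}", "%m/%d/%Y %H:%M:%S")

def reconcile(records):
    """Pair start and stop records by (nas, task_id).

    Returns (completed, open_starts, stop_only). open_starts are sessions with no
    stop yet (still active, or a lost stop record); stop_only is normal for
    activities configured with the stop-only keyword on the NAS."""
    starts, completed, stop_only = {}, [], []
    for rec in records:
        key = (rec.nas, rec.av.get("task_id"))
        if rec.rtype == "start":
            starts[key] = rec
        elif rec.rtype == "stop":
            start = starts.pop(key, None)
            if start is None:
                stop_only.append(rec)
                continue
            wall = int((record_time(rec) - record_time(start)).total_seconds())
            reported = int(rec.av.get("elapsed_time", "0"))
            completed.append({
                "user": rec.user, "port": rec.port, "task_id": key[1],
                "mlp_sess_id": rec.av.get("mlp-sess-id"),
                "elapsed_time": reported, "wall_clock": wall,
                "bytes_in": int(rec.av.get("bytes_in", "0")),
                "bytes_out": int(rec.av.get("bytes_out", "0")),
                # elapsed_time should agree with the start/stop timestamps to the second
                "consistent": abs(wall - reported) <= 1,
            })
    return completed, list(starts.values()), stop_only

def multilink_totals(completed):
    """Sum the per-link stop records of one multilink PPP session (mlp-sess-id)."""
    totals = {}
    for c in completed:
        sid = c["mlp_sess_id"]
        if sid is None:
            continue
        t = totals.setdefault(sid, {"user": c["user"], "links": 0, "bytes_in": 0, "bytes_out": 0})
        t["links"] += 1
        t["bytes_in"] += c["bytes_in"]
        t["bytes_out"] += c["bytes_out"]
    return totals

if __name__ == "__main__":
    done, still_open, stop_only = reconcile(parse_records(SAMPLE_RECORDS))
    for c in done:
        print(c)
    print("open:", len(still_open), "stop-only:", len(stop_only))
    print(multilink_totals(done))
```

A start record left in open_starts long after AcctPurgeTimeOut, or a stop whose elapsed_time disagrees with the timestamps, is worth a look: the former usually means a lost stop record (or a DBServer buffer lost on abrupt shutdown), the latter a NAS clock problem.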

RADIUS Accounting

This section presents accounting information that applies if you are using the RADIUS protocol.

Accounting Database Log for RADIUS

The following example shows typical RADIUS accounting packets. Raw RADIUS accounting packets are stored in this structure only if the RADIUS server is configured to record accounting packets to the RDBMS. Using the web-based interface, you can configure the CiscoSecure ACS to record accounting packets to the RDBMS.


Note The CiscoSecure ACS puts the first two lines of each packet in TACACS+ format.


The RADIUS accounting example below is the output for start and stop packets for a full ISDN, 2-B-channel session:

10.1.0.18 user9 30201 6228212 start server=freeport
time=10:51:27 date=09/09/1998 task_id=0000005A
Wed Sep 9 11:51:26 1998
NAS-IP-Address = 10.1.0.18
NAS-Port = 30201
NAS-Port-Type = ISDN-Sync
User-Name = "user9"
Calling-Station-Id = "6228212"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Acct-Session-Id = "0000005A"
Framed-Protocol = PPP
Acct-Delay-Time = 0

10.1.0.18 user9 30202 6228213 start server=freeport
time=10:51:29 date=09/09/1998 task_id=0000005B
Wed Sep 9 11:51:29 1998
NAS-IP-Address = 10.1.0.18
NAS-Port = 30202
NAS-Port-Type = ISDN-Sync
User-Name = "user9"
Calling-Station-Id = "6228213"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Acct-Session-Id = "0000005B"
Framed-Protocol = PPP
Acct-Delay-Time = 0

10.1.0.18 user9 30202 6228213 stop server=freeport
time=10:56:27 date=09/09/1998 task_id=0000005B
Wed Sep 9 11:56:26 1998
NAS-IP-Address = 10.1.0.18
NAS-Port = 30202
NAS-Port-Type = ISDN-Sync
User-Name = "user9"
Calling-Station-Id = "6228213"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Acct-Session-Id = "0000005B"
Framed-Protocol = PPP
Acct-Link-Count = 2
Framed-IP-Address = 10.1.0.35
Acct-Multi-Session-Id = "39"
Acct-Input-Octets = 580
Acct-Output-Octets = 751
Acct-Input-Packets = 39
Acct-Output-Packets = 48
Acct-Session-Time = 298
Acct-Delay-Time = 0

10.1.0.18 user9 30201 6228212 stop server=freeport
time=10:56:27 date=09/09/1998 task_id=0000005A
Wed Sep 9 11:56:26 1998
NAS-IP-Address = 10.1.0.18
NAS-Port = 30201
NAS-Port-Type = ISDN-Sync
User-Name = "user9"
Calling-Station-Id = "6228212"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Acct-Session-Id = "0000005A"
Framed-Protocol = PPP
Acct-Link-Count = 2
Acct-Multi-Session-Id = "39"
Framed-IP-Address = 10.1.0.35
Acct-Input-Octets = 807
Acct-Output-Octets = 669
Acct-Input-Packets = 56
Acct-Output-Packets = 45
Acct-Session-Time = 300
Acct-Delay-Time = 0
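The following is an added example, not part of the Cisco documentation: a Python parser for the hybrid dump shown above, in which each packet begins with two TACACS+-format header lines and a receipt timestamp and is followed by RADIUS attribute lines. It pairs Start and Stop packets by Acct-Session-Id, compares Acct-Session-Time with the header clock, and sums the octets of the links that share an Acct-Multi-Session-Id. The sample dump is constructed here, abridged from the page's two-B-channel example to the attributes the code uses.

```python
"""Parse the RADIUS accounting dump written by CiscoSecure ACS and check its sessions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, abridged from the page's two-B-channel example: each packet is
# the two TACACS+-style header lines, the receipt timestamp, then RADIUS attributes.
SAMPLE_DUMP = """\
10.1.0.18 user9 30201 6228212 start server=freeport
time=10:51:27 date=09/09/1998 task_id=0000005A
Wed Sep 9 11:51:26 1998
NAS-IP-Address = 10.1.0.18
User-Name = "user9"
Acct-Status-Type = Start
Acct-Session-Id = "0000005A"
10.1.0.18 user9 30202 6228213 start server=freeport
time=10:51:29 date=09/09/1998 task_id=0000005B
Wed Sep 9 11:51:29 1998
NAS-IP-Address = 10.1.0.18
User-Name = "user9"
Acct-Status-Type = Start
Acct-Session-Id = "0000005B"
10.1.0.18 user9 30202 6228213 stop server=freeport
time=10:56:27 date=09/09/1998 task_id=0000005B
Wed Sep 9 11:56:26 1998
User-Name = "user9"
Acct-Status-Type = Stop
Acct-Session-Id = "0000005B"
Acct-Multi-Session-Id = "39"
Acct-Input-Octets = 580
Acct-Output-Octets = 751
Acct-Session-Time = 298
10.1.0.18 user9 30201 6228212 stop server=freeport
time=10:56:27 date=09/09/1998 task_id=0000005A
Wed Sep 9 11:56:26 1998
User-Name = "user9"
Acct-Status-Type = Stop
Acct-Session-Id = "0000005A"
Acct-Multi-Session-Id = "39"
Acct-Input-Octets = 807
Acct-Output-Octets = 669
Acct-Session-Time = 300
"""

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(start|stop|update)\s+server=(\S+)$")
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*)\s*=\s*(.*)$")

def parse_dump(text):
    """Split the dump into packets: header fields, header AV pairs, RADIUS attributes."""
    packets, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = HEADER_RE.match(line)
        if m:
            cur = {"nas": m[1], "user": m[2], "port": m[3], "calling": m[4],
                   "type": m[5], "server": m[6], "hdr": {}, "attrs": {}}
            packets.append(cur)
        elif cur is None:
            raise ValueError(f"line before any packet header: {line!r}")
        elif line.startswith("time="):
            cur["hdr"].update(tok.partition("=")[::2] for tok in line.split())
        elif (m := ATTR_RE.match(line)):
            cur["attrs"][m[1]] = m[2].strip('"')   # drop the quotes around strings
        else:
            cur["received"] = line                 # the ctime()-style receipt stamp
    return packets

def header_time(pkt):
    return datetime.strptime(f"{pkt['hdr']['date']} {pkt['hdr']['time']}", "%m/%d/%Y %H:%M:%S")

def check_sessions(packets):
    """Pair Start/Stop by Acct-Session-Id; compare Acct-Session-Time with the header
    clock. Returns (results, still_open); still_open never received a Stop."""
    starts, results = {}, {}
    for p in packets:
        a = p["attrs"]
        sid, status = a.get("Acct-Session-Id"), a.get("Acct-Status-Type")
        if status == "Start":
            starts[sid] = p
        elif status == "Stop":
            start = starts.pop(sid, None)
            wall = int((header_time(p) - header_time(start)).total_seconds()) if start else None
            reported = int(a.get("Acct-Session-Time", 0))
            results[sid] = {"user": p["user"], "reported": reported, "wall": wall,
                            "consistent": wall is not None and abs(wall - reported) <= 1}
    return results, starts

def multilink_totals(packets):
    """Sum octets over the Stop packets sharing an Acct-Multi-Session-Id (one per link)."""
    totals = defaultdict(lambda: {"links": set(), "in_octets": 0, "out_octets": 0})
    for p in packets:
        a = p["attrs"]
        if a.get("Acct-Status-Type") != "Stop" or "Acct-Multi-Session-Id" not in a:
            continue
        t = totals[a["Acct-Multi-Session-Id"]]
        t["links"].add(a["Acct-Session-Id"])
        t["in_octets"] += int(a.get("Acct-Input-Octets", 0))
        t["out_octets"] += int(a.get("Acct-Output-Octets", 0))
    return dict(totals)

if __name__ == "__main__":
    pk = parse_dump(SAMPLE_DUMP)
    print(check_sessions(pk)[0])
    print(multilink_totals(pk))
```

Billing a multilink call from a single Stop packet undercounts it; the Acct-Multi-Session-Id total above is the figure that covers both B-channels.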

Typical Attribute-Value Pairs for RADIUS

Most RADIUS attribute-value pairs have TACACS+ equivalents, although the names and formats differ slightly. For example, the TACACS+ attribute event_id corresponds to the RADIUS attribute Acct-Session-Id. See "RADIUS Attribute-Value Pairs and Dictionary Management" for more information, including a table comparing RADIUS and TACACS+ attributes.

Managing Disk Space to Prevent Failed Accounting Record Updates

Failure to maintain sufficient available disk space on the SQLAnywhere, Oracle, or Sybase database server storing records for the CiscoSecure ACS can result in a general warning message and a failure to update CiscoSecure accounting records. To prevent such failures, the system administrator should:

Ensure that sufficient disk space exists to record and update all login transactions.

A typical example of heavy accounting disk space requirements might be those of an ISP's ACS, running TACACS+ protocol, receiving about 200,000 login requests per day, and configured to send Start, Update, and Stop accounting records (approximately 200 bytes each) for each login.

To calculate the accounting-related database disk space requirements for the above example, you would multiply 200,000 (logins per day) x 3 (accounting records per login) x 200 (bytes per record). The result indicates that 120 MB of disk space per day on the SQLAnywhere, Oracle, or Sybase database server would be required to accommodate the daily accounting data in the above example.

Periodically run the CiscoSecure AcctExport tool to export the accounting records from the SQLAnywhere, Oracle, or Sybase RDBMS to a flat file.



Posted: Wed Feb 16 09:51:09 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.