Table Of Contents
Enabling Accounting on the NAS
Enabling TACACS+ Accounting on the NAS
Enabling RADIUS Accounting on the NAS
Configuring Accounting on the CiscoSecure ACS
Directing Storage of RADIUS Accounting Data
Enabling Group Membership Accounting Data
Configuring Accounting Performance on the ACS
Extracting Key Accounting Data
Interpreting TACACS+ Accounting Data
Accounting Database for TACACS+
Accounting Database Log for RADIUS
Typical Attribute-Value Pairs for RADIUS
Managing Disk Space to Prevent Failed Accounting Record Updates
CiscoSecure ACS Accounting
Accounting is the third major function, after authentication and authorization, in a security system. Accounting can be used by network administrators to bill departments or customers for connection time. Accounting also enables administrators to track suspicious connection attempts into the network.
The TACACS+ and RADIUS protocols provide accounting information that includes start and stop times, login duration, and network resources used. The CiscoSecure ACS stores this accounting information either in the CiscoSecure RDBMS or in a separate file.
This chapter contains information about the CiscoSecure Access Control Server (ACS) software accounting database file and how to enable accounting using the software.
The following sections are included:
• Enabling Accounting on the NAS
• Configuring Accounting on the CiscoSecure ACS
• Extracting Key Accounting Data
• Interpreting TACACS+ Accounting Data
• Managing Disk Space to Prevent Failed Accounting Record Updates
Note Accounting is supported only in Cisco IOS Release 11.0 and later.
For more information on how the accounting database is set up, refer to the chapter "CiscoSecure ACS Database Structure" in the CiscoSecure ACS 2.3 for UNIX Reference Guide.
Enabling Accounting on the NAS
The CiscoSecure accounting feature is enabled primarily by configuring the network access servers (NASs) to send accounting records to the CiscoSecure ACS.
Enabling TACACS+ Accounting on the NAS
Several types of TACACS+ accounting records are available. Use the following command syntax to configure TACACS+ accounting on the NAS:
aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+
The first set of keywords allows you to specify accounting of the events listed in Table 9-1.
Note The RADIUS accounting header is provided in TACACS+ format to be compatible in a RADIUS/TACACS+ environment. It includes only the first several fields, the same as a TACACS+ accounting record contains.
You can specify when accounting records are to be sent by using the second set of keywords, which are listed in Table 9-2.
Use the following commands to record accounting information on NAS system events, network connections, outbound connections, EXEC operations, and commands at level 1 and level 15:
aaa accounting system start-stop tacacs+
aaa accounting network start-stop tacacs+
aaa accounting connection start-stop tacacs+
aaa accounting exec stop-only tacacs+
aaa accounting command 1 stop-only tacacs+
aaa accounting command 15 wait-start tacacs+
Note Stop records contain elapsed time for connections and EXEC sessions.
Note The aaa accounting command 0 start-stop command is not implemented in Cisco IOS Release 11.0. Check the release notes for your Cisco IOS release to determine whether it has been implemented.
Enabling RADIUS Accounting on the NAS
Several types of RADIUS accounting records are available. Use the following command syntax to configure accounting on the NAS:
aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} radius
The first set of keywords allows you to specify accounting of the events listed in Table 9-3.
You can specify when accounting records are to be sent by using the second set of keywords, which are listed in Table 9-4.
Use the following commands to record accounting information on NAS system events, network connections, outbound connections, EXEC operations, and commands at level 1 and level 15:
aaa accounting system start-stop radius
aaa accounting network start-stop radius
aaa accounting connection start-stop radius
aaa accounting exec stop-only radius
aaa accounting command 1 stop-only radius
aaa accounting command 15 wait-start radius
Note Stop records contain elapsed time for connections and EXEC sessions.
Note The aaa accounting command 0 start-stop command is not implemented in Cisco IOS Release 11.0. Check the release notes for your Cisco IOS release to determine whether it has been implemented.
Caution When you specify any kind of accounting, the database will log every transaction. Depending on the number of transactions and the size of your database, the log file can expand and very quickly fill up your disk. For details, see the "Configuring Accounting on the CiscoSecure ACS" section and the "Enabling Group Membership Accounting Data" section.
Configuring Accounting on the CiscoSecure ACS
The Java-based CiscoSecure Administrator advanced configuration program enables limited configuration of CiscoSecure accounting.
Directing Storage of RADIUS Accounting Data
If you are supporting CiscoSecure RADIUS accounting, you should use the Java-based CiscoSecure Administrator advanced configuration program to direct where you want the CiscoSecure ACS to store its RADIUS accounting data.
Step 1 Start the Java-based CiscoSecure Administrator advanced configuration program and click the Servers tab.
Step 2 In the left window of the Servers page, click the IP address of the CiscoSecure ACS whose RADIUS accounting data you want to direct.
Step 3 In the Accounting field, select a RADIUS accounting data storage method. Your choices are:
• Database—Place accounting information in a database in a modified format.
• Database and File—Place accounting information in both a database and a flat file.
• Database then File—Place accounting information in the database. If for any reason the CiscoSecure ACS is no longer able to place it in the database, the accounting information will be placed in a flat file.
• File—Place accounting information in a flat file (text in RADIUS format).
• None—Ignore accounting packets on this server.
Note In CiscoSecure ACS 2.3 for UNIX a new parameter in the [AccountingMgr] section of the $BASEDIR/config/CSConfig.ini file can override the above settings. If you set LogRawAccountingPacketToDB = disable, writing of accounting records to any database will be disabled. Writing of accounting records to a flat file will be unaffected.
Enabling Group Membership Accounting Data
The CiscoSecure ACS software can add a field to each accounting record that will indicate the immediate group membership of the corresponding user. In this way, accounting organizations can easily know whether to adjust billing information according to the user's group association.
The ability to display group membership for billing and accounting is achieved by enabling the accounting feature on the NAS and by enabling the accounting member attribute in the Java-based CiscoSecure Administrator advanced configuration program.
Note You cannot enable group membership accounting if you selected the none or file RADIUS accounting storage option for the Accounting field in the Servers page of the Java-based CiscoSecure Administrator advanced configuration program.
Step 1 Start the CiscoSecure Administrator advanced configuration program, click the Members tab and deselect Browse.
Step 2 In the Browser pane, do one of the following:
• Select the profile of an individual user whose group membership you want displayed in that user's accounting records.
• Select the profile of a group whose membership you want displayed in the accounting records of each of its users.
Note If you apply the group membership accounting attribute to a group profile, the accounting attribute is automatically inherited by and applied to all members of that group.
Step 3 Select the Profile icon to display the Options menu.
Step 4 In the Options menu, select Accounting Function.
Step 5 Click Apply then click Submit.
Step 6 Verify that the config_acct_fn_enable variable in the $BASEDIR/config/CSU.cfg file is set to its default setting:
config_acct_fn_enable = 1
Note If you need to quickly disable group membership accounting on a global basis, you can simply reset the config_acct_fn_enable variable to 0, saving yourself the effort of removing the "Accounting function" attribute from each user profile.
Configuring Accounting Performance on the ACS
CiscoSecure ACS 2.3 for UNIX supports new parameters in the [AccountingMgr] section of the $BASEDIR/config/CSConfig.ini file that permit you to configure memory buffering for ACS accounting. The parameters and default settings are listed in Table 9-5.
Increasing Accounting Reliability
The buffering of accounting records in memory carries an inherent risk of record loss in the unlikely event that the DBServer terminates ungracefully or is unable to write to the RDBMS for some other reason. To minimize this risk, you can set the BufferAccountingPackets and ProcessInMemoryMaxSessionInfo parameters to disable to stop accounting record buffering; however, doing so will adversely and substantially affect accounting performance.
Extracting Key Accounting Data
The CiscoSecure ACS AcctExport tool exports raw accounting data from the RDBMS table into an external file.
Caution This option can significantly increase the time required for the export operation. It could, for example, increase the time required to export an SQLAnywhere database with 3,000 users from minutes to hours.
To run the AcctExport tool:
Step 1 Change directories as follows:
cd $BASEDIR/utils/bin
$BASEDIR refers to your CiscoSecure ACS install directory.
Step 2 Run AcctExport as follows:
./AcctExport filename [no_truncate] [clean] [no_active]
This command outputs all of your accounting data into the specified filename. If the file already exists, then its contents will be overwritten.
The filename is required and refers to the path name of the target file. When there is no option other than filename, AcctExport will export all accounting records (except the start records for the active sessions) to the file, then remove the records from the accounting tables. CiscoSecure is not required to be offline for this operation.
The no_truncate option directs the tool to behave in the same manner as the default option except that no records from the tables will be removed.
If the clean option is specified, the tool exports all the accounting records present in the tables (regardless of active or non-active sessions) to the external file and deletes them from the tables. The tool will also reset the sequence numbers used for accounting records by the CiscoSecure DBServer. The sequence numbers are used to identify each accounting record and user sessions. These numbers are in the range from 1 to 2,147,483,647. The current sequence numbers can be obtained from the cs_id table. When using this option, make sure either that CiscoSecure is off-line or that accounting is turned off. If the no_active option is specified, only completed sessions, those with matching start and stop packets, will be exported.
Interpreting TACACS+ Accounting Data
For the TACACS+ protocol, all accounting data is stored in the relational database management system (RDBMS). From the RDBMS tables, you can run a special tool to export the accounting data to an ASCII file.
Accounting Database for TACACS+
Use the AcctExport tool to extract the accounting data to a text file. An accounting record for TACACS+ is structured like the following example:
char nas_name[] /* NAS name */
char user_name[] /* username */
char port_name[] /* port the connection is on */
char remote_address[] /* where the user connected from */
char record_type[] /* (start, update, stop etc) */
char server[] /* hostname of the server, as an AV pair */
char time[] /* time of this record, as an AV pair */
char date[] /* date of this record, as an AV pair */
char attribute_value_pairs[] /* there are an arbitrary number of these */
TACACS+ Accounting System Output
Each accounting record is terminated by the newline character (\n); record lengths are not fixed. All numeric values in attribute_value_pair strings are sent and recorded as decimal ASCII numbers. The accounting record file consists of a sequence of such records, written to stable storage on a periodic, configurable basis.
The following sample output packets are TACACS+ start and stop accounting records for an ISDN session using both B-channels. The NAS was 10.1.0.1; the user was user9 and was assigned IP address 11.11.11.108; the ACS was goodboy.
10.1.0.1 user9 BRI0/0:1 - start server=goodboy
time=08:46:02 date=09/04/1998
task_id=201 timezone=UTC service=ppp
10.1.0.1 user9 BRI0/0:2 - start server=goodboy
time=08:46:05 date=09/04/1998
task_id=202 timezone=UTC service=ppp
10.1.0.1 user9 BRI0/0:1 - stop server=goodboy
time=08:46:20 date=09/04/1998
task_id=201 timezone=UTC service=ppp mlp-links-max=2
mlp-sess-id=53 protocol=ip addr=11.11.11.108 bytes_in=205 bytes_out=93 paks_in=15 paks_out=6
elapsed_time=18
10.1.0.1 user9 BRI0/0:2 - stop server=goodboy
time=08:46:20 date=09/04/1998
task_id=202 timezone=UTC service=ppp mlp-links-max=2 protocol=ip
addr=11.11.11.108
mlp-sess-id=53 bytes_in=16 bytes_out=149 paks_in=1 paks_out=8
elapsed_time=15
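To show how an exported file of this structure is consumed, here is an added Python example (not part of the manual or of the CiscoSecure software) that parses each record into its five fixed fields plus AV pairs, then pairs start and stop records by task_id, separating completed sessions from still-active ones, which is the distinction AcctExport's no_active option draws. The input is the sample above with each record on one line, plus one constructed start record for a hypothetical user7 that has no stop yet.

```python
# Constructed input: the four records shown above, each on one line as the export
# file stores them (the manual wraps them for display), plus one constructed
# start record with no matching stop, i.e. a session that is still active.
SAMPLE_EXPORT = """\
10.1.0.1 user9 BRI0/0:1 - start server=goodboy time=08:46:02 date=09/04/1998 task_id=201 timezone=UTC service=ppp
10.1.0.1 user9 BRI0/0:2 - start server=goodboy time=08:46:05 date=09/04/1998 task_id=202 timezone=UTC service=ppp
10.1.0.1 user9 BRI0/0:1 - stop server=goodboy time=08:46:20 date=09/04/1998 task_id=201 timezone=UTC service=ppp mlp-links-max=2 mlp-sess-id=53 protocol=ip addr=11.11.11.108 bytes_in=205 bytes_out=93 paks_in=15 paks_out=6 elapsed_time=18
10.1.0.1 user9 BRI0/0:2 - stop server=goodboy time=08:46:20 date=09/04/1998 task_id=202 timezone=UTC service=ppp mlp-links-max=2 protocol=ip addr=11.11.11.108 mlp-sess-id=53 bytes_in=16 bytes_out=149 paks_in=1 paks_out=8 elapsed_time=15
10.1.0.1 user7 BRI0/0:1 - start server=goodboy time=09:00:00 date=09/04/1998 task_id=203 timezone=UTC service=ppp
"""

# The five fixed fields that precede the attribute=value pairs in each record.
FIXED_FIELDS = ("nas_name", "user_name", "port_name", "remote_address", "record_type")

def parse_record(line):
    """Split one record into its five fixed fields and a dict of AV pairs."""
    tokens = line.split()
    if len(tokens) < len(FIXED_FIELDS):
        raise ValueError(f"short record: {line!r}")
    record = dict(zip(FIXED_FIELDS, tokens))
    record["av"] = {}
    for token in tokens[len(FIXED_FIELDS):]:
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed AV pair {token!r}")
        # Numeric values are decimal ASCII in the file; keep the rest as text.
        record["av"][key] = int(value) if value.isdigit() else value
    return record

def split_sessions(text):
    """Pair start/stop records by (nas_name, task_id) -> (completed, active)."""
    # Completed sessions have matching start and stop records (what AcctExport
    # exports with no_active); active ones are starts with no stop yet.
    starts, completed = {}, []
    for line in filter(str.strip, text.splitlines()):
        rec = parse_record(line)
        key = (rec["nas_name"], rec["av"].get("task_id"))
        if rec["record_type"] == "start":
            starts[key] = rec
        elif rec["record_type"] == "stop":
            start = starts.pop(key, None)
            completed.append({
                "user": rec["user_name"], "port": rec["port_name"],
                "task_id": key[1], "addr": rec["av"].get("addr"),
                "started": start["av"]["time"] if start else None,
                "elapsed": rec["av"].get("elapsed_time", 0),
                "bytes_in": rec["av"].get("bytes_in", 0),
                "bytes_out": rec["av"].get("bytes_out", 0),
            })
    return completed, list(starts.values())
```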
RADIUS Accounting
This section presents accounting information that applies if you are using the RADIUS protocol.
Accounting Database Log for RADIUS
The following example shows typical RADIUS accounting packets. The RADIUS server must be configured to record accounting packets to the RDBMS in order for the raw RADIUS accounting packet to follow this accounting structure. Using the web-based interface, you can configure the CiscoSecure ACS to record accounting packets to the RDBMS.
Note The CiscoSecure ACS puts the first two lines of each packet in TACACS+ format.
The RADIUS accounting example below is the output for start and stop packets for a full ISDN, 2-B-channel session:
10.1.0.18 user9 30201 6228212 start server=freeport
time=10:51:27 date=09/09/1998 task_id=0000005A
Wed Sep 9 11:51:26 1998
NAS-IP-Address = 10.1.0.18
NAS-Port = 30201
NAS-Port-Type = ISDN-Sync
User-Name = "user9"
Calling-Station-Id = "6228212"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Acct-Session-Id = "0000005A"
Framed-Protocol = PPP
Acct-Delay-Time = 0
10.1.0.18 user9 30202 6228213 start server=freeport
time=10:51:29 date=09/09/1998 task_id=0000005B
Wed Sep 9 11:51:29 1998
NAS-IP-Address = 10.1.0.18
NAS-Port = 30202
NAS-Port-Type = ISDN-Sync
User-Name = "user9"
Calling-Station-Id = "6228213"
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Acct-Session-Id = "0000005B"
Framed-Protocol = PPP
Acct-Delay-Time = 0
10.1.0.18 user9 30202 6228213 stop server=freeport
time=10:56:27 date=09/09/1998 task_id=0000005B
Wed Sep 9 11:56:26 1998
NAS-IP-Address = 10.1.0.18
NAS-Port = 30202
NAS-Port-Type = ISDN-Sync
User-Name = "user9"
Calling-Station-Id = "6228213"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Acct-Session-Id = "0000005B"
Framed-Protocol = PPP
Acct-Link-Count = 2
Framed-IP-Address = 10.1.0.35
Acct-Multi-Session-Id = "39"
Acct-Input-Octets = 580
Acct-Output-Octets = 751
Acct-Input-Packets = 39
Acct-Output-Packets = 48
Acct-Session-Time = 298
Acct-Delay-Time = 0
10.1.0.18 user9 30201 6228212 stop server=freeport
time=10:56:27 date=09/09/1998 task_id=0000005A
Wed Sep 9 11:56:26 1998
NAS-IP-Address = 10.1.0.18
NAS-Port = 30201
NAS-Port-Type = ISDN-Sync
User-Name = "user9"
Calling-Station-Id = "6228212"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
User-Service-Type = Framed-User
Acct-Session-Id = "0000005A"
Framed-Protocol = PPP
Acct-Link-Count = 2
Acct-Multi-Session-Id = "39"
Framed-IP-Address = 10.1.0.35
Acct-Input-Octets = 807
Acct-Output-Octets = 669
Acct-Input-Packets = 56
Acct-Output-Packets = 45
Acct-Session-Time = 300
Acct-Delay-Time = 0
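As an added example (not from the manual or from Cisco), the following Python parses this mixed layout, two TACACS+-format header lines, a free-form timestamp, then RADIUS attributes, checks that each packet's header agrees with its RADIUS attributes (task_id against Acct-Session-Id, port against NAS-Port), and sums traffic across the two B-channels by Acct-Multi-Session-Id. The input is the two stop packets above, cut down to the attributes the code uses.

```python
# Constructed input: the example's two stop packets, cut to the attributes used below (headers and timestamps verbatim).
SAMPLE_LOG = """\
10.1.0.18 user9 30202 6228213 stop server=freeport
time=10:56:27 date=09/09/1998 task_id=0000005B
Wed Sep 9 11:56:26 1998
NAS-Port = 30202
Acct-Session-Id = "0000005B"
Acct-Link-Count = 2
Acct-Multi-Session-Id = "39"
Acct-Input-Octets = 580
Acct-Output-Octets = 751
10.1.0.18 user9 30201 6228212 stop server=freeport
time=10:56:27 date=09/09/1998 task_id=0000005A
Wed Sep 9 11:56:26 1998
NAS-Port = 30201
Acct-Session-Id = "0000005A"
Acct-Link-Count = 2
Acct-Multi-Session-Id = "39"
Acct-Input-Octets = 807
Acct-Output-Octets = 669
"""
HEADER = ("nas", "user", "port", "calling_station", "record_type")  # fixed fields of the first header line

def parse_log(text):
    """Split the log into packets: TACACS+-format header fields plus RADIUS attributes."""
    packets, pkt = [], None
    for line in filter(str.strip, text.splitlines()):
        if " = " in line:                      # RADIUS attribute line
            name, raw = (s.strip() for s in line.split(" = ", 1))
            # Quoted values are strings; bare decimal values are integers.
            pkt["attrs"][name] = raw.strip('"') if raw.startswith('"') else (int(raw) if raw.isdigit() else raw)
        elif "=" not in line:                  # free-form timestamp line
            pkt["timestamp"] = line.strip()
        else:                                  # one of the two TACACS+-format header lines
            tokens = line.split()
            if "=" not in tokens[0]:           # first header line starts a new packet
                pkt = dict(zip(HEADER, tokens), hdr={}, attrs={}, timestamp=None)
                packets.append(pkt)
            for tok in (t for t in tokens if "=" in t):   # server=, time=, date=, task_id=
                key, _, value = tok.partition("=")
                pkt["hdr"][key] = value
    return packets

def header_mismatches(pkt):
    """RADIUS attributes that disagree with the same packet's TACACS+-format header."""
    expected = {"Acct-Session-Id": pkt["hdr"].get("task_id"), "NAS-Port": pkt["port"]}
    return [n for n, want in expected.items() if str(pkt["attrs"].get(n)) != want]

def multilink_totals(packets):
    """Sum stop-record octets per Acct-Multi-Session-Id and count the links seen."""
    totals = {}
    for a in (p["attrs"] for p in packets if p["record_type"] == "stop"):
        t = totals.setdefault(a["Acct-Multi-Session-Id"], {"in": 0, "out": 0, "links": 0})
        t["in"] += a["Acct-Input-Octets"]; t["out"] += a["Acct-Output-Octets"]; t["links"] += 1
    return totals
```

A multilink session whose "links" count differs from Acct-Link-Count, or a packet with a non-empty mismatch list, is worth investigating before the records are billed.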
Typical Attribute-Value Pairs for RADIUS
Most RADIUS attribute-value pairs have equivalents in TACACS+, but they differ slightly. For example, the TACACS+ attribute event_id is equivalent to the RADIUS attribute Acct-Session-Id. See "RADIUS Attribute-Value Pairs and Dictionary Management" for more information, including a table comparing RADIUS and TACACS+ attributes.
Managing Disk Space to Prevent Failed Accounting Record Updates
Failure to maintain sufficient available disk space on the SQLAnywhere, Oracle, or Sybase database server storing records for the CiscoSecure ACS can result in a general warning message and a failure to update CiscoSecure accounting records. To prevent such failures, the system administrator should:
• Ensure that sufficient disk space exists to record and update all login transactions.
A typical example of heavy accounting disk space requirements might be those of an ISP's ACS, running TACACS+ protocol, receiving about 200,000 login requests per day, and configured to send Start, Update, and Stop accounting records (approximately 200 bytes each) for each login.
To calculate the accounting-related database disk space requirements for the above example, you would multiply 200,000 (logins per day) x 3 (accounting records per login) x 200 (bytes per record). The result indicates that 120 MB of disk space per day on the SQLAnywhere, Oracle, or Sybase database server would be required to accommodate the daily accounting data in the above example.
• Periodically run the CiscoSecure AcctExport tool to export the accounting records from the SQLAnywhere, Oracle, or Sybase RDBMS to a flat file.
Posted: Wed Feb 16 09:51:09 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.