Enable Accounting

pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

Defines traffic that requires AAA server accounting.

• acctg_service = any, ftp, http, or telnet

- any: all TCP traffic

pixfirewall(config)# aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

pixfirewall(config)# aaa accounting exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS

©2000, Cisco Systems,


The syntax for the aaa accounting command is as follows:

aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

no aaa accounting include | exclude authen_service inbound | outbound | if_name group_tag

clear aaa [accounting include | exclude authen_service inbound | outbound | if_name group_tag]

Argument / Description

include acctg_service
  The accounting service. Accounting is provided for all services, or you can limit it to one or more services. Possible values are any, ftp, http, or telnet. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form.

exclude acctg_service
  Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.

inbound
  Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside or any other perimeter interface.

outbound
  Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside or any other perimeter interface.

if_name
  Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom.

local_ip
  The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.

local_mask
  Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

foreign_ip
  The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.

foreign_mask
  Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

group_tag
  The group tag set with the aaa-server command.

How to View Accounting Information in CSACS-NT


Complete the following steps to view accounting information in Cisco Secure ACS:

Step 1 In the navigation bar, click Reports and Activity. The Reports and Activity window opens.

Step 2 Under Reports, click TACACS+ Accounting to display the accounting records.

Accounting of Non-Telnet, FTP, or HTTP Traffic

pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

• acctg_service = protocol/port

- protocol: tcp (6), udp (17), or others (protocol #)

- port: single port (e.g., 53), port range (e.g., 2000-2050), or port 0 (all ports)

- port is not used for protocols other than TCP or UDP

pixfirewall(config)# aaa accounting include udp/53 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

pixfirewall(config)# aaa accounting include udp/54-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
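As an added example (not part of the Cisco course material), the following Python models the include/exclude matching that the commands above describe, covering both the named-service form (any, ftp, http, telnet) and the protocol/port form; the rule evaluation order (an exclude carving an exception out of a matching include) is an assumption, and the flows checked against it are constructed.

```python
"""Model of PIX 'aaa accounting include | exclude' matching. Added example, not from
the Cisco course; assumed order: an exclude carves an exception out of a matching include."""
import ipaddress
import re

NAMED = {"ftp": 21, "http": 80, "telnet": 23}   # named TCP services on the slide
PROTO_NUM = {"6": "tcp", "17": "udp"}           # protocol numbers: tcp (6), udp (17)

def parse_service(svc):
    """Return (proto, low_port, high_port) for an acctg_service value."""
    if svc == "any":                              # any = all TCP traffic
        return ("tcp", 0, 65535)
    if svc in NAMED:
        return ("tcp", NAMED[svc], NAMED[svc])
    proto, port = svc.split("/")                  # protocol/port form
    proto = PROTO_NUM.get(proto, proto)
    if proto not in ("tcp", "udp"):               # port unused for other protocols
        return (proto, 0, 65535)
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", port)   # single port or port range
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    return (proto, 0, 65535) if low == 0 else (proto, low, high)  # 0 = all ports

def parse_rule(line):
    """Parse 'aaa accounting include|exclude svc dir lip lmask fip fmask tag'."""
    action, svc, direction, lip, lmask, fip, fmask, tag = line.split()[2:10]
    return {"action": action, "svc": parse_service(svc), "dir": direction,
            "local": ipaddress.ip_network(f"{lip}/{lmask}", strict=False),
            "foreign": ipaddress.ip_network(f"{fip}/{fmask}", strict=False),
            "tag": tag}

def accounted(rules, proto, port, direction, local, foreign):
    """Return the AAA group tag if the flow is accounted, else None."""
    tag = None
    for r in rules:
        p, low, high = r["svc"]
        if (r["dir"], p) == (direction, proto) and low <= port <= high \
                and ipaddress.ip_address(local) in r["local"] \
                and ipaddress.ip_address(foreign) in r["foreign"]:
            if r["action"] == "exclude":
                return None                       # exception to a prior include
            tag = r["tag"]
    return tag

# Constructed rule set: the four commands shown on the slides.
RULES = [parse_rule(l) for l in """\
aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa accounting exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
aaa accounting include udp/53 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa accounting include udp/54-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
""".splitlines()]
```

Because any covers only TCP, UDP traffic from the excluded host 10.0.0.33 is still accounted when it falls in the udp/54-100 outbound rule; that is the kind of gap the model makes visible.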

© 2000, Cisco Systems, Inc. www.cisco.com CSPFA1.01—4-32

The syntax for the aaa accounting command for non-Telnet, FTP, or HTTP traffic is as follows:

aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

no aaa accounting include | exclude authen_service inbound | outbound | if_name group_tag

clear aaa [accounting include | exclude authen_service inbound | outbound | if_name group_tag]

