https://community.cisco.com/t5/network-access-control/configure-aaa-accounting/m-p/2877444#M40306 <P>Hello guys,</P> <P></P> <P>could someone please kindly explain aaa accounting configuration to me?</P> <P></P> <P>I have 2 configuration lines for accounting:</P> <PRE class="prettyprint">aaa accounting exec default start-stop group SERVER1<BR />aaa accounting commands 15 default start-stop group SERVER1</PRE> <P>first of all, I don't understand the difference between "exec" and "command", because cisco documentation for exec is near the same, as for command:</P> <PRE class="prettyprint"><STRONG>EXEC</STRONG>--Provides information about user EXEC terminal sessions of the network access Server.</PRE> <PRE class="prettyprint"><STRONG>Command</STRONG>--Provides information about the EXEC mode commands that a user issues. Command accounting generates accounting records for all EXEC mode commands, including global configuration commands, associated with a specific privilege Level.</PRE> <P>"<EM>user EXEC terminal sessions</EM>" is my console in exec mode, isn't it?&nbsp;But what does the second sentence part&nbsp;"<EM>of the network access Server</EM>" means?&nbsp;about what&nbsp;"Network Access Server" do cisco talk? Does't "command" logs the same? -What is the difference?</P> <P></P> <P>I also don't understand what "start-stop" does. I found some description, but i still don't got it:</P> <P><SPAN style="font-family: verdana,geneva,sans-serif; font-size: 10pt;">AAA resource accounting for start-stop records supports the ability to send a “start” record at each call setup, followed by a corresponding “stop” record at the call disconnect. This functionality can be used to manage and monitor wholesale customers from one source of data reporting, such as accounting records.</SPAN></P> <P>So I&nbsp;logged in to my accounting Server and got this picture:</P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/accounting_0.png" class="migrated-markup-image" /></P> <P>I can see, that i logged in to 172.17.68.4 from my admin host (public IP is black) and a new "start-stop" record was created (start).&nbsp;After that i executed some commands and after each command record received "stop". But what is the usage of this "start-stop" record?</P> <P>btw. what does the Zero stands for between destination and source&nbsp;IP in "Audit Session Key"? And does somebody know something about the "Task ID" field?</P> <P></P> <P>My next question is about&nbsp;the privilege Level in "aaa accounting commands 15" - do i understend it right, that only privilege Level 15 commands will be logged and all other won't?</P> <P>Because i did a comparation&nbsp;between my&nbsp;authorized commands and accounting, so there are some differences. I marked them red.</P> <P><IMG src="https://community.cisco.com/legacyfs/online/media/missed.png" class="migrated-markup-image" /></P> <P></P> <H3><SPAN style="text-decoration: underline;">I will summarize my Qustions:</SPAN></H3> <OL> <LI><STRONG><SPAN style="color: #339966;">What is the difference between "aaa accounting exec" and "aaa accounting commands"</SPAN></STRONG></LI> <OL style="list-style-type: lower-roman;"> <LI><SPAN style="color: #000000;">What does the command "aaa accounting exec default start-stop group SERVER1" do?</SPAN></LI> <OL style="list-style-type: lower-alpha;"> <LI><SPAN style="color: #000000;">What is the meaning of "user EXEC terminal sessions" in the description of "EXEC" scope</SPAN></LI> <LI><SPAN style="color: #000000;">Which "network access Server" is mentioned in the description of "EXEC" scope?</SPAN></LI> </OL> </OL> <LI><STRONG><SPAN style="color: #339966;">What&nbsp;does the "start-stop" record do?</SPAN></STRONG></LI> <OL style="list-style-type: lower-roman;"> <LI><SPAN style="color: #000000;">Which Advantages can I get by implementing&nbsp;this record?</SPAN></LI> </OL> <LI><STRONG><SPAN style="color: #339966;">Is this Statement true or false: command "aaa accounting commands 15 default start-stop group SERVER1" does accounting only for privilege Level 15 commands</SPAN></STRONG></LI> <LI><STRONG><SPAN style="color: #339966;">What should i change in my accounting configuration, to be able to see all issued commands?</SPAN></STRONG></LI> </OL> <P>Thank you very much in advance. If you have any question, please do not&nbsp;hesit to contact me</P> Mon, 11 Mar 2019 06:30:33 GMT Thomas Schmitt 2019-03-11T06:30:33Z https://community.cisco.com/t5/network-access-control/configure-aaa-accounting/m-p/2877444#M40306 Please explain these two commands aaa accounting exec default start-stop group SERVER1 aaa accounting commands 15 default start-stop group SERVER1 Mon, 11 Mar 2019 06:30:33 GMT https://community.cisco.com/t5/network-access-control/configure-aaa-accounting/m-p/2877444#M40306 Thomas Schmitt 2019-03-11T06:30:33Z https://community.cisco.com/t5/network-access-control/configure-aaa-accounting/m-p/2877445#M40307 <P><SPAN style="font-size: 10pt; color: #000000; font-family: helvetica,arial,sans-serif;">"Exec accounting” will capture details about user accessing the shell prompt where you run all the commands &amp; “command accounting” keep track of what commands users execute on a Cisco device. Exec terminal session where you have priv 15. The network server mentioned in EXEC scope when user login and logoff.</SPAN></P> <P><BR /><SPAN style="font-size: 10pt; color: #000000; font-family: helvetica,arial,sans-serif;">AAA resource accounting for start-stop records supports the ability to send a “start” record at each connection setup, followed by a corresponding “stop” record at the connection disconnect. This functionality can be used to manage and monitor wholesale customers from one source of data reporting, such as accounting records</SPAN></P> <P><SPAN style="font-size: 10pt; color: #000000; font-family: helvetica,arial,sans-serif;">yes that's true aaa accounting commands 15 default start-stop group SERVER1" does accounting only for privilege Level 15 commands. Basically we use 3 commands 0,1 &amp; 15 that covers most of the command accounting. However sometimes if we use custom command accounting then you need to have that level of accounting command configured.</SPAN></P> <P><SPAN style="font-size: 10pt; color: #000000; font-family: helvetica,arial,sans-serif;">In order to cover all the commands please make sure you have all 3 commands:</SPAN></P> <P><SPAN style="font-size: 10pt; color: #000000; font-family: helvetica,arial,sans-serif;">aaa accounting commands 0 default start-stop group SERVER1" </SPAN></P> <P><SPAN style="color: #000000; font-family: helvetica,arial,sans-serif; font-size: 10pt;">aaa accounting commands 1 default start-stop group SERVER1" </SPAN></P> <P><SPAN style="color: #339966; font-family: helvetica,arial,sans-serif; font-size: 10pt;"><SPAN style="color: #000000;">aaa accounting commands 15 default start-stop group SERVER1"</SPAN> </SPAN></P> <P><SPAN style="color: #339966; font-family: helvetica,arial,sans-serif; font-size: 10pt;"><SPAN style="color: #000000;"></SPAN></SPAN></P> <P><SPAN style="color: #339966; font-family: helvetica,arial,sans-serif; font-size: 10pt;"><SPAN style="color: #000000;">Regards,</SPAN></SPAN></P> <P><SPAN style="color: #339966; font-family: helvetica,arial,sans-serif; font-size: 10pt;"><SPAN style="color: #000000;">Jatin</SPAN></SPAN></P> Sat, 20 Feb 2016 07:18:13 GMT https://community.cisco.com/t5/network-access-control/configure-aaa-accounting/m-p/2877445#M40307 Jatin Katyal 2016-02-20T07:18:13Z https://community.cisco.com/t5/network-access-control/configure-aaa-accounting/m-p/2877446#M40308 <P>Hello ans thank you very much for exploration&nbsp;</P> <P>i'm still not sure&nbsp;about&nbsp;EXEC in accounting. -is it just a message, that user XYZ started started/closed exec console?</P> <P>I have configured "aaa accounting exec", so the entries in "audit s session key" ware created by EXEC accounting?</P> <P>you can see in first post a screenshot from AAA accounting report on my ACS. -which entries I wouldn't be able to see, if I say "no aaa accounting exec" in order?</P> <P></P> <P>thank you</P> Sat, 20 Feb 2016 18:22:10 GMT https://community.cisco.com/t5/network-access-control/configure-aaa-accounting/m-p/2877446#M40308 Thomas Schmitt 2016-02-20T18:22:10Z https://community.cisco.com/t5/network-access-control/configure-aaa-accounting/m-p/2877447#M40309 <P>Thomas,</P> <P></P> <P>"exec accounting" indicates when an exec session starts and stops. If you eliminate exec accounting then ACS won't show the related start and stop events.</P> <P></P> <P>Javier Henderson</P> <P>Cisco Systems</P> Fri, 26 Feb 2016 15:05:22 GMT https://community.cisco.com/t5/network-access-control/configure-aaa-accounting/m-p/2877447#M40309 Javier Henderson 2016-02-26T15:05:22Z