Accounting in ethernet environment

tcherkon
Level 1

Hello!

I have an Ethernet switched LAN with a Cisco 2600 router as a gateway to the Internet. In the near future we would like to use some billing system based on a RADIUS or TACACS server.

Is it possible to "transparently" authenticate LAN users using their IP addresses, for example? I mean, users shouldn't enter any username or password and they shouldn't use any special software like VPN clients.

If it is possible, which AAA commands should I use on the router?

Thank you.

Konstantin

1 Reply

gfullage
Cisco Employee

It's not possible to transparently do this. Accounting is based on someone/something entering a username/password and this being sent to an external AAA server.

It's not possible to do this on a switch other than with, say, dot1x, but then you need certificates and additional setup on the client and on the ACS server, certainly not transparent.

You could do this on the 2600 router using auth-proxy (http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdauthp.htm), where the user browses out to the Internet, and the router intercepts this and prompts the user for a username/password. After entering one they're allowed out to the Internet, and you can simply configure accounting to go along with it. It's still not transparent, but you're not going to be able to be transparent and still do accounting.
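A sketch of the auth-proxy-with-accounting setup described in the reply above, added here as an example; it was not posted by either participant and is not copied from the linked Cisco document. It assumes a TACACS+ server on the LAN at 192.0.2.10, a router LAN address of 192.0.2.1, the rule name LAN_USERS, ACL 105 and interface FastEthernet0/0; all of these are placeholders.

```cisco
! Added example. Addresses, names, ACL number and interface are assumptions.
aaa new-model
! Router logins try TACACS+ first and fall back to local accounts.
aaa authentication login default group tacacs+ local
! Ask the AAA server what an authenticated auth-proxy user may reach.
aaa authorization auth-proxy default group tacacs+
! Send start and stop records for each auth-proxy session (the billing data).
aaa accounting auth-proxy default start-stop group tacacs+
!
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret>
!
! Auth-proxy uses the router's HTTP server to present the login prompt.
ip http server
ip http authentication aaa
!
! A cached authentication expires after 60 minutes, then the user is prompted again.
ip auth-proxy auth-cache-time 60
ip auth-proxy name LAN_USERS http
!
! Inbound ACL on the LAN side: before login only AAA replies and DNS pass.
! Per-user permits come from the user's profile on the AAA server after login.
access-list 105 permit tcp host 192.0.2.10 eq tacacs host 192.0.2.1
access-list 105 permit udp any any eq domain
access-list 105 deny ip any any
!
interface FastEthernet0/0
 description LAN side (assumed interface name)
 ip access-group 105 in
 ip auth-proxy LAN_USERS
```

After a user logs in through the browser prompt, `show ip auth-proxy cache` lists the authenticated source addresses, and the start/stop records appear on the AAA server.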
