configure aaa accounting

Thomas Schmitt
Level 1

Hello guys,

could someone please kindly explain aaa accounting configuration to me?

I have 2 configuration lines for accounting:

aaa accounting exec default start-stop group SERVER1
aaa accounting commands 15 default start-stop group SERVER1

First of all, I don't understand the difference between "exec" and "command", because the Cisco documentation for exec is nearly the same as for command:

EXEC--Provides information about user EXEC terminal sessions of the network access server.
Command--Provides information about the EXEC mode commands that a user issues. Command accounting generates accounting records for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.

"user EXEC terminal sessions" is my console in exec mode, isn't it? But what does the second part of the sentence, "of the network access server", mean? Which "network access server" is Cisco talking about? Doesn't "command" log the same? What is the difference?

I also don't understand what "start-stop" does. I found some description, but I still don't get it:

AAA resource accounting for start-stop records supports the ability to send a “start” record at each call setup, followed by a corresponding “stop” record at the call disconnect. This functionality can be used to manage and monitor wholesale customers from one source of data reporting, such as accounting records.

So I logged in to my accounting server and got this picture:

I can see that I logged in to 172.17.68.4 from my admin host (public IP is blacked out) and a new "start-stop" record was created (start). After that I executed some commands, and after each command the record received "stop". But what is the use of this "start-stop" record?

By the way, what does the zero stand for between destination and source IP in "Audit Session Key"? And does somebody know something about the "Task ID" field?

My next question is about the privilege level in "aaa accounting commands 15" - do I understand it right that only privilege level 15 commands will be logged and all others won't?

Because I did a comparison between my authorized commands and accounting, and there are some differences. I marked them red.

I will summarize my questions:

  1. What is the difference between "aaa accounting exec" and "aaa accounting commands"?
    1. What does the command "aaa accounting exec default start-stop group SERVER1" do?
      1. What is the meaning of "user EXEC terminal sessions" in the description of the "EXEC" scope?
      2. Which "network access server" is mentioned in the description of the "EXEC" scope?
  2. What does the "start-stop" record do?
    1. Which advantages can I get by implementing this record?
  3. Is this statement true or false: the command "aaa accounting commands 15 default start-stop group SERVER1" does accounting only for privilege level 15 commands?
  4. What should I change in my accounting configuration to be able to see all issued commands?

Thank you very much in advance. If you have any questions, please do not hesitate to contact me.

3 Replies

Jatin Katyal
Cisco Employee

“Exec accounting” will capture details about the user accessing the shell prompt where you run all the commands, and “command accounting” keeps track of what commands users execute on a Cisco device. Exec terminal session where you have priv 15. The network server mentioned in EXEC scope when the user logs in and logs off.

AAA resource accounting for start-stop records supports the ability to send a “start” record at each connection setup, followed by a corresponding “stop” record at the connection disconnect. This functionality can be used to manage and monitor wholesale customers from one source of data reporting, such as accounting records.

Yes, that's true: "aaa accounting commands 15 default start-stop group SERVER1" does accounting only for privilege level 15 commands. Basically we use 3 commands, 0, 1 & 15, that cover most of the command accounting. However, sometimes if we use custom command accounting then you need to have that level of accounting command configured.

In order to cover all the commands please make sure you have all 3 commands:

aaa accounting commands 0 default start-stop group SERVER1

aaa accounting commands 1 default start-stop group SERVER1

aaa accounting commands 15 default start-stop group SERVER1

Regards,

Jatin

~Jatin
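
Added example, not part of any reply in this thread: a small Python check that reads a saved running-config and reports whether exec accounting is on and which privilege levels have no "aaa accounting commands" line. The sample config, the "privilege exec level 7" line and the function names are constructed for illustration; levels 0, 1 and 15 are taken from the reply above, and any custom level found on a "privilege" line is added to the set to check.

```python
import re

# Constructed sample running-config, modelled on the lines quoted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec default start-stop group SERVER1
aaa accounting commands 15 default start-stop group SERVER1
privilege exec level 7 show running-config
"""

# aaa accounting {exec | commands <level>} <list> {start-stop | stop-only | none} ...
ACCT_RE = re.compile(
    r"^aaa accounting (exec|commands (\d+)) (\S+) (start-stop|stop-only|none)\b",
    re.MULTILINE,
)
# privilege <mode> [all] level <n> <command>: a command moved to a custom level
PRIV_RE = re.compile(r"^privilege \S+ (?:all )?level (\d+) ", re.MULTILINE)


def audit_accounting(config, method_list="default"):
    """Report exec accounting and which privilege levels lack command accounting."""
    exec_enabled = False
    covered = set()
    for kind, level, mlist, mode in ACCT_RE.findall(config):
        if mlist != method_list or mode == "none":
            continue  # other method list, or accounting explicitly disabled
        if kind == "exec":
            exec_enabled = True
        else:
            covered.add(int(level))
    # Levels 0, 1 and 15 come from the reply; custom levels from "privilege" lines.
    needed = {0, 1, 15} | {int(n) for n in PRIV_RE.findall(config)}
    return {"exec": exec_enabled, "covered": sorted(covered),
            "missing": sorted(needed - covered)}


def suggest_lines(missing, group, method_list="default"):
    """Build the command-accounting lines for the levels that are not covered."""
    return [f"aaa accounting commands {n} {method_list} start-stop group {group}"
            for n in missing]


if __name__ == "__main__":
    report = audit_accounting(SAMPLE_CONFIG)
    print(report)
    print("\n".join(suggest_lines(report["missing"], "SERVER1")))
```
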

Hello and thank you very much for the explanation

I'm still not sure about EXEC in accounting. Is it just a message that user XYZ started/closed an exec console?

I have configured "aaa accounting exec", so the entries in "Audit Session Key" were created by EXEC accounting?

You can see in the first post a screenshot from the AAA accounting report on my ACS. Which entries wouldn't I be able to see if I say "no aaa accounting exec" in order?

Thank you

Thomas,

"exec accounting" indicates when an exec session starts and stops. If you eliminate exec accounting then ACS won't show the related start and stop events.

Javier Henderson

Cisco Systems