CCNA Security Certification Tutorial:
The "Accounting" In AAA - Plus A CCNA Security / ISCW Exam AAA Review
Chris Bryant, CCIE #12933
In the first two installments of this CCNA Security AAA tutorial, we took a look at the first two "A"s in AAA - Authentication and Authorization - and defined their roles in network security.
Here, we'll take a look at the final "A" - Accounting - and then I'll give you an exam review on this subject.
Accounting vs. Authentication vs. Authorization
Authentication decides who can get in and who can't; authorization decides what users can do once they get in; accounting tracks the resources used by the authorized user.
This tracking can be used for security purposes (detecting users doing things they shouldn't be doing), or for tracking network usage in order to bill other departments in your company.
As with authentication and authorization, accounting requires that AAA be globally enabled. The aaa accounting command is used to define the accounting parameters -- and IOS Help is about to show us that there are quite a few options!
In the previous section of this tutorial, we talked about privilege levels, and accounting can be configured to track any given privilege level. Even that seemingly simple task takes a good deal of IOS digging, as shown below.
We'll take a look at those options right after this brief and important message... and I look forward to helping you earn your CCNA Security and CCNP certifications!
I'm Paying It Forward Bigger Than Ever.
My Famous CCNA Study Package Is Now $25.

And if you're working on the CCNA Security certification instead - click that link and earn that certification for twenty bucks!
Now let's get back to AAA Accounting....
Overall, AAA supports six different accounting formats, as shown below in IOS Help.
R2(config)#aaa accounting ?
  auth-proxy   For authentication proxy events.
  commands     For exec (shell) commands.
  connection   For outbound connections. (telnet, rlogin)
  delay-start  Delay PPP Network start record until peer IP address is known.
  exec         For starting an exec (shell).
  nested       When starting PPP from EXEC, generate NETWORK records before EXEC-STOP record.
  network      For network services. (PPP, SLIP, ARAP)
  resource     For resource events.
  send         Send records to accounting server.
  suppress     Do not generate accounting records for a specific type of user
  system       For system events.
  update       Enable accounting update records.
Here's a brief look at each category and what accounting information can be recorded.
Commands: Information regarding EXEC mode commands issued by a user.
Connection: Information regarding all outbound connections made from the network access server. Includes Telnet and rlogin.
EXEC: Information about user EXEC terminal sessions.
Network: Information regarding all PPP, ARAP, and SLIP sessions.
Resource: Information regarding start and stop records for calls passing authentication, and stop records for calls that fail authentication.
System: Non-user-related system-level events are recorded.
To finish the aaa accounting command, let's assume we want to enable auditing of privileged mode commands. As IOS Help will show you, to do this you have to know the level number of the mode you wish to audit; we know that privileged exec mode is level 15.
R2(config)#aaa accounting commands ?
<0-15> Enable level
R2(config)#aaa accounting commands 15
% Incomplete command.
R2(config)#aaa accounting commands 15 ?
WORD Named Accounting list.
default The default accounting list.
R2(config)#aaa accounting commands 15 default ?
none No accounting.
start-stop Record start and stop without waiting
stop-only Record stop when service terminates.
wait-start Same as start-stop but wait for start-record commit.
R2(config)#aaa accounting command 15 default start-stop ?
broadcast Use Broadcast for Accounting
group Use Server-group
R2(config)#aaa accounting command 15 default start-stop group tacacs
Both authorization and accounting offer so many different options that it's impossible to go into all of them here, and you're not responsible for complex configurations involving either one on your ISCW or CCNA Security exam.
You should know the basic commands and that AAA must be globally enabled before either can be configured. Also, there are no enable, login, or local options with accounting - we're limited to using TACACS+ and/or RADIUS servers for accounting purposes.
R2(config)#aaa accounting exec default start-stop group ?
WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
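Once the records reach the TACACS+ or RADIUS server, someone has to read them. The script below is an added example, not code from this tutorial or from Cisco: it parses a small constructed accounting log and turns it into the two facts the tutorial says accounting exists to give you, which privileged commands a user ran and how long each EXEC session lasted. The tab-separated record layout is an assumption modelled on the log written by tac_plus-style daemons (timestamp, NAS address, user, port, remote address, start/stop flag, then attribute=value pairs); the AV-pair names task_id, priv-lvl, cmd, elapsed_time and service are the ones IOS sends, and the sample lines themselves are constructed. It also shows the practical difference between start-stop and stop-only: a session with a start record and no stop record yet is reported as still open, which stop-only accounting could never tell you.

```python
"""Parse TACACS+-style accounting records and turn them into audit facts.

Added example, not code from the tutorial or from Cisco. The record layout
is an assumption modelled on tac_plus-style accounting logs; the sample
lines below are constructed.
"""
from dataclasses import dataclass, field

# Constructed log: jsmith opens an EXEC session (start-stop), runs two
# privilege-15 commands (command accounting yields stop records only) and
# logs out after 330 s; mjones has a start record but no stop record yet.
SAMPLE_LOG = (
    "Mon Mar  3 09:00:01 2014\t10.1.1.2\tjsmith\ttty2\t10.1.1.50\tstart\t"
    "task_id=41\tservice=shell\n"
    "Mon Mar  3 09:00:14 2014\t10.1.1.2\tjsmith\ttty2\t10.1.1.50\tstop\t"
    "task_id=42\tservice=shell\tpriv-lvl=15\tcmd=show running-config\n"
    "Mon Mar  3 09:01:07 2014\t10.1.1.2\tjsmith\ttty2\t10.1.1.50\tstop\t"
    "task_id=43\tservice=shell\tpriv-lvl=15\tcmd=configure terminal\n"
    "Mon Mar  3 09:02:00 2014\t10.1.1.2\tmjones\ttty3\t10.1.1.60\tstart\t"
    "task_id=44\tservice=shell\n"
    "Mon Mar  3 09:05:31 2014\t10.1.1.2\tjsmith\ttty2\t10.1.1.50\tstop\t"
    "task_id=41\tservice=shell\telapsed_time=330\n"
)


@dataclass
class Record:
    timestamp: str
    nas: str
    user: str
    port: str
    remote: str
    flag: str                          # "start" or "stop"
    attrs: dict = field(default_factory=dict)


def parse_record(line: str) -> Record:
    """Split one tab-separated record. Malformed lines raise instead of being
    skipped: a gap in the accounting trail is itself something to investigate."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6 or fields[5] not in ("start", "stop"):
        raise ValueError(f"malformed accounting record: {line!r}")
    attrs = {}
    for av in fields[6:]:
        key, sep, value = av.partition("=")
        if not sep:
            raise ValueError(f"bad attribute {av!r} in record: {line!r}")
        attrs[key] = value
    return Record(*fields[:6], attrs)


def parse_log(text: str) -> list:
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def privileged_commands(records, min_level: int = 15) -> list:
    """Commands run at or above min_level as (user, nas, cmd) tuples.
    This is what 'aaa accounting commands 15 ...' makes visible."""
    hits = []
    for r in records:
        if r.flag == "stop" and "cmd" in r.attrs:
            if int(r.attrs.get("priv-lvl", "0")) >= min_level:
                hits.append((r.user, r.nas, r.attrs["cmd"]))
    return hits


def exec_sessions(records) -> dict:
    """Pair EXEC start/stop records by (nas, task_id) and report the session
    length in seconds. A session whose stop record has not arrived maps to
    seconds=None: start-stop accounting lets you see it is still open."""
    sessions = {}
    for r in records:
        if "cmd" in r.attrs:           # command records are not sessions
            continue
        key = (r.nas, r.attrs.get("task_id"))
        if r.flag == "start":
            sessions[key] = {"user": r.user, "seconds": None}
        else:
            sessions.setdefault(key, {"user": r.user, "seconds": None})
            elapsed = r.attrs.get("elapsed_time")
            sessions[key]["seconds"] = int(elapsed) if elapsed is not None else None
    return sessions


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, nas, cmd in privileged_commands(recs):
        print(f"{user}@{nas} ran privileged command: {cmd}")
    for (nas, task), s in exec_sessions(recs).items():
        state = "still open" if s["seconds"] is None else f"{s['seconds']} s"
        print(f"{s['user']}@{nas} task {task}: {state}")
```

On the constructed log this reports jsmith's two privilege-15 commands, a 330-second session for jsmith, and an open session for mjones. Pairing on (nas, task_id) rather than on the username matters because one user can hold several sessions on the same device at once.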
Below, you'll find a review of this three-part AAA tutorial. Be sure to visit our CCNA Security / CCNP ISCW tutorial section for plenty of additional help on these challenging exams!
(And be sure to take advantage of our CCNP Guaranteed Pass and $20 CCNA Security certification offers, too!) Thanks for making The Bryant Advantage part of your CCNA Security and CCNP studies!
Chris Bryant
CCIE #12933
"The Computer Certification Bulldog"
chris@thebryantadvantage.com
CCNA Security / ISCW AAA Exam Review
An AAA Authentication statement generally has more than one option listed. They're checked in the order in which they are listed, from left to right. If the first option is unavailable, the next is checked. However, if the first option FAILS the user's authentication attempt, the user is denied authentication and the process ends.
If you enable AAA with the aaa new-model command and then do not complete the Authentication configuration, no one can authenticate.
It's also legal to specify none as the only authentication option, but that basically disables authentication!
HQ(config)#aaa authentication login default none
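The left-to-right rule above has one subtlety that trips people up: "unavailable" and "failed" are treated differently, and none never fails. The simulation below is an added example, not code from this tutorial or from Cisco; it walks a method list the way the tutorial describes and runs a few constructed scenarios against the list group tacacs+ local, plus one with none as the fallback. The method keywords are the IOS ones; the per-method outcomes for each login attempt are invented inputs, not real server behaviour.

```python
"""Simulate how IOS walks an AAA authentication method list.

Added example, not code from the tutorial or from Cisco. Method keywords
match IOS; the outcome each method returns for a login attempt is a
constructed input.
"""
from enum import Enum


class Outcome(Enum):
    PASS = "pass"     # method accepted the credentials
    FAIL = "fail"     # method reached a verdict and rejected them
    ERROR = "error"   # method could not answer: server unreachable, or no such local user


def authenticate(methods, outcomes):
    """Evaluate `methods` left to right.

    ERROR means the method was unavailable: fall through to the next one.
    PASS or FAIL is a verdict: stop immediately, the rest is never consulted.
    `none` always passes, which is why it disables authentication.
    An exhausted (or empty) list denies access.
    Returns (granted, deciding_method); deciding_method is None when the
    list ran out without a verdict.
    """
    for m in methods:
        if m == "none":
            return True, m
        o = outcomes.get(m, Outcome.ERROR)
        if o is Outcome.PASS:
            return True, m
        if o is Outcome.FAIL:
            return False, m
    return False, None


# Constructed scenarios for: aaa authentication login default group tacacs+ local
DEFAULT_LIST = ["group tacacs+", "local"]


def scenario_server_rejects():
    # TACACS+ answers and rejects. local would have accepted, but a FAIL
    # ends the evaluation, so it is never asked.
    return authenticate(DEFAULT_LIST,
                        {"group tacacs+": Outcome.FAIL, "local": Outcome.PASS})


def scenario_server_down():
    # TACACS+ unreachable: that is "unavailable", so local gets a turn.
    return authenticate(DEFAULT_LIST,
                        {"group tacacs+": Outcome.ERROR, "local": Outcome.PASS})


def scenario_unknown_local_user():
    # TACACS+ unreachable and the username is not in the local database:
    # local cannot answer either, the list runs out, access is denied.
    return authenticate(DEFAULT_LIST,
                        {"group tacacs+": Outcome.ERROR, "local": Outcome.ERROR})


def scenario_none_fallback():
    # aaa authentication login default group tacacs+ none
    # A server outage silently lets anyone in.
    return authenticate(["group tacacs+", "none"],
                        {"group tacacs+": Outcome.ERROR})


if __name__ == "__main__":
    for name, fn in [("server rejects", scenario_server_rejects),
                     ("server down", scenario_server_down),
                     ("unknown local user", scenario_unknown_local_user),
                     ("none fallback", scenario_none_fallback)]:
        granted, method = fn()
        print(f"{name:20s} -> {'granted' if granted else 'denied'} by {method}")
```

The third and fourth scenarios are the ones worth remembering: "group tacacs+ local" denies an unknown user when the server is down, while "group tacacs+ none" admits anyone at all under the same outage.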
You can use a named list with aaa authentication login, but not with aaa authentication enable.
HQ(config)#aaa authentication login ?
WORD Named authentication list.
default The default authentication list.
HQ(config)#aaa authentication enable ?
default The default authentication list.
Real-world note that may come in handy on exam day:
Don't get too clever and name your lists "AAA". That tends to confuse others. Including me. :)
For example, in the aaa authentication login command, I would not use this command:
HQ(config)#aaa authentication login AAA group tacacs+ none
That command uses a list named "AAA" for authentication. Again, it's just not something I like to do, but it is legal.
What does each "A" mean?
Authentication - Can the user come in?
Authorization - What can the user do when they come in? Can they assign privilege levels? IP addresses? Delete configurations? Assign ACLs? Change the username/password database, perhaps?
Accounting - What network resources did the user access, and for how long?
The Accounting information that can be recorded falls into six main categories:
command - accounting for all commands at a specified privilege level
exec - accounting for EXEC sessions
system - non-user system events
network - all network-related service requests (NCP, ARA, SLIP)
connection - outbound connections (Telnet, rlogin)
resource - start and stop records
With accounting, we can save information to RADIUS or TACACS+ servers.
HQ(config)#aaa accounting exec default start-stop group ?
WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
And finally, a quick RADIUS vs. TACACS+ comparison:
RADIUS:
Open-standard protocol
Runs on UDP
Can't control authorization level of users
Authentication and authorization are combined, so running a separate authorization protocol is not practical
TACACS+:
Cisco-proprietary protocol
Runs on TCP
Can control authorization level of users
Authentication and authorization are separate processes, so running a separate authorization protocol is possible