Configuring Accounting

To configure accounting on the Cisco ASA, use the aaa accounting command:

    aaa accounting match access_list_name if_name server_tag

Example 7-17 demonstrates how to configure accounting on the Cisco ASA.

Example 7-17. Enabling Accounting Using an ACL to Define Interesting Traffic

    Chicago(config)# access-list 100 permit ip 10.1.1.0 255.255.255.0 172.18.124.0 255.255.255.0
    Chicago(config)# aaa accounting match 100 inside mygroup

In Example 7-17, an ACL is configured to enable accounting for all connections initiated from 10.1.1.0/24 to 172.18.124.0/24. The ACL is then applied to the aaa accounting match command. A previously defined AAA server group named mygroup is used with this command.

Note: You can also use the aaa accounting include | exclude command options, as demonstrated for the aaa authentication command. The aaa accounting match command makes the include and exclude options obsolete.

RADIUS Accounting

Table 7-8 lists all the RADIUS accounting messages supported by Cisco ASA.
The accounting-on message marks the start of accounting services. Subsequently, to mark the end of accounting services, use the accounting-off message. The start and stop accounting records are used to label when a user started a connection to a specific service. These sessions are labeled with their own accounting session IDs.

TACACS+ Accounting

Table 7-9 lists all the TACACS+ accounting messages that Cisco ASA supports.
Cisco ASA also allows you to configure command accounting depending on the user's privilege level. Use the following command to enable this feature:

    aaa accounting command {privilege level} tacacs_server_tag

Example 7-18 demonstrates how to configure command accounting on the Cisco ASA depending on the user's privilege level.

Example 7-18. Enabling Command Accounting

    Chicago(config)# aaa accounting command privilege 15 mygroup

In Example 7-18, the accounting command is enabled for users that execute a privilege level 15 command.
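The following Python audit is an added example, not code from the book or from Cisco. It checks a saved configuration for the accounting statements of Examples 7-17 and 7-18: that each aaa accounting match line references a defined ACL and server group, that command accounting points at a TACACS+ group, and whether a given connection would be accounted. The aaa-server line in the sample, the function names, and the restriction to the ACL form shown in Example 7-17 are assumptions.

```python
import ipaddress

# Constructed sample built from Examples 7-17 and 7-18. The aaa-server line is
# an assumption: the page only says that mygroup was previously defined.
SAMPLE_CONFIG = """\
aaa-server mygroup protocol tacacs+
access-list 100 permit ip 10.1.1.0 255.255.255.0 172.18.124.0 255.255.255.0
aaa accounting match 100 inside mygroup
aaa accounting command privilege 15 mygroup
"""

def parse_config(text):
    """Collect server groups, permit ACL entries and accounting statements."""
    groups, acls, match_rules, cmd_rules = {}, {}, [], []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["aaa-server"] and tok[2:3] == ["protocol"] and len(tok) >= 4:
            groups[tok[1]] = tok[3].lower()
        elif tok[:1] == ["access-list"] and len(tok) == 8 and tok[2] == "permit":
            src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}", strict=False)
            dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}", strict=False)
            acls.setdefault(tok[1], []).append((src, dst))  # other ACL forms are ignored
        elif tok[:3] == ["aaa", "accounting", "match"] and len(tok) == 6:
            match_rules.append((tok[3], tok[4], tok[5]))  # (acl, interface, group)
        elif tok[:4] == ["aaa", "accounting", "command", "privilege"] and len(tok) == 6:
            cmd_rules.append((int(tok[4]), tok[5]))  # (privilege level, group)
    return groups, acls, match_rules, cmd_rules

def audit(text):
    """Return a list of findings; an empty list means the references resolve."""
    groups, acls, match_rules, cmd_rules = parse_config(text)
    findings = []
    for acl, ifname, group in match_rules:
        if acl not in acls:
            findings.append(f"accounting on {ifname}: ACL {acl} is not defined")
        if group not in groups:
            findings.append(f"accounting on {ifname}: server group {group} is not defined")
    for level, group in cmd_rules:
        if groups.get(group) != "tacacs+":
            findings.append(f"command accounting (privilege {level}): {group} is not a TACACS+ group")
    return findings

def is_accounted(text, ifname, src, dst):
    """True if a connection src -> dst entering ifname matches an accounting ACL."""
    _, acls, match_rules, _ = parse_config(text)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn
               for acl, iface, _ in match_rules if iface == ifname
               for sn, dn in acls.get(acl, []))
```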